Self-signed certificates for testing

The least recommended method is to use self-signed certificates. A self-signed certificate has no real value, especially in an enterprise environment, and is only useful for testing (for example, certificate-based authentication or code signing). It basically means that you act as the CA and sign your own certificate, so nobody else vouches for it. Much like printing your own passport won't get you through customs, a self-signed certificate cannot be used in a production environment.

PowerShell makes it very easy to generate all kinds of certificates to test. Unfortunately, this only works in Windows PowerShell. In PowerShell Core, external tools are the way to go.

Writing PowerShell scripts in Linux on a Windows 10 machine is easier than ever, with the Windows Subsystem for Linux! Select a supported version, and then check out https://docs.microsoft.com/en-us/powershell/scripting/setup/installing-powershell-core-on-linux for how to install PowerShell Core.

The following code illustrates how to create a self-signed code signing certificate to test signing on Windows and Linux with Windows PowerShell and PowerShell Core:

# The PKI module is not yet available for PowerShell core
# While .NET core supports creating self-signed certificates
# the module does not work in PowerShell core

# SSL
# Windows PowerShell
New-SelfSignedCertificate -DnsName "host.domain.internal", "domain.com" -CertStoreLocation "cert:\LocalMachine\My"

# PowerShell Core on Windows
$rootArguments = @(
'-r' # Generate self-signed
'-pe' # Private key exportable
'-n "CN=OnTheFlyCA"' # Name
'-ss CA' # Cert store
'-a sha256' # Hash algorithm
'-sky signature' # Key spec. Here: Digital Signature
'-cy authority' # Certificate type. Here: CA
'-sv CA.pvk' # Key file
'CA.cer' # Output file
)
Start-Process -FilePath makecert -ArgumentList $rootArguments -Wait -NoNewWindow

$sslArguments = @(
'-pe'
'-n "host.domain.internal"'
'-a sha256'
'-sky Exchange'
'-eku 1.3.6.1.5.5.7.3.1' # Enhanced key usage
'-ic CA.cer' # Issuer certificate
'-iv CA.pvk' # Issuer key
'-sp "Microsoft RSA SChannel Cryptographic Provider"'
'-sy 12'
'-sv server.pvk'
'server.cer'
)
Start-Process -FilePath makecert -ArgumentList $sslArguments -Wait -NoNewWindow

# Generate Personal Information Exchange (pfx)
pvk2pfx -pvk server.pvk -spc server.cer -pfx server.pfx

# PowerShell Core on Unix

# Generates a new Certificate Signing Request. Because no -key is given,
# openssl also creates a new private key and stores it, passphrase
# protected, in privkey.pem (the default key file from openssl.cnf)
sudo openssl req -new > sslcert.csr

# Strip the passphrase from the private key - this is the file you need to protect
sudo openssl rsa -in privkey.pem -out server.key

# Generate an x509 certificate signed by our own private key
# sslcert.cert is your public SSL certificate
sudo openssl x509 -in sslcert.csr -out sslcert.cert -req -signkey server.key -days 365

# Code signing
New-SelfSignedCertificate -Subject "CN=CodeSigningIsGreat" `
-KeyAlgorithm RSA `
-KeyLength 2048 `
-Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" `
-KeyExportPolicy Exportable `
-KeyUsage DigitalSignature `
-Type CodeSigningCert

# Document encryption (for CMS or DSC)
New-SelfSignedCertificate -Subject '[email protected]' -KeyUsage KeyEncipherment -CertStoreLocation Cert:\CurrentUser\My -Type DocumentEncryptionCert
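To see what the passport remark means in practice, here is an added example (not code from the book) for Windows PowerShell 5.1: it creates a short-lived self-signed code signing certificate, signs a scratch script with it, and shows that the signature is recognised but not trusted (Status UnknownError, untrusted root) until the certificate is deliberately trusted. The subject name and file path are arbitrary test values.

```powershell
# Added example (not from the book). Requires Windows PowerShell 5.1 on
# Windows: New-SelfSignedCertificate comes from the PKI module, which the
# text notes is not available in PowerShell Core.
function Test-SelfSignedCodeSigning {
    # Short-lived, throw-away certificate in the current user's store.
    # The subject name is an arbitrary test value.
    $cert = New-SelfSignedCertificate -Subject 'CN=TestOnlyCodeSigning' `
        -KeyAlgorithm RSA -KeyLength 2048 `
        -KeyUsage DigitalSignature `
        -Type CodeSigningCert `
        -CertStoreLocation 'Cert:\CurrentUser\My' `
        -NotAfter (Get-Date).AddDays(7)

    try {
        # Sign a scratch script with the new certificate
        $script = Join-Path $env:TEMP 'selfsigned-test.ps1'
        Set-Content -Path $script -Value 'Write-Output "hello"'
        $sig = Set-AuthenticodeSignature -FilePath $script -Certificate $cert

        # Chain validation without -AllowUntrustedRoot fails for a
        # self-signed certificate (warning: untrusted root) and returns False
        $chainOk = Test-Certificate -Cert $cert -Policy Base `
            -WarningAction SilentlyContinue -ErrorAction SilentlyContinue

        [pscustomobject]@{
            Thumbprint      = $cert.Thumbprint
            # Issuer equal to Subject is the tell-tale sign of a self-signed cert
            IsSelfSigned    = ($cert.Subject -eq $cert.Issuer)
            # Expected: UnknownError, with a StatusMessage saying the chain
            # terminated in a root certificate that is not trusted
            SignatureStatus = $sig.Status
            StatusMessage   = $sig.StatusMessage
            ChainTrusted    = [bool]$chainOk
        }
    }
    finally {
        # Remove the test certificate and its private key again
        Remove-Item -Path "Cert:\CurrentUser\My\$($cert.Thumbprint)" -DeleteKey
        Remove-Item -Path $script -ErrorAction SilentlyContinue
    }
}

Test-SelfSignedCodeSigning | Format-List
```

The same certificate would only validate after being imported into the Trusted Root and Trusted Publishers stores, which is exactly the step that must not happen outside a test machine.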