A Step-by-Step Guide for Creating Self-Signed SSL in Windows 10
A self-signed certificate is a certificate signed by its own creator rather than by a certificate authority (CA). Self-signed certificates are useful for testing and internal use but are not recommended for public-facing production websites, where they generate browser warnings. In this guide, we cover how to create a self-signed certificate in Windows 10, export it, install it where it is needed, and remove it again.
Overview of Self-Signed Certificates
- A self-signed certificate carries a public key and is signed with the matching private key, which stays in the creator’s key store; nothing in it comes from a CA. This means anyone can create a self-signed certificate without external validation.
- Because self-signed certificates are not issued by a trusted third-party CA, they will not be automatically trusted by browsers and operating systems. Users will see an untrusted certificate warning when accessing a site with a self-signed cert.
- Self-signed certificates are suitable for testing encrypted connections, establishing basic encryption on intranets, and other internal uses where limited access and manual trust establishment are acceptable.
- For public production websites that need trusted TLS encryption, a certificate issued by a public CA is required. The CA validates the requester’s identity and browsers trust certificates issued by the CA.
- In Windows 10, a self-signed certificate is created with the New-SelfSignedCertificate cmdlet from the PowerShell PKI module; the Certificates snap-in console is used to inspect, export, import and delete it. The certificate itself lives in a certificate store; the .cer file extension appears only when the public certificate is exported to a file (the private key, if it is moved at all, travels in a password-protected .pfx file).
Using the Certificates Snap-in with a Self-Signed Certificate
The Certificates console (certlm.msc, opened as “Manage computer certificates”, for the computer stores; certmgr.msc, “Manage user certificates”, for the current user’s stores) is where you view, export, import and delete certificates, but it has no option to self-sign one. Its All Tasks > Request New Certificate wizard enrolls against an enterprise CA: it needs an Active Directory Certificate Services enrollment policy, and its Request Certificates page lists CA templates rather than offering a self-signed choice; the Create Custom Request path under Advanced Operations only produces a signing request for a CA to fulfil. Create the certificate with PowerShell (see “Create a Self-Signed Certificate in PowerShell” below), then use the console to inspect it:
- Open the Start menu and search for “Manage computer certificates” if the certificate was created in Cert:\LocalMachine, or “Manage user certificates” if it was created in Cert:\CurrentUser. Click the result.
- In the Certificates console, expand Personal > Certificates in the left pane. The self-signed certificate shows the same name under Issued To and Issued By, because it is its own issuer.
- Double-click the certificate to open it.
- On the General tab, check the validity period and look for the line “You have a private key that corresponds to this certificate”. Without that private key the certificate can be trusted by clients, but it cannot be used by a server.
- Click the Details tab and scroll down to Thumbprint. Copy the thumbprint: it is the identifier you will need for the netsh binding and for deleting the certificate from PowerShell later in this guide (it is not needed for the export wizard).
- Click OK to close the certificate.
Export the Self-Signed Certificate
The certificate has to leave the store as a file before it can be installed elsewhere, and which file you export depends on who receives it. Clients that only need to trust the certificate get the public certificate alone (.cer, no private key). A server that will use the certificate for HTTPS needs the private key as well, which means a password-protected PKCS #12 file (.pfx); that is only possible if the key was created as exportable. Here’s how to export the public certificate:
- Back in the Certificates console, right-click the new self-signed certificate and select All Tasks > Export.
- On the Certificate Export Wizard welcome screen, click Next.
- On the Export Private Key screen, select No, do not export the private key. (For the server copy, select Yes, export the private key instead; the wizard then switches to the Personal Information Exchange (.PFX) format and asks for a password that protects the key.)
- Click Next. On the Export File Format screen, keep the default format of DER encoded binary X.509 (.CER).
- Click Next. On the File to Export screen, choose a location like your Desktop and give the exported certificate a descriptive name like “my-self-signed-cert.cer”.
- Click Next, then Finish to export the self-signed certificate. The .cer file will be saved in the chosen location.
The .cer file is what you distribute to machines that need to trust the certificate (see “Install on Windows Client”). The .pfx file, which contains the private key, goes only to the server and should be deleted from any intermediate location after it has been imported: anyone holding it can impersonate the server to every client that trusts the certificate.
Create a Self-Signed Certificate in PowerShell
Self-signed certificates can also be generated using PowerShell on Windows 10. Here are the steps:
- Open a PowerShell session by typing “powershell” in the Windows search box or Start menu. A normal session is enough for the Cert:\CurrentUser store used below; creating or removing certificates in Cert:\LocalMachine requires a session started with Run as administrator.
- Create a new .ps1 script file in a text editor like Notepad. Save it to your Desktop as a file like Create-Self-SignedCertificate.ps1.
- In the .ps1 file, type the following script:
# Creates a self-signed TLS server certificate in the current user's Personal store.
# -DnsName sets the Subject Alternative Name that browsers require for host-name matching;
# -KeyUsage and the Server Authentication EKU (1.3.6.1.5.5.7.3.1) make it usable for HTTPS.
# The default Microsoft Software Key Storage Provider is used, so no -Provider or -KeySpec
# is given: a legacy CAPI provider with -KeySpec Signature produces an AT_SIGNATURE key,
# which Schannel will not use for an RSA server certificate.
$certificate = New-SelfSignedCertificate `
    -Subject "CN=SelfSignedCert" `
    -DnsName "localhost" `
    -FriendlyName "Self-Signed Test Certificate" `
    -CertStoreLocation "Cert:\CurrentUser\My" `
    -KeyExportPolicy Exportable `
    -KeyAlgorithm RSA `
    -KeyLength 2048 `
    -HashAlgorithm SHA256 `
    -KeyUsage DigitalSignature, KeyEncipherment `
    -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.1") `
    -NotAfter (Get-Date).AddYears(1) -Verbose

# Export the public certificate only (no private key) for clients that must trust it.
$certificatePath = Join-Path $env:USERPROFILE "Desktop\self-signed.cer"
Export-Certificate -Cert $certificate -FilePath $certificatePath
- Update the subject, DNS names, key export policy, key length, validity period, and file path as desired. The export policy only needs to be Exportable if you intend to move the private key to another machine as a .pfx file; otherwise leave the key non-exportable so it cannot be copied out of the store.
- Save and close the .ps1 file.
- In the PowerShell session, navigate to the location of the .ps1 file, such as:
cd C:\Users\username\Desktop
- Run the script by typing:
.\Create-Self-SignedCertificate.ps1
- Windows 10’s default execution policy blocks local .ps1 scripts. If you see an error about the execution policy, either relax it for the current session only or paste the commands straight into the PowerShell window; no prompt about private-key access is involved.
- The script will generate a new self-signed certificate and export it to the defined file path as a .cer file.
- You can verify the new certificate by opening “Manage user certificates” (certmgr.msc) and looking under Personal > Certificates, or by listing Cert:\CurrentUser\My in PowerShell; the entry should report that a private key is present.
The exported .cer file contains only the public certificate, so it can be installed or distributed freely to systems that need to trust it; the private key stays in the store on the machine where the script ran.
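The two kinds of export described under “Export the Self-Signed Certificate” can be scripted instead of clicked through. The following is an added example, not code from the original article: it locates a certificate created by the script above by its subject, writes the public .cer and a password-protected .pfx, and checks both files. The subject, output folder and file names are assumptions.

```powershell
# Added example, not part of the original article. Exports the public certificate (.cer)
# for clients and, separately, the certificate plus private key (.pfx) for the server.
# $Subject and the output folder are placeholders.
$Subject = 'CN=SelfSignedCert'
$outDir  = Join-Path $env:USERPROFILE 'Desktop'

# Pick the newest certificate with that subject from the current user's Personal store.
$cert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Subject -eq $Subject } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with subject '$Subject' in Cert:\CurrentUser\My" }

# 1) Public certificate only: safe to hand to anyone who needs to trust the server.
$cerPath = Join-Path $outDir 'self-signed.cer'
Export-Certificate -Cert $cert -FilePath $cerPath -Type CERT | Out-Null

# 2) Certificate + private key: only the server needs this. Protect it with a password
#    and delete the file once imported. Requires -KeyExportPolicy Exportable at creation.
$pfxPath     = Join-Path $outDir 'self-signed.pfx'
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword | Out-Null

# Sanity checks: the files carry the same thumbprint as the store entry, the .cer has no
# private key, and the .pfx does.
$fromCer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($cerPath)
if ($fromCer.Thumbprint -ne $cert.Thumbprint) { throw '.cer thumbprint does not match the store entry' }
if ($fromCer.HasPrivateKey) { throw '.cer unexpectedly contains a private key' }
$fromPfx = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($pfxPath, $pfxPassword)
if (-not $fromPfx.HasPrivateKey) { throw '.pfx does not contain the private key' }

"Exported $cerPath (public) and $pfxPath (with key); thumbprint $($cert.Thumbprint)"
```

Export-PfxCertificate fails with an access error if the key was created without -KeyExportPolicy Exportable; that is the store doing its job, and the fix is to generate a new certificate rather than to work around the policy.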
Install the Self-Signed Certificate
How the certificate is installed depends on its role. A server that will terminate HTTPS (or otherwise prove its identity) needs the certificate together with its private key, so it is installed from the .pfx export. A client that only has to trust the server needs just the public certificate, installed from the .cer export into a trusted-root store:
Install on Windows Server
- Copy the exported .pfx file (the one that contains the private key) to the server.
- Open an elevated PowerShell prompt on the server.
- Import the certificate and its private key into the computer’s Personal store by running:
Import-PfxCertificate -FilePath C:\path\to\cert.pfx -CertStoreLocation Cert:\LocalMachine\My -Password (Read-Host -AsSecureString "PFX password")
Importing a .cer file here with Import-Certificate would store only the public half; Windows cannot serve HTTPS from such an entry.
- Bind the certificate to the server’s port by running:
netsh http add sslcert ipport=0.0.0.0:443 certhash=XXXXXXXXXX appid="{00112233-4455-6677-8899-AABBCCDDEEFF}"
Use the certificate thumbprint, with any spaces removed, for the certhash value; appid is any GUID that identifies the application owning the binding. This netsh binding applies to services hosted on HTTP.sys; for an IIS site, set the HTTPS binding in IIS Manager instead. Delete the .pfx file once the import has succeeded.
Install on Windows Client
- Double-click the .cer file and click Install Certificate in the wizard.
- Choose Current User if only your account needs to trust the certificate, or Local Machine (requires administrator rights) if every account on the computer should. Click Next, then Place all certificates in the following store.
- Click Browse and select Trusted Root Certification Authorities. Click OK.
- Click Next and Finish to install the certificate. Windows shows a security warning before adding a certificate to the Trusted Root store; confirm it only for a certificate you generated yourself or received over a channel you trust.
The self-signed certificate is now a trust anchor on this system: connections to the host names it was issued for validate without warnings. Treat that with care. Anything in the Trusted Root store is trusted unconditionally for the names it covers, so the private key behind it becomes a high-value target; a stolen key lets an attacker impersonate the server to every client that trusts the certificate. Keep the key on the server only, install the certificate on no more machines than need it, and remove it from their stores when it is no longer used.
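The server and client steps above, done from PowerShell with a check at each stage. This is an added example, not code from the original article; the file paths, host name, appid GUID and password prompt are placeholders you would replace.

```powershell
# Added example, not part of the original article. Run in an elevated PowerShell session
# (required for Cert:\LocalMachine and for netsh). Paths, host name and appid are placeholders.
$pfxPath  = 'C:\certs\self-signed.pfx'   # exported WITH the private key (server only)
$cerPath  = 'C:\certs\self-signed.cer'   # public certificate only (for clients)
$hostName = 'localhost'                  # a name listed in the certificate's -DnsName
$appId    = '{00112233-4455-6677-8899-AABBCCDDEEFF}'  # any GUID naming the owning app

# --- Server side: certificate plus private key into the computer's Personal store ---
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
$serverCert  = Import-PfxCertificate -FilePath $pfxPath `
    -CertStoreLocation Cert:\LocalMachine\My -Password $pfxPassword
if (-not $serverCert.HasPrivateKey) {
    throw 'The import produced no private key; export the certificate as a .pfx with its key.'
}

# Bind it to TCP 443 for HTTP.sys-hosted services (IIS manages its own bindings).
# certhash is the thumbprint with no spaces, taken straight from the store object.
$thumbprint = $serverCert.Thumbprint
netsh http add sslcert ipport=0.0.0.0:443 "certhash=$thumbprint" "appid=$appId"
if ($LASTEXITCODE -ne 0) { throw "netsh binding failed (exit code $LASTEXITCODE)" }
netsh http show sslcert ipport=0.0.0.0:443

# --- Client side: trust only the public certificate. The per-user Root store limits the
# trust to this account; Cert:\LocalMachine\Root would make every account trust it. ---
$trusted = Import-Certificate -FilePath $cerPath -CertStoreLocation Cert:\CurrentUser\Root

# Verify that a chain now builds under the SSL policy for the expected host name.
# Test-Certificate returns $true on success and $false (with a warning) otherwise.
if (Test-Certificate -Cert $trusted -Policy SSL -DNSName $hostName) {
    "Trusted: $($trusted.Subject) ($thumbprint) is valid for $hostName"
} else {
    throw "Chain validation failed for $hostName; check the store and the certificate's DNS names"
}
```

Importing into Cert:\CurrentUser\Root pops up the same security warning the GUI wizard shows; that is expected. Test-Certificate builds the chain against the current trust stores, so a $false result before the import and $true after it is the quickest way to confirm that the trust change actually took effect.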
Remove or Delete a Self-Signed Certificate
If a self-signed certificate is no longer needed, it can be deleted:
Remove in Certificates Console
- Open the Certificates console and navigate to the certificate.
- Right-click the certificate and select All Tasks > Delete.
- Confirm the deletion by clicking Yes.
Remove in PowerShell
Identify the certificate thumbprint and the store it lives in (Cert:\CurrentUser\My for the script in this guide, Cert:\LocalMachine\My for a server import), then run:
Remove-Item Cert:\LocalMachine\My\THUMBPRINT -Force
This deletes the store entry but not the private key container behind it; add -DeleteKey to remove the key as well. Remember that the certificate may also sit in the Trusted Root Certification Authorities store of every client where it was installed; it must be removed there too, otherwise those clients keep trusting a certificate whose key may no longer be under your control.
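The removal described above has to be repeated in every store the certificate was copied to. As an added example (not code from the original article), here is a function that takes a thumbprint and purges it from the Personal and Trusted Root stores for both the current user and the computer, deleting the private key where one exists; the thumbprint in the usage line is a placeholder.

```powershell
# Added example, not part of the original article. Deletes one self-signed certificate from
# every store this guide may have put it in and removes its private key. Deleting from the
# LocalMachine stores requires an elevated session. The thumbprint passed in is a placeholder.
function Remove-SelfSignedCertificateEverywhere {
    param([Parameter(Mandatory)][string]$Thumbprint)

    # Thumbprints copied from the certificate dialog often contain spaces; normalise them.
    $Thumbprint = ($Thumbprint -replace '\s', '').ToUpperInvariant()

    $stores = 'Cert:\CurrentUser\My', 'Cert:\CurrentUser\Root',
              'Cert:\LocalMachine\My', 'Cert:\LocalMachine\Root'
    foreach ($store in $stores) {
        $path = "$store\$Thumbprint"
        if (-not (Test-Path $path)) { continue }
        $cert = Get-Item $path
        if ($cert.HasPrivateKey) {
            # -DeleteKey removes the key container too; a plain Remove-Item leaves it behind.
            Remove-Item -Path $path -DeleteKey -Force
        } else {
            Remove-Item -Path $path -Force
        }
        Write-Host "Removed $Thumbprint from $store"
    }

    # Report anything still matching in any other store (for example TrustedPeople or CA).
    Get-ChildItem -Path Cert:\ -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.Thumbprint -eq $Thumbprint }
}

# Usage (placeholder thumbprint): Remove-SelfSignedCertificateEverywhere -Thumbprint 'A1B2C3D4...'
```

An empty result from the final Get-ChildItem is the success condition; if it lists a certificate, that store was not covered by the list and needs a manual Remove-Item.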
Conclusion
In summary, self-signed certificates are not issued by a certificate authority, so they provide encryption without independently verified identity. While useful for testing and development, they generate errors on public production websites. On Windows 10, creating your own self-signed certificate is straightforward with New-SelfSignedCertificate in PowerShell, and the Certificates console handles inspection, export, import and deletion. Export the public certificate (.cer) for the systems that need to trust it and install it in their Trusted Root Certification Authorities store; move the private key (.pfx) only to the server that uses it. Follow the guidelines covered in this article to generate, distribute, manage, and delete self-signed certificates on your Windows devices and servers. Used appropriately, self-signed certificates provide a quick way to test and deploy transport layer security.
FAQs
Why are self-signed certificates considered untrusted?
Self-signed certificates are not issued by a trusted certificate authority that validates the requester’s identity. Anyone can generate a self-signed cert, so they are inherently untrusted until explicitly installed as trusted on a system or device.
Can I use a self-signed certificate for a public production website?
Self-signed certificates are not recommended for public-facing production websites because visitors will receive browser errors about the certificate being untrusted. Public sites should use certificates signed by a trusted certificate authority.
What are some typical uses for a self-signed certificate?
Self-signed certificates are commonly used for testing, development environments, intranets, lab and IoT deployments, and anywhere the small set of clients can be given the certificate out of band (installed as a trusted root or pinned) so that trust does not depend on a public CA. They are not suitable for public production websites.
What key size should I make a self-signed certificate?
For modern encryption strength, use an RSA key of 2048 bits or larger; New-SelfSignedCertificate also supports ECDSA keys through -KeyAlgorithm (for example ECDSA_nistP256), which are smaller and faster at equivalent strength. 1024-bit RSA keys are considered insecure and should not be used.
How do I resolve trust warnings for a self-signed certificate?
Install the self-signed certificate as a trusted root certificate on any device that needs to trust it. On Windows, this means installing it in the Trusted Root Certification Authorities store. On Macs, add it as a trusted root in Keychain Access. On Linux, add it to the appropriate trusted certificates directory. Mobile devices also provide certificate installation options to trust specific self-signed certs.
What is the maximum validity period for a self-signed certificate?
New-SelfSignedCertificate imposes no hard maximum: it defaults to one year of validity and accepts any -NotAfter date you give it. Other tools and platforms have their own defaults and limits. For better security, keep the period short, one to two years at most, so that a forgotten test certificate does not remain a valid trust anchor on clients long after its key has stopped being looked after.
Can I sign a self-signed certificate with my own intermediates?
A self-signed certificate is by definition its own issuer, so an existing one cannot be re-parented under an intermediate. What you can do is make a self-signed certificate act as a private root: New-SelfSignedCertificate accepts a -Signer parameter that takes an existing certificate (with its private key) and issues a new certificate signed by it. The resulting chain (your self-signed root, optionally an intermediate, then the server certificate) is a small private CA; clients then trust only the root, and the server certificates can be rotated without touching client trust stores.
Is there a size limit for self-signed certificates?
There is generally no inherent size limit. However, there may be restrictions imposed by the application or system that will be consuming the certificate. Most certificates are well under 5KB. Larger certificates may impact performance.
What characters can I use in the subject name for a self-signed certificate?
RFC 5280 does not restrict the subject to ASCII: subject attributes such as CN are DirectoryString values, and modern certificates encode them as UTF8String, so accented and non-Latin characters are permitted. The letters, digits and hyphen restriction applies to host names. A dNSName in the Subject Alternative Name extension (and a CN that is meant to be matched as a host name) must follow the DNS preferred name syntax, and TLS clients match the server name against those entries, so keep the names you pass to -DnsName to letters, digits, hyphens and dots.