New-SelfSignedCertificate

Since makecert is deprecated I have to update instructions for generating certificates for a particular customer using New-SelfSignedCertificate.

While I am able to generate the certificate, I receive the beloved message below when trying to use the certificate:

Invalid algorithm specified.

This is the set of parameters currently being used:

New-SelfSignedCertificate -Subject 'CN=BridgeTest' -KeyUsage DataEncipherment -KeyAlgorithm RSA -KeyExportPolicy Exportable -KeySpec Signature -NotAfter (Get-Date).AddYears(20) -HashAlgorithm sha256 -KeyLength 2048

Suggestions as to how to generate a usable certificate? Also, could you update your documentation to use the new tool?

Thanks,
Alistair.

Hi Alistair
You need to specify the Microsoft Enhanced RSA and AES Cryptographic Provider as this is required to generate SHA-256 signatures.
You need to include -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider"
For example:


New-SelfSignedCertificate `
    -Subject "www.idp.com" `
    -CertStoreLocation cert:\LocalMachine\My `
    -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" `
    -HashAlgorithm SHA256 `
    -KeyLength 2048 `
    -NotAfter 1/1/2050
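
A way to confirm that a certificate's private key can actually produce SHA-256 signatures, as described in the reply above. This is an added example, not code from the thread or from ComponentSpace. It assumes Windows PowerShell 5.1 on .NET Framework; the function name Test-Sha256Signing, the subject CN=ProviderCheck and the use of the CurrentUser store are hypothetical choices made for the illustration.

```powershell
# Added example, not from the thread. Assumes Windows PowerShell 5.1 (.NET Framework).
# 'CN=ProviderCheck' is a constructed subject; CurrentUser\My is used to avoid elevation.
function Test-Sha256Signing {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    $report = [ordered]@{
        Subject       = $Certificate.Subject
        Provider      = $null
        ProviderType  = $null   # 24 = PROV_RSA_AES, 1 = PROV_RSA_FULL
        CanSignSha256 = $false
        Error         = $null
    }
    try {
        # On .NET Framework this returns RSACryptoServiceProvider for CSP-backed keys
        # and fails for keys held in a CNG key storage provider.
        $key = $Certificate.PrivateKey
        if ($null -eq $key) { throw 'Certificate has no usable private key.' }
        $report.Provider     = $key.CspKeyContainerInfo.ProviderName
        $report.ProviderType = $key.CspKeyContainerInfo.ProviderType

        # Sign and verify constructed sample data with SHA-256.
        $data      = [System.Text.Encoding]::UTF8.GetBytes('constructed sample payload')
        $signature = $key.SignData($data, 'SHA256')
        $report.CanSignSha256 = $key.VerifyData($data, 'SHA256', $signature)
    }
    catch {
        # A provider without SHA-256 support surfaces here, e.g. "Invalid algorithm specified."
        $report.Error = $_.Exception.Message
    }
    [pscustomobject]$report
}

$cert = New-SelfSignedCertificate `
    -Subject 'CN=ProviderCheck' `
    -CertStoreLocation Cert:\CurrentUser\My `
    -Provider 'Microsoft Enhanced RSA and AES Cryptographic Provider' `
    -HashAlgorithm SHA256 `
    -KeyLength 2048 `
    -NotAfter (Get-Date).AddDays(1)
try {
    Test-Sha256Signing -Certificate $cert | Format-List
}
finally {
    # Remove the throwaway certificate and its private key.
    Remove-Item -Path "Cert:\CurrentUser\My\$($cert.Thumbprint)" -DeleteKey
}
```

The same function can be pointed at an existing certificate, for example one loaded with Get-Item from the Cert: drive, to check its provider before it is handed to a customer.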


[quote]
ComponentSpace - 6/10/2017
Hi Alistair
You need to specify the Microsoft Enhanced RSA and AES Cryptographic Provider as this is required to generate SHA-256 signatures.
You need to include -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider"
For example:


New-SelfSignedCertificate `
    -Subject "www.idp.com" `
    -CertStoreLocation cert:\LocalMachine\My `
    -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" `
    -HashAlgorithm SHA256 `
    -KeyLength 2048 `
    -NotAfter 1/1/2050


[/quote]

Awesome, that works perfectly, so much easier than makecert!

You’re welcome and yes, I agree. :)