Can you generate a self signed certificate on Windows Server using CLI tools like certreq and certutil?

Solution 1:

There is a way of doing it, using just %Windir%\System32\certreq.exe -new in.txt

... where in.txt is an input file in .ini syntax, as described in the documentation for certreq -new

The trick is to set RequestType = Cert. As per the note in the doc:

This option indicates a self-signed or self-issued certificate. It does not generate a request, but rather a new certificate and then installs the certificate. Self-signed is the default.

The doc is almost right ... a new self-signed certificate is installed (as can be verified by using certutil -viewstore). Don't let it confuse you though ... it still insists on throwing up a dialog to let you choose where to save the 'request' ... save it to keep the tool happy, and then delete it later.
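A sample in.txt for the approach in Solution 1, written out and submitted from PowerShell. This is an added example, not part of the original answer; the subject name server01.example.test, the file paths and the chosen key settings are assumptions for illustration.

```powershell
# Added example: build a certreq policy file and create a self-signed cert.
# Run from an elevated prompt, because MachineKeySet = TRUE targets the
# local machine store. The host name below is a constructed placeholder.
$inf = Join-Path $env:TEMP 'in.txt'
$req = Join-Path $env:TEMP 'out.req'

@'
[Version]
Signature = "$Windows NT$"

[NewRequest]
; RequestType = Cert makes certreq issue and install a certificate
; instead of producing a request for a CA.
RequestType = Cert
Subject = "CN=server01.example.test"
KeySpec = 1
KeyLength = 2048
HashAlgorithm = SHA256
; Keep the private key non-exportable unless it must be moved.
Exportable = FALSE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
; 0xa0 = digitalSignature + keyEncipherment
KeyUsage = 0xa0
ValidityPeriod = Years
ValidityPeriodUnits = 1

[EnhancedKeyUsageExtension]
; Server Authentication
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
; Subject Alternative Name; clients match the host name against this.
2.5.29.17 = "{text}"
_continue_ = "dns=server01.example.test&"
'@ | Set-Content -Path $inf -Encoding ASCII

# The second file argument names the 'request' output file.
& "$env:WinDir\System32\certreq.exe" -new $inf $req
if ($LASTEXITCODE -ne 0) { throw "certreq failed with exit code $LASTEXITCODE" }

# The leftover 'request' file is not needed for a self-signed certificate.
Remove-Item -Path $req, $inf -ErrorAction SilentlyContinue

# Confirm the certificate landed in the machine's Personal (My) store.
& "$env:WinDir\System32\certutil.exe" -store My
```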

Solution 2:

There are all kinds of ways to do this. Next time simply searching the web should provide you with thousands of sites with instructions.

Either way the easiest way to generate certs, for me at least, is just to fire up IIS and use the SSL tools within IIS to request a certificate. Sure there are CLI tools, but the step by step wizard is a piece of cake to use without having to remember formatting.

If you really want to do this via the CLI you can follow these instructions and obtain the makecert tool from Microsoft: http://msdn.microsoft.com/en-US/library/bfsktky3(v=VS.80).aspx