ESET Online Help

Search English
Select the topic

Generate a custom (self-signed) SSL Certificate

Generate self-signed certificate using Windows PowerShell

Generate a custom SSL certificate and import it to the essential stores on Windows Server 2012 R2.

1.Open Window PowerShell.

2.Execute the following commands:

a.$customcertificate = New-SelfSignedCertificate -DnsName "<FQDN>" -CertStoreLocation "cert:\localmachine\my"
In the command above, replace <FQDN> with the corresponding subject name version displayed in the ESA Web Console at Components > Invitations > Server access.
If you define multiple DnsNames, for example:
-DnsName "", "my.authentication.server", "twofactor.auth"
The first entry ("" in above example) will be used in the Subject field, and subsequent entries are used in the Subject Alternative Name field of the certificate.

b.$exportpassword = ConvertTo-SecureString -String '<password>' -Force -AsPlainText

In the command above, replace <password> with a password of your choice.

c.$certPath = 'cert:\localMachine\my\' + $customcertificate.thumbprint

d.Export-PfxCertificate -cert $certPath -FilePath $env:USERPROFILE\Desktop\ESAcustomCertificate.pfx -Password $exportpassword

This final command will place the ESAcustomCertificate.pfx certificate on your desktop.

3. To open the Run dialog, press the Windows key + R.

4.Add the Certificate snap-in:

a.Type mmc and press Enter.

b.Click File > Add/Remove Snap-in.

c.Select Certificates > Add.

d.Select Computer Account, click Next, and then click Finish. Click OK to close the Add or Remove Snap-ins window.

5.Import the applicable certificate:

a.In the left pane of MMC, expand Certificates (Local Computer) > Personal, and right-click Certificates.

b.Select All Tasks > Import.

c.In the import wizard, click Next, click Browse; from the file extension drop-down menu, select Personal Information Exchange (*.pfx, *.p12), locate the exported certificate file, click Open, and then click Next.

d.Type the password used in the second command above and click Next.

e.Select Place all certificates in the following store and type Personal for the store name. Click Next and click Finish.

6.In the left pane of MMC expand Certificates (Local Computer) > Trusted Root Certification Authorities, and right-click Certificates.

7.Select All Tasks > Import, and repeat steps 6a to 6c.

8.Double-click the certificate in Certificates (Local Computer) > Personal > Certificates and verify the line You have a private key that corresponds to this certificate is displayed.

If you need a .crt and .key file instead of .pfx, convert .pfx to .crt and .key using OpenSSL or other preferred method.

Convert .pfx to .crt, .key using OpenSSL

Verify OpenSSL for Windows is installed and then execute the commands below.

openssl pkcs12 -in D:\ESAcustomCertificate.pfx -clcerts -nokeys -out D:\ESAcustomCertificate.crt

When the Enter Import Password is displayed, type the password defined in the Export-PfxCertificate command when generating the Certificate via Windows PowerShell.

openssl pkcs12 -in D:\ESAcustomCertificate.pfx -nocerts -out D:\ESAcustomCertificate_encrypted.key

For Enter PEM pass phrase, define a new password at least four characters long.

openssl rsa -in D:\ESAcustomCertificate_encrypted.key -out D:\ESAcustomCertificate.key

When prompted, type the same password you defined for Enter PEM pass phrase.


Generate self-signed certificate using OpenSSL

Verify OpenSSL for Windows is installed.

Create a configuration file

To avoid an "Invalid certificate" warning, the ESAcustomCertificate.conf file must include the list of alternative DNS names by which the authentication server will be available. The command above will generate newKey.rsa and newCertificate.crt files.

Sample content of ESAcustomCertificate.conf file:

[ req ]

default_bits       = 4096

distinguished_name = req_distinguished_name

req_extensions     = req_ext

x509_extensions    = x509_ext


[ req_distinguished_name ]

countryName                 = Country Name (2 letter code)

countryName_default         = SK

stateOrProvinceName         = State or Province Name (full name)

stateOrProvinceName_default = Slovakia

localityName                = Locality Name (eg, city)

localityName_default        = Bratislava

organizationName            = Organization Name (eg, company)

organizationName_default    = My company running ESA

commonName                  = Common Name (e.g. server FQDN)

commonName_default          =


[ req_ext ]

subjectAltName = @alternative_names


[ x509_ext ]

subjectAltName = @alternative_names



DNS.1   =

DNS.2   = my.authentication.server

DNS.3   = twofactor.auth

DNS.4   =

IP.1    =

Generate an OpenSSL certificate and key using Windows command line.

openssl req -config D:\ESAcustomCertificate.conf -new -x509 -sha256 -newkey rsa:2048 -nodes -keyout D:\ESAcustomCertificate.key -days 365 -out D:\ESAcustomCertificate.crt

If the commonName was pre-configured correctly in the configuration file, press Enter when the CommonName prompt is displayed.