ESET Online Help

Generate a custom (self-signed) SSL Certificate

Generate self-signed certificate using Windows PowerShell

Generate a custom SSL certificate and import it to the essential stores on Windows Server 2012 R2.

1. Open Windows PowerShell.

2. Execute the following commands:

a. $customcertificate = New-SelfSignedCertificate -DnsName "<FQDN>" -CertStoreLocation "cert:\localmachine\my"
 
In the command above, replace <FQDN> with the corresponding subject name version displayed in the ESA Web Console at Components > Invitations > Server access.
If you define multiple DnsNames, for example:
-DnsName "my.esa.installation.com", "my.authentication.server", "twofactor.auth"
 
The first entry ("my.esa.installation.com" in the example above) is used in the Subject field, and subsequent entries are used in the Subject Alternative Name field of the certificate.

b. $exportpassword = ConvertTo-SecureString -String '<password>' -Force -AsPlainText

In the command above, replace <password> with a password of your choice.

c. $certPath = 'cert:\localMachine\my\' + $customcertificate.thumbprint

d. Export-PfxCertificate -cert $certPath -FilePath $env:USERPROFILE\Desktop\ESAcustomCertificate.pfx -Password $exportpassword

This final command will place the ESAcustomCertificate.pfx certificate on your desktop.

3. To open the Run dialog, press the Windows key + R.

4. Add the Certificate snap-in:

a. Type mmc and press Enter.

b. Click File > Add/Remove Snap-in.

c. Select Certificates > Add.

d. Select Computer Account, click Next, and then click Finish. Click OK to close the Add or Remove Snap-ins window.

5. Import the applicable certificate:

a. In the left pane of MMC, expand Certificates (Local Computer) > Personal, and right-click Certificates.

b. Select All Tasks > Import.

c. In the import wizard, click Next, click Browse; from the file extension drop-down menu, select Personal Information Exchange (*.pfx, *.p12), locate the exported certificate file, click Open, and then click Next.

d. Type the password used in the second command above and click Next.

e. Select Place all certificates in the following store and type Personal for the store name. Click Next and click Finish.

6. In the left pane of MMC, expand Certificates (Local Computer) > Trusted Root Certification Authorities, and right-click Certificates.

7. Select All Tasks > Import, and repeat steps 6a to 6c.

8. Double-click the certificate in Certificates (Local Computer) > Personal > Certificates and verify that the line "You have a private key that corresponds to this certificate" is displayed.

If you need a .crt and .key file instead of .pfx, convert .pfx to .crt and .key using OpenSSL or another preferred method.

Convert .pfx to .crt, .key using OpenSSL

Verify OpenSSL for Windows is installed and then execute the commands below.

When the Enter Import Password prompt is displayed, type the password defined in the Export-PfxCertificate command when generating the certificate via Windows PowerShell.

For Enter PEM pass phrase, define a new password at least four characters long.

When prompted, type the same password you defined for Enter PEM pass phrase.

 

Generate self-signed certificate using OpenSSL

Verify OpenSSL for Windows is installed.

Create a configuration file

To avoid an "Invalid certificate" warning, the ESAcustomCertificate.conf file must include the list of alternative DNS names by which the authentication server will be available. The command above will generate newKey.rsa and newCertificate.crt files.

Sample content of ESAcustomCertificate.conf file:

Generate an OpenSSL certificate and key using the Windows command line.

If the commonName was pre-configured correctly in the configuration file, press Enter when the CommonName prompt is displayed.
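
The alternative-DNS-name requirement and the generation step described in this section, as an added example that is not ESET's sample configuration or commands. It generates the pair without prompts, then checks that each name is in the Subject Alternative Name field and that the key belongs to the certificate. The file names and DNS names are the ones used on this page; the config layout, prompt = no (so no CommonName prompt appears), the key size, the validity period, the helper function names and the POSIX shell wrapper (for example Git Bash or WSL on Windows) are assumptions.

```shell
# Added example, not ESET's sample; prompt = no, key size and validity are assumed.
set -eu
umask 077   # the key below is unencrypted: keep it owner-readable only

# Every name clients connect to goes in [alt_names], the CN included.
write_conf() {
cat > ESAcustomCertificate.conf <<'EOF'
[req]
prompt             = no
distinguished_name = dn
x509_extensions    = v3_ext
[dn]
CN = my.esa.installation.com
[v3_ext]
subjectAltName = @alt_names
[alt_names]
DNS.1 = my.esa.installation.com
DNS.2 = my.authentication.server
DNS.3 = twofactor.auth
EOF
}

# Self-signed certificate plus unencrypted 2048-bit RSA key, valid 365 days.
generate_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -config ESAcustomCertificate.conf \
        -keyout newKey.rsa -out newCertificate.crt
}

# Print the DNS names from the Subject Alternative Name field, one per line.
list_sans() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 'Subject Alternative Name' | tail -n 1 |
        tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# True if host name $2 is listed in the SAN field of certificate $1.
covers_name() { list_sans "$1" | grep -Fxq "$2"; }

# True if private key $1 and certificate $2 carry the same public key.
key_matches_cert() {
    [ "$(openssl pkey -in "$1" -pubout | openssl sha256)" = \
      "$(openssl x509 -in "$2" -noout -pubkey | openssl sha256)" ]
}

cd "$(mktemp -d)"        # work in a scratch directory
write_conf && generate_cert
list_sans newCertificate.crt
key_matches_cert newKey.rsa newCertificate.crt && echo "key matches certificate"
```

A name that covers_name does not find in the certificate is one for which clients will show the "Invalid certificate" warning.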