There are two ways to do this: through the MMC interface, or through the command line. The MMC interface is easier. You right-click on the new certificate, select “All Tasks | Export”, and follow the prompts to export including the private key. However, the PowerShell commands are more flexible, so we’ll detail them here.
We use the following PowerShell commands in the same session.
[String]$rootCertPath = Join-Path -Path 'cert:\CurrentUser\My\' -ChildPath "$($rootCert.Thumbprint)"
This gets the path to the certificate in the store by way of the $rootCert variable we stored earlier. (This is why you want to issue all of these commands in the same shell session: the references to the generated certificates can then be reused.)
Next, we will use that certificate to generate two files, named FakeCA.pfx and FakeCA.crt, in your current working directory. FakeCA.pfx is the PKCS#12 export holding the private key associated with the certificate, without which we can’t use it to sign anything, and which must be password-protected. FakeCA.crt is the certificate itself (the public part only), written out to a file.
Export-PfxCertificate -Cert $rootCertPath -FilePath 'FakeCA.pfx' -Password ("password" | ConvertTo-SecureString -AsPlainText -Force)
Export-Certificate -Cert $rootCertPath -FilePath 'FakeCA.crt'
In the code above, substitute your own password where it says "password". Be sure to retain the quotes.
Step 4: Create a new certificate signed by the fake root authority
This next step generates an actual certificate signed by the fake root authority we created for this machine. Again, use the same PowerShell session for these commands too.
$testCert = New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -DnsName "SignedByFakeCA" -KeyExportPolicy Exportable -KeyLength 2048 -KeyUsage DigitalSignature,KeyEncipherment -Signer $rootCert
As with the fake root authority, this certificate is kept in the machine’s local certificate store.
We also need to export the certificate and its private key to two files, as we did before. Be sure you use the same password for the private key that you defined above.
[String]$testCertPath = Join-Path -Path 'cert:\LocalMachine\My\' -ChildPath "$($testCert.Thumbprint)"
Export-PfxCertificate -Cert $testCertPath -FilePath testcert.pfx -Password ("password" | ConvertTo-SecureString -AsPlainText -Force)
Export-Certificate -Cert $testCertPath -FilePath testcert.crt
Once again, when you’re done, you should have two files, named testcert.pfx and testcert.crt, in your current working directory.
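Before going on to trust anything, it is worth confirming that the four files really contain what Steps 3 and 4 were meant to produce. The following PowerShell is an added example, not part of the original walkthrough: it assumes you are still in the same session (so $rootCert and $testCert exist) and that the .crt/.pfx files are in the current directory, and it reads the PFX password from the console rather than from a literal on the command line (a plaintext password in a command lands in the PowerShell history file). The function name Test-ExportedPair is my own.

```powershell
# Added example (not from the original article): re-read the exported files and
# check that each .crt/.pfx pair matches the certificate object it was exported from.
# Assumes the same session as Steps 3 and 4, so $rootCert and $testCert are defined.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString

function Test-ExportedPair {
    param(
        [Parameter(Mandatory)][string]$CrtPath,
        [Parameter(Mandatory)][string]$PfxPath,
        [Parameter(Mandatory)][securestring]$Password,
        [Parameter(Mandatory)][string]$ExpectedThumbprint
    )
    # The .crt carries only the public certificate.
    $crt = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new((Resolve-Path $CrtPath).Path)
    # The .pfx (PKCS#12) carries the certificate plus its private key; loading it also proves the password.
    # EphemeralKeySet keeps the key in memory instead of writing it into a key store (needs .NET Framework 4.7.2 or later).
    $pfx = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
        (Resolve-Path $PfxPath).Path,
        $Password,
        [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::EphemeralKeySet)
    [pscustomobject]@{
        File            = $CrtPath
        Subject         = $crt.Subject
        Issuer          = $crt.Issuer
        ThumbprintMatch = ($crt.Thumbprint -eq $ExpectedThumbprint) -and ($pfx.Thumbprint -eq $ExpectedThumbprint)
        HasPrivateKey   = $pfx.HasPrivateKey
        NotAfter        = $crt.NotAfter
    }
}

Test-ExportedPair -CrtPath 'FakeCA.crt'   -PfxPath 'FakeCA.pfx'   -Password $pfxPassword -ExpectedThumbprint $rootCert.Thumbprint
Test-ExportedPair -CrtPath 'testcert.crt' -PfxPath 'testcert.pfx' -Password $pfxPassword -ExpectedThumbprint $testCert.Thumbprint

# The test certificate must name the fake CA as its issuer; if it does not, -Signer did not take effect.
if ($testCert.Issuer -ne $rootCert.Subject) {
    Write-Warning "testcert.crt is not issued by the fake CA: issuer is '$($testCert.Issuer)'"
}
```

Both calls should report ThumbprintMatch and HasPrivateKey as True; a wrong password makes the PFX load throw, and a False ThumbprintMatch means a file was overwritten by an earlier run and should be regenerated.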
Step 5: Install the fake root authority certificate to the Trusted Root Authorities Store
The next step is to make the fake root authority we created into a fully trusted authority on this machine. When we do this, all certificates signed by that authority will be treated as trusted (again, only on this machine). Then we can sign any number of certificates with that authority and have them all automatically be trusted in the same environment.
However, this will only work on a machine where the fake root authority certificate has been set up to be trusted. That’s by design. Self-signed certificates should work only in environments where we designate them as trustworthy.
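You can see this design directly by asking Windows to build the trust chain for the test certificate before and after the import in Step 5. The following is an added example, not part of the original article: it assumes the same session (so $testCert and $rootCert exist) and uses a function name, Test-CertChain, of my own. The root is handed to the chain engine through ExtraStore only so that the issuer can be found; whether the chain is trusted still depends on the Trusted Root Certification Authorities store.

```powershell
# Added example (not from the original article): report whether this machine
# currently trusts the certificate from Step 4, and why not if it does not.
function Test-CertChain {
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Issuer
    )
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    # The fake CA publishes no CRL, and trust of the root is the only question here.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    if ($Issuer) {
        # Lets the engine locate the issuer without making it trusted.
        $chain.ChainPolicy.ExtraStore.Add($Issuer) | Out-Null
    }
    $trusted = $chain.Build($Certificate)
    [pscustomobject]@{
        Subject   = $Certificate.Subject
        Trusted   = $trusted
        # Empty when the chain is fully trusted; lists UntrustedRoot while the fake CA is not in the Root store.
        Status    = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        ChainPath = ($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) -join ' <- '
    }
}

Test-CertChain -Certificate $testCert -Issuer $rootCert
```

Run before the import, Trusted is False and Status contains UntrustedRoot even though ChainPath already shows the leaf chaining to the fake CA; run again after Step 5, Trusted becomes True and Status is empty. Running the same check on a second machine where the root was never imported keeps returning UntrustedRoot, which is exactly the scoping the paragraph above describes.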
To trust the fake root authority, go back to the Certificate Manager snap-in. In the right-hand pane, expand “Trusted Root Certification Authorities | Certificates”, then right-click Certificates and select “All Tasks | Import”.