Generating self-signed certificate for domain controllers

Recently I discovered that the self-signed certificates on our domain controllers had expired. Since they are used primarily by a third-party tool on the same internal network, self-signed certificates are sufficient, provided that tool is configured to trust those specific certificates rather than to ignore certificate errors. Unfortunately for some, but definitely fortunately for me, there was no documentation as to how these certificates were generated years ago. This was a perfect opportunity for me to learn something new and to write a blog post to share what I learned.


During my research, I stumbled upon this post, which guided me through two possible solutions, since there is no Certificate Authority (CA) set up in my environment yet. There is also no need to purchase a certificate from a third-party CA for our intended purpose.

  • Create a self-signed certificate with IIS
  • Create a self-signed certificate with PowerShell

There are plenty of posts on the Internet, such as this one, on how to create a self-signed certificate with IIS. One drawback of this approach is that the certificate includes only the Server Authentication Enhanced Key Usage (EKU), which is by design per Microsoft. More importantly, IIS should never be installed on a domain controller: every additional role on a DC is additional attack surface on the most sensitive host in the domain.

Creating a self-signed certificate with PowerShell is then the next best choice. Again, there are plenty of posts out there, such as this one, showing the basic steps. Using this method I noticed that by default the self-signed certificate is valid for only one year (the default of New-SelfSignedCertificate). I then stumbled upon this self-signed certificate generator, which gives you additional flexibility. Without it, you have to configure the specific properties of the certificate (validity period, subject alternative names, key usages) yourself.
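The following is an added example, not code from the original post or from the generator or GUI tool it links to. It does by hand what those tools wrap: issues a multi-year self-signed certificate with the properties a domain controller needs for LDAPS, optionally exports it so it can be generated on one machine and imported on the DC, asks the DC to reload it, and then checks what the DC actually serves on port 636. It assumes the Windows Server 2016+/Windows 10 version of New-SelfSignedCertificate (the Server 2012 R2 version lacks -NotAfter and -TextExtension) and an elevated session; the DC name, validity period and PFX path are placeholders.

```powershell
# Added example, not code from the original post or from the tools it links to.
# Assumes the Windows Server 2016+/Windows 10 New-SelfSignedCertificate (the
# Server 2012 R2 version lacks -NotAfter and -TextExtension), run elevated.
# The DC name, validity period and PFX path are placeholders.

$DcFqdn     = 'dc01.corp.example'        # placeholder: the DC's FQDN
$ValidYears = 5                          # instead of the cmdlet's 1-year default
$PfxPath    = 'C:\Certs\dc01-ldaps.pfx'  # placeholder: only needed to move the cert

# EKU extension (OID 2.5.29.37): Server Authentication (1.3.6.1.5.5.7.3.1) is what
# LDAPS needs; Client Authentication (1.3.6.1.5.5.7.3.2) is added because a DC also
# authenticates as a client. The IIS route gives you only the first one.
$Eku = '2.5.29.37={text}1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2'

$params = @{
    DnsName           = @($DcFqdn, $DcFqdn.Split('.')[0])  # SAN: FQDN plus short host name
    Subject           = "CN=$DcFqdn"
    CertStoreLocation = 'Cert:\LocalMachine\My'            # LDAPS requires the computer personal store
    KeyAlgorithm      = 'RSA'
    KeyLength         = 2048
    HashAlgorithm     = 'SHA256'
    KeyExportPolicy   = 'Exportable'                       # use NonExportable if it never leaves this host
    KeyUsage          = @('DigitalSignature', 'KeyEncipherment')
    TextExtension     = @($Eku)
    NotAfter          = (Get-Date).AddYears($ValidYears)
    FriendlyName      = "LDAPS $DcFqdn (self-signed)"
}
$cert = New-SelfSignedCertificate @params

# Confirm what was actually issued before relying on it.
$cert | Format-List Subject, DnsNameList, NotBefore, NotAfter, Thumbprint, HasPrivateKey
($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }).Format($true)

# Only if the certificate was generated on another machine: export it with its
# private key, copy the PFX to the DC, import it there, then delete the PFX.
New-Item -ItemType Directory -Force -Path (Split-Path $PfxPath) | Out-Null
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $pfxPassword | Out-Null
# On the DC:
#   Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\LocalMachine\My -Password $pfxPassword

# Schannel picks a certificate from the computer store on its own, so remove the
# expired one (replace the placeholder thumbprint) so there is only one candidate:
#   Get-ChildItem Cert:\LocalMachine\My\<OLD-THUMBPRINT> | Remove-Item

# Ask the DC to reload its LDAPS certificate without a reboot (rootDSE modify
# operation renewServerCertificate, documented in MS-ADTS); a reboot also works.
$rootDse = [ADSI]"LDAP://$DcFqdn/RootDSE"
$rootDse.Put('renewServerCertificate', 1)
$rootDse.SetInfo()

# Finally, check what the DC presents on 636. The validation callback accepts
# anything because we are inspecting the certificate, not trusting it; clients of
# the third-party tool must trust this exact certificate, not skip validation.
function Test-LdapsCertificate {
    param([string]$Server, [int]$Port = 636)
    $tcp = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    try {
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($Server)
        $remote = [System.Security.Cryptography.X509Certificates.X509Certificate2]$ssl.RemoteCertificate
        [pscustomobject]@{
            Server     = $Server
            Subject    = $remote.Subject
            Thumbprint = $remote.Thumbprint
            NotAfter   = $remote.NotAfter
        }
    } finally { $tcp.Close() }
}

$served = Test-LdapsCertificate -Server $DcFqdn
if ($served.Thumbprint -ne $cert.Thumbprint) {
    Write-Warning "LDAPS on $DcFqdn is still serving $($served.Thumbprint), not the new certificate."
} else {
    "LDAPS on $DcFqdn now serves the new certificate, valid until $($served.NotAfter)."
}
```

Two points worth keeping in mind when adapting this: the thumbprint comparison at the end is the real test that the replacement worked, since an old certificate left in the store can still be the one Schannel selects; and whatever consumes the certificate (the third-party tool, monitoring, other hosts) should be given the new certificate or its thumbprint to trust explicitly, because a self-signed certificate has no chain for them to validate.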


While there is no excuse not to be well versed in PowerShell in this day and age, you may find this solution somewhat mind-boggling. By luck, I discovered a free GUI tool created by itiverba which makes this task much easier. And did I say it's free?


With this Self Signed Certificate Generator, I simply enter the information and check off the applicable boxes to generate the certificate. I can even run the tool on my local machine and generate the certificate for the domain controller there, then move it to the domain controller, and the result is the same as if it had been created on the domain controller itself. Moving it means exporting the private key in a PFX file, so protect that file with a strong password and delete it once it has been imported on the domain controller.


Mission accomplished!

