Recently, I discovered that the self-signed certificates generated for our domain controllers expired. Since they are used primarily for a third-party tool on the same internal network, self-signed certificates are sufficient. Unfortunately for some but definitely fortunately for me, there was no documentation as to how these certificates were generated years ago. This serves as a perfect opportunity for me to learn something new, and to create a blog post to share my knowledge with others.
During my research, I stumbled upon this post which guided me through two possible solutions to this issue, since there is no Certificate Authority (CA) set up in my environment yet. Again, there is no need to purchase a certificate from a third-party CA for our intended purpose either.
- Create a self-signed certificate with IIS
- Create a self-signed certificate with PowerShell
There are plenty of posts on the Internet such as this one on how to create a self-signed certificate with IIS. However, one drawback with this approach is that only the Server Authentication extended key usage is included, which is by design per Microsoft. More importantly, one should never install IIS on a domain controller, as it only adds attack surface to the most sensitive host in the environment.
Creating a self-signed certificate with PowerShell would then be the next best choice. Again, there are plenty of posts out there such as this one showing you the basic steps. Using this method, I noticed that by default the self-signed certificate is valid only for 1 year. I then stumbled upon this self-signed certificate generator which gives you additional flexibility. Without it, you may have to manually configure specific properties within the self-signed certificate.
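To show what "configuring specific properties" means in practice, here is an added example (not the post's own commands and not the generator it links to) that uses the built-in New-SelfSignedCertificate cmdlet to set the validity period explicitly, add both Server and Client Authentication EKUs, export the public certificate, and report certificates nearing expiry so the next renewal is not a surprise. The host names, output path and validity period are placeholders.

```powershell
# Added example: self-signed certificate for a domain controller with explicit
# validity and EKUs, plus an expiry check. Names and paths are placeholders.
$dcName     = 'dc01.corp.example'   # placeholder DC FQDN
$shortName  = 'dc01'                # placeholder NetBIOS name
$validYears = 5                     # the cmdlet default is 1 year
$outDir     = 'C:\certs'            # placeholder export folder

$cert = New-SelfSignedCertificate `
    -Subject "CN=$dcName" `
    -DnsName $dcName, $shortName `
    -FriendlyName 'DC self-signed (internal tool)' `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -KeyUsage DigitalSignature, KeyEncipherment `
    -KeyExportPolicy Exportable `
    -NotAfter (Get-Date).AddYears($validYears) `
    -TextExtension @(
        # OID 2.5.29.37 = Extended Key Usage: serverAuth and clientAuth
        '2.5.29.37={text}1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2'
    )

# Record what was generated so the next administrator is not left guessing.
$cert | Select-Object Subject, Thumbprint, NotBefore, NotAfter, EnhancedKeyUsageList |
    Format-List

# Export only the public certificate (no private key) for the third-party tool to trust.
New-Item -ItemType Directory -Path $outDir -Force | Out-Null
Export-Certificate -Cert $cert -FilePath (Join-Path $outDir "$shortName.cer") | Out-Null

# Expiry check: list machine-store certificates that expire within N days.
function Get-ExpiringCertificate {
    param([int]$Days = 30)
    Get-ChildItem -Path 'Cert:\LocalMachine\My' |
        Where-Object { $_.NotAfter -lt (Get-Date).AddDays($Days) } |
        Select-Object Subject, Thumbprint, NotAfter
}

Get-ExpiringCertificate -Days 30
```

Run it in an elevated PowerShell session on the domain controller itself, since it writes to the LocalMachine store; the expiry function can be scheduled on its own to catch the situation described at the start of this post.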
While there is no excuse not to be well-versed with PowerShell in this day and age, you may find this solution somewhat mind-boggling. By luck, I discovered a free GUI tool created by itiverba which helps accomplish this task so much easier. And did I say it’s free?
With this Self Signed Certificate Generator, I simply enter the information and check off the applicable boxes to generate the certificate. I can even run this tool on my local machine, and the self-signed certificate will still get generated as if it is created on the domain controllers instead.