19

I have found this answer, but it doesn't seem to work when trying to create a wildcard certificate.

I have taken the following steps:

  1. Added a certificate to my server with the Powershell command:

     New-SelfSignedCertificate -DnsName myhostname01,*.myhostname01 -CertStoreLocation Cert:\LocalMachine\My

     (I slightly censored the URL to avoid potentially unsafe situations.)

  2. Next, I used the SSL certificate in a binding on my IIS server.

  3. I visited the page in Chrome. As expected, the certificate is marked unsafe.

     [screenshot: Chrome marks the certificate as unsafe]

  4. I saved a local copy of the certificate, and manually added a copy of the certificate to my Chrome trusted CAs. However, the certificate is still not recognized:

     [screenshot: Chrome still does not recognize the certificate]

  5. The details of the certificate look like this:

     [screenshot: certificate details]

Now, the certificates and URL I am visiting and have set up in my hosts file are all the same. There are no spelling errors. My question: am I using New-SelfSignedCertificate wrong? Or am I doing something wrong somewhere else?

yesman
  • Can you use a code block instead of an image for your sample code? It's difficult to read exactly what you are doing. – TravisEz13 Jun 09 '16 at 19:02
  • I've changed the powershell command per your request, but I can't accurately describe in code or text what windows I'm looking at. – yesman Jun 10 '16 at 06:23

2 Answers

41

For anyone else who might arrive at this question clinging onto what's left of their sanity, the answer that ended up working for me was this:

New-SelfSignedCertificate -Subject *.my.domain -DnsName my.domain, *.my.domain -CertStoreLocation Cert:\LocalMachine\My -NotAfter (Get-Date).AddYears(10)

Vinney Kelly
  • While the project I needed it for has already stopped, I can still use this for my next one. Thanks! – yesman Jul 06 '17 at 06:54
  • Do you remember what version and OS you used for PowerShell? I'm having issues with the NotAfter parameter. – aaronR Oct 27 '17 at 14:24
  • @aaronR: I think you should have a problem with the Subject parameter as well. As far as I see, the NotAfter parameter (just like the Subject parameter) is supported only by the WS2016 / W10 version of the cmdlet, see: https://technet.microsoft.com/de-at/library/hh848633(v=wps.640) – pholpar Dec 05 '17 at 21:36
  • Finally!! No hair left on my head but at least it's working at last. – Shimmy Weitzhandler Jul 25 '19 at 03:51
0

An SSL wildcard certificate should have one subject with the wildcard, and the rest of the DNS names should be in the Subject Alternative Name, which is provided by the DNSName parameter. I believe the example below will do what you want.

Example

New-SelfSignedCertificate -Subject *.myhostname01  -DnsName myhostname01 -CertStoreLocation Cert:\LocalMachine\My 
dir Cert:\LocalMachine\My\ | Where-Object {$_.Subject -eq 'CN=*.myhostname01'} | ForEach-Object {
    [PSCustomObject] @{
        Subject = $_.Subject
        SAN = $_.DnsNameList
    }
}

Result

Subject           SAN
-------           ---
CN=*.myhostname01 {myhostname01}


TravisEz13
  • Thanks! However, I get the error message `A parameter cannot be found that matches parameter name 'Subject'.` I'm on Windows Server 2012, with IIS8, so this command should work. But it doesn't! – yesman Jun 13 '16 at 07:46
  • I know this CmdLet was changed in WMF 5.0. WMF 5.0 is available for download [here](https://www.microsoft.com/en-us/download/details.aspx?id=50395) – TravisEz13 Jun 13 '16 at 15:14
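Combining the two answers, as an added example that is not from the question or either answer: a PowerShell script that first checks the installed cmdlet supports -Subject (the WS2012 / pre-WMF 5.0 error yesman hit), creates the wildcard certificate for the placeholder domain `example.test`, and then verifies the Subject and SAN the way TravisEz13's answer does. Run it from an elevated prompt, since it writes to Cert:\LocalMachine\My.

```powershell
# Added example (not code from the question or the answers). Creates a wildcard
# self-signed certificate and checks that the wildcard is the Subject and that
# every name is present in the SAN list. Assumes the WS2016 / Windows 10 (WMF 5.0+)
# version of New-SelfSignedCertificate, the first to support -Subject and -NotAfter.
$baseName  = 'example.test'             # placeholder domain, substitute your own
$wildcard  = "*.$baseName"
$storePath = 'Cert:\LocalMachine\My'    # requires an elevated session

# The older (WS2012 / WMF 4) cmdlet lacks -Subject and fails with
# "A parameter cannot be found that matches parameter name 'Subject'", so fail early.
$cmd = Get-Command New-SelfSignedCertificate
if (-not $cmd.Parameters.ContainsKey('Subject')) {
    throw "This New-SelfSignedCertificate does not support -Subject; install WMF 5.0 or newer."
}

# Wildcard in the Subject, bare name and wildcard both in the SAN (-DnsName).
$cert = New-SelfSignedCertificate -Subject $wildcard `
    -DnsName $baseName, $wildcard `
    -CertStoreLocation $storePath `
    -NotAfter (Get-Date).AddYears(1)

# DnsNameList is the SAN as PowerShell exposes it on X509Certificate2 objects;
# each entry carries a Unicode and a Punycode form of the name.
$san      = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
$expected = @($baseName, $wildcard)
$missing  = @($expected | Where-Object { $san -notcontains $_ })

# A browser validates the host name against the SAN, so any name missing here
# is a name the certificate will be rejected for.
[PSCustomObject]@{
    Thumbprint = $cert.Thumbprint
    Subject    = $cert.Subject
    SAN        = $san -join ', '
    NotAfter   = $cert.NotAfter
    SubjectOk  = ($cert.Subject -eq "CN=$wildcard")
    SanOk      = ($missing.Count -eq 0)
}
if ($missing.Count -gt 0) {
    Write-Warning "Names missing from SAN: $($missing -join ', ')"
}
```

The result object should show `Subject = CN=*.example.test`, `SAN = example.test, *.example.test`, and both `SubjectOk` and `SanOk` as `True`; a `False` in either column means the binding will not validate for at least one of the names.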