Create a self-signed certificate with PowerShell New-SelfSignedCertificate or Makecert.exe

How to create a self-signed certificate for website development on your machine.

 

If you're on Windows 10 or greater, use PowerShell instead of Makecert.exe
The PowerShell command "New-SelfSignedCertificate" makes a better certificate than Makecert.exe. New-SelfSignedCertificate will create a certificate with a "Subject Alternative Name", which modern browsers check to validate the certificate. Without the SAN, modern browsers may show the certificate as untrusted even though in every other aspect it's perfectly fine. Makecert.exe cannot create the SAN.

If you're on Windows 7 and you have access to a Windows 10 machine, you could make the certificate using PowerShell on Windows 10 and then export it and load it on your Windows 7 machine. Another way to create a certificate on Windows 7 with a SAN is to use OpenSSL.

On Windows 10, open the PowerShell ISE and execute the following command to make the company certificate.
 
$rootCert = New-SelfSignedCertificate -DnsName "Your Company Name Dev Root CA" -CertStoreLocation cert:\LocalMachine\My -KeyUsage DigitalSignature,CertSign
 
Then use PowerShell to create the site certificate. In this example, I'm creating a wildcard certificate that will work for any site on my machine ending in .local.net.
 
New-SelfSignedCertificate -CertStoreLocation cert:\LocalMachine\My -DnsName "*.local.net" -Signer $rootCert -KeyUsage KeyEncipherment,DigitalSignature -NotAfter (Get-Date).AddYears(10)
 
After you've created both certificates, open mmc.exe, add the Certificates snap-in, and drag the company name certificate from the Personal -> Certificates folder to the Trusted Root Certification Authorities -> Certificates folder.
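
A check for the result of the PowerShell steps above, added here as an example and not part of the original page: it confirms that the site certificate carries a Subject Alternative Name and that it chains to the root now in Trusted Root Certification Authorities. Test-DevCertificate is a hypothetical helper name, and the default subjects assume the names used in the commands above.

```powershell
# Added example (not from the original page). Run in an elevated PowerShell session.
# Test-DevCertificate is a hypothetical helper; the default subjects assume the
# names used in the New-SelfSignedCertificate commands above.
function Test-DevCertificate {
    param(
        [string]$SiteSubject = 'CN=*.local.net',
        [string]$RootSubject = 'CN=Your Company Name Dev Root CA'
    )

    # Newest matching site certificate in the machine's Personal store.
    $site = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq $SiteSubject } |
        Sort-Object NotBefore -Descending |
        Select-Object -First 1
    if (-not $site) { throw "No certificate with subject '$SiteSubject' in LocalMachine\My" }

    # Subject Alternative Name extension (OID 2.5.29.17): browsers match host names against it.
    $san = $site.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = if ($san) { $san.Format($false) } else { $null }

    # Build the chain against the Windows trust stores. Revocation checking is
    # turned off because a local dev CA publishes no CRL.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chainOk = $chain.Build($site)

    # Root certificate as it appears in Trusted Root Certification Authorities.
    $root = Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -eq $RootSubject } |
        Select-Object -First 1

    [pscustomobject]@{
        Thumbprint        = $site.Thumbprint
        NotAfter          = $site.NotAfter
        SubjectAltName    = $sanText
        HasSan            = [bool]$san
        ChainTrusted      = $chainOk
        ChainSubjects     = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })
        ChainStatus       = @($chain.ChainStatus | ForEach-Object { $_.Status })
        RootInTrustedRoot = [bool]$root
        RootHasPrivateKey = [bool]($root -and $root.HasPrivateKey)
    }
}

Test-DevCertificate | Format-List
```

HasSan and ChainTrusted should both be True once the root is in the trusted store. RootHasPrivateKey reports whether the root's signing key is still present on the machine, where anyone able to use it could issue certificates that this machine trusts.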


 
If you're on Windows 7, you can use Makecert.exe to create a trusted root certificate without the SAN.
Open a command window as Administrator and execute the following makecert.exe command:
 
makecert.exe -n "CN=Your Company Dev Root CA,O=Your Company,OU=Development,L=Your City,S=Your State,C=Your country" -pe -ss Root -sr LocalMachine -sky exchange -m 120 -a sha256 -len 2048 -r
 
Then use Makecert.exe to create the site certificate. In this example, I'm creating a wildcard certificate that will work for any site on my machine ending in .local.net.
 
makecert.exe -n "CN=*.local.net" -pe -ss My -sr LocalMachine -sky exchange -m 120 -in "Your Company Dev Root CA" -is Root -ir LocalMachine -a sha256 -eku 1.3.6.1.5.5.7.3.1