Here’s a short summary:
Step 1: Generate a self-signed root certificate and install that in the trusted root certificates store.
Step 2: Generate a client authentication certificate that is derived from the root certificate and install that in the trusted root certificates store.
Part 1:
1. Open IIS.
2. Click on server certificates.
3. In the right panel, click on create a self-signed certificate.
4. Specify a friendly name for the certificate.
5. Select the certificate store for the new certificate. Leave it at the default, “Personal”.
6. The certificate created in step 5 is automatically stored in the Microsoft Management Console (MMC) under Local Computer\Personal\Certificates.
Part 2:
- Open Microsoft Management Console.
- Select File, and click Add/Remove Snap-in…
- Select the Certificates snap-in, and click Add.
- Select Computer account, and click Next.
- Select Local computer, and click Finish.
- Click OK.
- In the left panel, expand Certificates (Local Computer).
- Expand the Personal node, and click Certificates.
- Right-click on the newly created certificate, select All Tasks, and click Export…
- The Certificate Export Wizard will open. Click Next to continue.
- Verify that “Yes, export the private key” is selected, set a password, and click Next.
- Specify a file name with .pfx extension, and click Next.
- Click Next.
- Click Finish.
The certificate is stored at the specified location.
Installation part
- Right-click on the Trusted Root Certification Authorities folder, select All Tasks, and click Import…
- Browse to the location of the newly exported certificate file.
- Verify the location of the certificate store and click Next.
- Click Finish.
Note: Perform the same import for the Trusted People folder.
Generate a client authentication certificate that is derived from the root certificate.
Step 1:
Import the certificate with its private key (the .pfx exported in Part 2) into Current User\Personal\Certificates on your computer. Follow the same steps to install it in the Trusted Root Certification Authorities and Trusted People folders.
Step 2:
Use PowerShell to create the client certificate (child certificate) that is derived from the root certificate.
Identify the self-signed root certificate that is installed on the computer. The following cmdlet returns a list of the certificates installed in the current user’s personal store:
Get-ChildItem -Path "Cert:\CurrentUser\My"
Locate the subject name in the returned list, then copy the thumbprint shown next to it to a text file. In the following example, there are seven certificates. The CN name is the name of the self-signed root certificate from which you want to generate a child certificate; in this case, ‘ANU-PC’, with the thumbprint ending in ’72’.
Declare a variable for the root certificate using the thumbprint from the previous step. Replace THUMBPRINT with the thumbprint of the root certificate from which you want to generate a child certificate.
$cert = Get-ChildItem -Path "Cert:\CurrentUser\My\THUMBPRINT"
For example, using the thumbprint for ‘ANU-PC’ in the previous step, the variable looks like this:
$cert = Get-ChildItem -Path "Cert:\CurrentUser\My\4e70ca6774bb3bb80936c61bcc3c0f6f7962dd72"
Modify and run the following example to generate a client certificate. If you run it without modifying it, the result is a client certificate named ‘P2SChildCert’. If you want to name the child certificate something else, modify the CN value in -Subject. Do not change the TextExtension when running this example: it sets the Extended Key Usage extension (OID 2.5.29.37) to Client Authentication (OID 1.3.6.1.5.5.7.3.2), which is what makes the result a client authentication certificate. The client certificate that you generate is automatically installed in ‘Certificates – Current User\Personal\Certificates’ on your computer.
New-SelfSignedCertificate -Type Custom -DnsName P2SChildCert -KeySpec Signature `
-Subject "CN=P2SChildCert" -KeyExportPolicy Exportable `
-HashAlgorithm sha256 -KeyLength 2048 `
-CertStoreLocation "Cert:\CurrentUser\My" `
-Signer $cert -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2")
If you open the child certificate’s Certification Path tab, you can see that “TestCertificate” is the root certificate of its child certificate, “childTestCertificate-ANU-PC”. Here, TestCertificate is the server authentication certificate and childTestCertificate is the client authentication certificate.
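The whole procedure above, scripted end to end in PowerShell as an added example (this is not code from the original post): it creates the root certificate, exports the .pfx and installs the public part into Trusted Root and Trusted People, issues the client authentication certificate signed by that root, and then verifies that the child actually chains to the root and carries the Client Authentication EKU. The names TestRootCA, the $env:TEMP output paths and the prompted password are placeholders chosen for this example; the root here is given a Basic Constraints extension marking it as a CA, which the IIS wizard certificate in Part 1 does not need for the -Signer step but which chain validators expect. Run it in an elevated Windows PowerShell 5.1 session, since writing to the LocalMachine stores requires administrator rights.

```powershell
# Added example, not from the original post. Assumes an elevated Windows PowerShell 5.1 session.
$ErrorActionPreference = 'Stop'
$rootName    = 'TestRootCA'     # placeholder subject name for the root certificate
$clientName  = 'P2SChildCert'   # client certificate name used in the post
$pfxPath     = Join-Path $env:TEMP "$rootName.pfx"   # placeholder output paths
$cerPath     = Join-Path $env:TEMP "$rootName.cer"
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX export password'

# 1. Self-signed root (Part 1). The Basic Constraints extension (OID 2.5.29.19) marks it as a CA
#    so that certificates it signs chain to it; CertSign key usage allows it to sign them.
$root = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
    -Subject "CN=$rootName" -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -KeyUsageProperty Sign -KeyUsage CertSign `
    -TextExtension @('2.5.29.19={text}CA=true&pathlength=0')

# 2. Export with the private key (Part 2). Only this .pfx contains the key; keep it offline.
Export-PfxCertificate -Cert $root -FilePath $pfxPath -Password $pfxPassword | Out-Null

# 3. Install the public certificate only (no private key) into Trusted Root and Trusted People
#    ("Installation part" and its note). The trust decision is made on the public part alone.
Export-Certificate -Cert $root -FilePath $cerPath | Out-Null
foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\TrustedPeople') {
    Import-Certificate -FilePath $cerPath -CertStoreLocation $store | Out-Null
}

# 4. Client authentication certificate signed by the root (Step 2 of the post).
#    OID 2.5.29.37 is Extended Key Usage; 1.3.6.1.5.5.7.3.2 is Client Authentication.
$client = New-SelfSignedCertificate -Type Custom -DnsName $clientName -KeySpec Signature `
    -Subject "CN=$clientName" -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -Signer $root -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.2')

# 5. Verification: the same check the Certification Path tab shows, done programmatically.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # a test root publishes no CRL
if (-not $chain.Build($client)) {
    throw "Chain build failed: $($chain.ChainStatus.Status -join ', ')"
}
$issuerThumb = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Thumbprint
if ($issuerThumb -ne $root.Thumbprint) { throw 'Child does not chain to the expected root' }

$eku = ($client.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }).EnhancedKeyUsages
if (-not ($eku.Value -contains '1.3.6.1.5.5.7.3.2')) { throw 'Client Authentication EKU missing' }

"Root:   $($root.Subject)  $($root.Thumbprint)"
"Client: $($client.Subject)  $($client.Thumbprint)  issued by $($client.Issuer)"
```

The chain check is the part worth keeping around: a certificate that merely sits in the Personal store with a plausible name is not proof that it was signed by the root you intended, whereas a successful X509Chain build ending at the expected thumbprint is. Revocation checking is disabled only because this test root publishes no CRL; leave it enabled against a real CA.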