Using certreq to create selfsigned certificates

So sometimes you need to create self-signed certificates in windows. Sometimes I have done it using Openssl software, Windows 2012 and later does include Powershell support using New-SelfSignedCertificate. But all versions of Windows does include all the binaries required to do it natively. It is a two part thing, first create the INF file and then run certreq using that file.

It will create and sign the certificate. Im not really sure why it is also asking where to store the CSR (Certificate Signing Request) so I just close that dialog.

A super simple self-signed certificate

It does not get any simpler than this. It will not limit the intended purposes of the certificate and not really good key size. Sure we can make it better by adding some intended purposes and cryptology

A better self-signed certificate

But now and then we need that the certificate need answer for multiple names a so called SAN certificate.

A SAN certificate


Technet – Certreq

Check state of CRL checking.

Okey I had the need to check what values were set for the Software Publishing “State”. This is the registry value where Windows stores if it should do CRL revocation check or say all okey even if the CRL is unavailable. And some other stuff. I found all the values on the MSDN page WintrustGetRegPolicyFlags. So I wrote a small Powershell function to help decode it.

Example of running Get-WintrustGetRegPolicyFlags

And here is the function: [Read more…]