Sometimes you need to create a self-signed certificate on Windows. I have done it with OpenSSL, and Windows Server 2012 and later ship the New-SelfSignedCertificate PowerShell cmdlet, but every supported version of Windows already includes the binary needed to do it natively: certreq. It is a two-step process: first write an INF file that describes the request, then run certreq against that file.

certreq -New -Machine policy.inf

It creates the key pair, signs the certificate and puts it in the machine's Personal store (Cert:\LocalMachine\My); -Machine requires an elevated prompt. certreq then opens a dialog asking where to save the request file. With RequestType = Cert that file simply contains the new self-signed certificate in Base64, which is handy for copying to clients that need to trust it. Pass an output file name as a second argument (certreq -New -Machine policy.inf selfsigned.cer) to avoid the dialog, or just cancel it: the certificate is already in the store either way.

A super simple self-signed certificate

[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=fqdn.of.the.server"
Requesttype = Cert

It does not get any simpler than this. It does not restrict the intended purposes (no Enhanced Key Usage extension), and it leaves the key length and hash algorithm at the provider defaults, which on older Windows versions typically means a 1024-bit RSA key signed with SHA-1. We can make it better by stating the intended purposes and the cryptographic parameters explicitly.

A better self-signed certificate

[Version]
Signature="$Windows NT$"

[Strings]
szOID_ENHANCED_KEY_USAGE = "2.5.29.37"
szOID_PKIX_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
szOID_PKIX_KP_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"

[NewRequest]
Subject = "CN=fqdn.of.the.server"
Requesttype = Cert
KeyLength = 2048
FriendlyName = "Friendly Selfsigned Certificate"
HashAlgorithm = sha256

[Extensions]
%szOID_ENHANCED_KEY_USAGE%="{text}%szOID_PKIX_KP_SERVER_AUTH%,"
_continue_ = "%szOID_PKIX_KP_CLIENT_AUTH%"

Now and then the certificate has to answer for more than one name, a so called SAN (Subject Alternative Name) certificate. Keep in mind that modern browsers and TLS clients validate the host name only against the SAN extension and ignore the CN, so the name in the CN should be repeated as a dns entry.

A SAN certificate

[Version]
Signature="$Windows NT$"

[Strings]
szOID_ENHANCED_KEY_USAGE = "2.5.29.37"
szOID_PKIX_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
szOID_PKIX_KP_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"

[NewRequest]
Subject = "CN=fqdn.of.the.server"
Requesttype = Cert
KeyLength = 2048
FriendlyName = "Friendly Selfsigned Certificate"
HashAlgorithm = sha256

[Extensions]
%szOID_ENHANCED_KEY_USAGE%="{text}%szOID_PKIX_KP_SERVER_AUTH%,"
_continue_ = "%szOID_PKIX_KP_CLIENT_AUTH%"
2.5.29.17 = "{text}"
; repeat the CN here, clients ignore the CN once a SAN extension is present
_continue_ = "dns=fqdn.of.the.server&"
_continue_ = "dns=alternative.fqdn.name&"
_continue_ = "ipaddress=127.0.0.1&"
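The whole procedure above wrapped in PowerShell, as an added example that is not part of the original post: it writes the SAN INF from parameters, runs certreq with an explicit output file so no save dialog appears, then reads the certificate back from Cert:\LocalMachine\My and checks that the key size, signature hash, EKU and SAN came out as requested. It assumes an elevated Windows PowerShell 5.1 (or newer) session; the host names, the IP address and the $WorkDir location are placeholders.

```powershell
# Added example (not from the original post). Assumes an elevated session
# (certreq -Machine needs it); host names and IP below are placeholders.
param(
    [string]   $Fqdn     = 'fqdn.of.the.server',
    [string[]] $SanNames = @('fqdn.of.the.server', 'alternative.fqdn.name'),
    [string[]] $SanIps   = @('127.0.0.1'),
    [string]   $WorkDir  = (Join-Path $env:TEMP 'selfsigned')
)

New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
$infPath = Join-Path $WorkDir 'policy.inf'
$cerPath = Join-Path $WorkDir 'selfsigned.cer'

# One _continue_ line per SAN entry; certreq expects each entry to end with '&'.
$sanLines = @()
$sanLines += $SanNames | ForEach-Object { '_continue_ = "dns={0}&"' -f $_ }
$sanLines += $SanIps   | ForEach-Object { '_continue_ = "ipaddress={0}&"' -f $_ }

# Single-quoted here-string so PowerShell leaves $Windows NT$ and %...% alone.
$inf = @'
[Version]
Signature="$Windows NT$"

[Strings]
szOID_ENHANCED_KEY_USAGE = "2.5.29.37"
szOID_PKIX_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
szOID_PKIX_KP_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"

[NewRequest]
Subject = "CN=__FQDN__"
RequestType = Cert
KeyLength = 2048
FriendlyName = "Friendly Selfsigned Certificate"
HashAlgorithm = sha256

[Extensions]
%szOID_ENHANCED_KEY_USAGE%="{text}%szOID_PKIX_KP_SERVER_AUTH%,"
_continue_ = "%szOID_PKIX_KP_CLIENT_AUTH%"
2.5.29.17 = "{text}"
__SAN__
'@
# .Replace() is a literal replace, so nothing in the values is treated as a regex.
$inf = $inf.Replace('__FQDN__', $Fqdn).Replace('__SAN__', ($sanLines -join "`r`n"))
Set-Content -Path $infPath -Value $inf -Encoding Ascii

# Second positional argument is the output file; with RequestType = Cert it holds
# the Base64 certificate, and naming it here suppresses the save dialog.
& certreq.exe -New -Machine $infPath $cerPath
if ($LASTEXITCODE -ne 0) { throw "certreq failed with exit code $LASTEXITCODE" }

# Pick the newest certificate with our subject from the machine store and verify it.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$Fqdn" } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $cert) { throw "certificate CN=$Fqdn not found in LocalMachine\My" }

$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }

[pscustomobject]@{
    Thumbprint = $cert.Thumbprint
    KeyBits    = $rsa.KeySize                               # expect 2048
    SigAlg     = $cert.SignatureAlgorithm.FriendlyName      # expect sha256RSA
    EKU        = ($cert.EnhancedKeyUsageList.FriendlyName -join ', ')
    SAN        = if ($san) { $san.Format($false) } else { '(missing)' }
    SelfSigned = ($cert.Subject -eq $cert.Issuer)
    CerFile    = $cerPath
}
```

If KeyBits, SigAlg or SAN do not match what the INF asked for, the INF was not parsed the way you intended (a missing closing quote in the Signature line, or a SAN entry without the trailing '&', are the usual culprits), and the certificate should be deleted from the store before trying again.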

Sources