New-SelfSignedCert.ps1

###########################################################################
#.SYNOPSIS
# Demo how to create a self-signed certificate.
#
#.DESCRIPTION
# Create a self-signed certifiate with its private key, then 1) export the
# certificate to a DER-encoded .CER file and 2) export the certificate and
# private key to a PKCS#12 .PFX file with a hard-coded password.  
#
#.NOTES
# The KeyEncipherment key usage and the Enhanced CSP are needed for the 
# password archive script lab using the Update-PasswordArchive.ps1 script,
# but these may be changed, of course, for other purposes. See the help
# for the New-SelfSignedCertificate cmdlet for the other options.  
###########################################################################


# Create a hashtable of parameters and arguments für Das Splat:
$Splat = @{ CertStoreLocation = "Cert:\CurrentUser\My" ; 
            DnsName = "PasswordArchive" ;
            NotAfter = (Get-Date).AddYears(20) ;
            KeyUsage = "KeyEncipherment" ;
            KeyAlgorithm = "RSA" ;
            KeyLength = 4096 ;
            HashAlgorithm = "SHA256" ;
            Provider = "Microsoft Enhanced Cryptographic Provider v1.0" }


# Create self-signed certificate with priv key, which will also import the 
# cert and key into the local profile of the user running this script:
$Cert = New-SelfSignedCertificate @Splat

# Now this new cert can be seen in the Certificates MMC snap-in and also
# in the PowerShell Cert:\CurrentUser\My\ drive.

# Export the certificate only (not priv key) to a CER file:
Export-Certificate -Cert ("Cert:\CurrentUser\My\" + $Cert.Thumbprint) -FilePath .\PublicKeyCert.cer 


# Password to encrypt the exported private key:
$pw = ConvertTo-SecureString -String "P@ssword" -Force -AsPlainText

# Export the certificate and priv key to the PFX file:
Export-PfxCertificate -Cert ("Cert:\CurrentUser\My\" + $Cert.Thumbprint) -FilePath .\PrivateKey.pfx -Password $pw