Powershell – Self-signed Certificate via Self-signed Root CA

The inspiration for this post came from my OpenVPN AWS instance and recent experience testing Server 2016 ADFS.  I wanted to stretch my legs beyond the simple flat certs I used for ADFS and sort of re-create a root CA signing event.  The OpenVPN Access Server was a great platform as it expects a CA bundle, a server certificate, and a server private key – all in .pem format.  I was able to complete the base certificates using powershell but had to leverage openssl eventually to get the .pem formats.  You are running bash on windows, yes?  OK , good.

 

Step 1 – Create the root certificate

$params = @{
  DnsName = "infiniteloop.io Root Cert"
  KeyLength = 2048
  KeyAlgorithm = 'RSA'
  HashAlgorithm = 'SHA256'
  KeyExportPolicy = 'Exportable'
  NotAfter = (Get-Date).AddYears(5)
  CertStoreLocation = 'Cert:\LocalMachine\My'
  KeyUsage = 'CertSign','CRLSign' #fixes invalid cert error
}
$rootCA = New-SelfSignedCertificate @params

Step 2 – Create the server cert signed by the new root

$params = @{
  DnsName = "vpn.infiniteloop.io"
  Signer = $rootCA
  KeyLength = 2048
  KeyAlgorithm = 'RSA'
  HashAlgorithm = 'SHA256'
  KeyExportPolicy = 'Exportable'
  NotAfter = (Get-date).AddYears(2)
  CertStoreLocation = 'Cert:\LocalMachine\My'
}
$vpnCert = New-SelfSignedCertificate @params

Step 3 – Add self-signed root to trusted root certificate store of current windows client

# Extra step needed since self-signed cannot be directly shipped to trusted root CA store
# if you want to silence the cert warnings on other systems you'll need to import the rootCA.crt on them too
Export-Certificate -Cert $rootCA -FilePath "C:\certs\rootCA.crt"
Import-Certificate -CertStoreLocation 'Cert:\LocalMachine\Root' -FilePath "C:\certs\rootCA.crt"

Step 4 – Export server certificate as .pfx

Export-PfxCertificate -Cert $vpnCert -FilePath 'C:\certs\vpn.pfx' -Password (ConvertTo-SecureString -AsPlainText 'securepw' -Force)

Step 5 – Extract server private key from .pfx to convert .crt to .pem

# enter bash session from cmd as admin and cd to directory containing vpn.pfx
cd /mnt/c/certs

# convert root ca certificate to pem format
openssl x509 -inform DER -in rootCA.crt -out rootCA.pem

# export server private key to pem format
openssl pkcs12 -in vpn.pfx -nocerts -nodes -out vpnkey.pem

# convert server certificate to pem format
openssl x509 -inform DER -in vpn.crt -out vpn.pem

Step 6 – Browse to your OpenVPN admin page and login

  1. Configuration > Web Server
  2. CA Bundle > Choose File > rootCA.pem
  3. Certificate > Choose File > vpn.pem
  4. Private Key > Choose File > vpnkey.pem
  5. Select Validate
  6. Click Save
  7. Select Update Running Server
  8. Connection will drop

Step 7 – Re-open IE or Chrome and browse to main OpenVPN web page

  1. No more cert warnings