PowerShell – Self-signed Certificate via Self-signed Root CA


The inspiration for this post came from my OpenVPN AWS instance and recent experience testing Server 2016 ADFS. I wanted to stretch my legs beyond the simple flat certs I used for ADFS and sort of re-create a root CA signing event. The OpenVPN Access Server was a great platform as it expects a CA bundle, a server certificate, and a server private key – all in .pem format. I was able to complete the base certificates using PowerShell but eventually had to leverage openssl to get the .pem formats. You are running bash on Windows, yes? OK, good.


Step 1 – Create the root certificate

Step 2 – Create the server cert signed by the new root

Step 3 – Add self-signed root to trusted root certificate store of current Windows client

Step 4 – Export server certificate as .pfx

Step 5 – Extract server private key from .pfx to convert .crt to .pem
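Steps 1 through 5 as one script. This is an added example, not the post's original commands; the subject names, `vpn.example.com`, the `C:\certs` folder and an `openssl` binary on PATH are assumptions, and the output file names match the ones uploaded in Step 6.

```powershell
# Added example: subject names, DNS name and $dir are assumptions, not from the post.
$dir = 'C:\certs'
New-Item -ItemType Directory -Force -Path $dir | Out-Null

# Step 1: self-signed root CA. Key usage is limited to signing certs/CRLs,
# and the root private key is marked non-exportable so it stays in the store.
$root = New-SelfSignedCertificate -Subject 'CN=Lab Root CA' `
    -CertStoreLocation Cert:\CurrentUser\My `
    -KeyUsage CertSign, CRLSign -KeyUsageProperty Sign `
    -KeyExportPolicy NonExportable `
    -KeyAlgorithm RSA -KeyLength 4096 -HashAlgorithm SHA256 `
    -TextExtension @('2.5.29.19={text}CA=true') -NotAfter (Get-Date).AddYears(10)

# Step 2: server certificate issued by the root via -Signer.
# -DnsName populates the SAN, which browsers check instead of the CN.
$server = New-SelfSignedCertificate -Subject 'CN=vpn.example.com' `
    -DnsName 'vpn.example.com' -Signer $root `
    -CertStoreLocation Cert:\CurrentUser\My -KeyExportPolicy Exportable `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -NotAfter (Get-Date).AddYears(1)

# Step 3: export the root's public certificate (DER) and trust it for this user.
# Windows shows a confirmation dialog when adding to CurrentUser\Root.
Export-Certificate -Cert $root -FilePath "$dir\rootCA.crt" | Out-Null
Import-Certificate -FilePath "$dir\rootCA.crt" -CertStoreLocation Cert:\CurrentUser\Root | Out-Null

# Step 4: export the server certificate (DER) and its key pair (.pfx).
$pfxPass = Read-Host -AsSecureString 'PFX password'
Export-Certificate -Cert $server -FilePath "$dir\vpn.crt" | Out-Null
Export-PfxCertificate -Cert $server -FilePath "$dir\vpn.pfx" -Password $pfxPass | Out-Null

# Step 5: pull the private key out of the .pfx and convert both certs DER -> PEM.
# The password goes through an environment variable, not the command line.
$env:PFX_PASS = [System.Net.NetworkCredential]::new('', $pfxPass).Password
openssl pkcs12 -in "$dir\vpn.pfx" -nocerts -nodes -passin env:PFX_PASS -out "$dir\vpnkey.pem"
Remove-Item Env:\PFX_PASS
openssl x509 -inform der -in "$dir\rootCA.crt" -out "$dir\rootCA.pem"
openssl x509 -inform der -in "$dir\vpn.crt" -out "$dir\vpn.pem"

# Sanity check before uploading: the server cert must chain to the new root.
openssl verify -CAfile "$dir\rootCA.pem" "$dir\vpn.pem"
```

`vpnkey.pem` is written unencrypted (`-nodes`), so restrict access to the folder and delete the key file and the `.pfx` once they are uploaded.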

Step 6 – Browse to your OpenVPN admin page and log in

  1. Configuration > Web Server
  2. CA Bundle > Choose File > rootCA.pem
  3. Certificate > Choose File > vpn.pem
  4. Private Key > Choose File > vpnkey.pem
  5. Select Validate
  6. Click Save
  7. Select Update Running Server
  8. Connection will drop

Step 7 – Re-open IE or Chrome and browse to main OpenVPN web page

  1. No more cert warnings