Reputation: 1832
I'm trying to use New-SelfSignedCertificate in PowerShell to create a certificate on Windows 10, but the command gives me a permissions error. I'm using an Administrator account.
Command:
New-SelfSignedCertificate -Type Custom -Subject "CN=Contoso Software, O=Contoso Corporation, C=US" -KeyUsage DigitalSignature -FriendlyName MyCert -CertStoreLocation "Cert:\LocalMachine\My"
Output:
New-SelfSignedCertificate : CertEnroll::CX509Enrollment::_CreateRequest: Access denied. 0x80090010 (-2146893808 NTE_PERM)
At line:1 char:1
+ New-SelfSignedCertificate -Type Custom -Subject "CN=Contoso Software, ..."
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [New-SelfSignedCertificate], Exception
+ FullyQualifiedErrorId : System.Exception,Microsoft.CertificateServices.Commands.NewSelfSignedCertificateCommand
Upvotes: 23
Views: 28144
Reputation: 66
If you do not want to store the new certificate in any certificate store - which is possible by just omitting parameter -CertStoreLocation, you need elevated rights.
So it comes down to two options:
Cert:\CurrentUser\My
I did expect New-SelfSignedCertificate to work without elevated rights when not using a certificate store at all, but
PS D:\> $cert = New-SelfSignedCertificate -DnsName 'my.value' -KeyAlgorithm 'RSA' -KeyLength 2048 -Subject 'very important'
New-SelfSignedCertificate : CertEnroll::CX509Enrollment::_CreateRequest: Access denied 0x80090010 (-2146893808 NTE_PERM)
Upvotes: 0
Reputation: 12138
Create a certificate for your local user account by specifying a different certificate location:
New-SelfSignedCertificate -CertStoreLocation "Cert:\CurrentUser\My" [...]
Upvotes: 10
Reputation: 10044
As mentioned in the comments, although PowerShell.exe is run under a user account with "Administrative Rights", the process cannot use those rights unless it is elevated.
PowerShell windows will add "Administrator:" in the title bar by default. Otherwise you can check if you are an administrator by running this command:
([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")
When you launch PowerShell from the GUI, you can Right-Click -> Run as Administrator.
Otherwise you can spawn a new process that is elevated by running Start-Process powershell.exe -Verb Runas
Upvotes: 26
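The answers above combine into one guard: check whether the process token is elevated, then either write to Cert:\LocalMachine\My or fall back to Cert:\CurrentUser\My. The following is an added example, not code from any poster in this thread; the function name New-CodeSigningTestCert and its -RequireMachineStore switch are hypothetical.

```powershell
# Added example; function and parameter names are hypothetical.
function New-CodeSigningTestCert {
    [CmdletBinding()]
    param(
        [string]$Subject = 'CN=Contoso Software, O=Contoso Corporation, C=US',
        [string]$FriendlyName = 'MyCert',
        [switch]$RequireMachineStore   # fail instead of falling back to the user store
    )

    # Same check as in the answer above. Under UAC this is true only when the
    # process token is elevated, not merely when the account is in Administrators.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    $elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    if ($elevated) {
        $store = 'Cert:\LocalMachine\My'
    }
    elseif ($RequireMachineStore) {
        throw 'Not elevated: relaunch with Start-Process powershell.exe -Verb RunAs to use Cert:\LocalMachine\My.'
    }
    else {
        # Per-user store, as suggested in the answers; no elevation needed.
        $store = 'Cert:\CurrentUser\My'
        Write-Warning "Process is not elevated; using $store instead of Cert:\LocalMachine\My."
    }

    try {
        New-SelfSignedCertificate -Type Custom -Subject $Subject `
            -KeyUsage DigitalSignature -FriendlyName $FriendlyName `
            -CertStoreLocation $store -ErrorAction Stop
    }
    catch {
        # 0x80090010 is NTE_PERM, the error shown in the question.
        if ($_.Exception.Message -match '0x80090010') {
            throw "Access denied (NTE_PERM) writing to $store. Elevated: $elevated."
        }
        throw
    }
}

$cert = New-CodeSigningTestCert
$cert | Select-Object Subject, Thumbprint, PSParentPath
```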