user20682592

How to create a self-signed certificate using PRINTABLE_STRING, IA5STRING or BMPSTRING as certificate fields?

I need to know how I can make sure the certificate fields of my self-signed certificate, like the subject common name and issuer common name, are encoded as PRINTABLE_STRING, IA5STRING or BMPSTRING, and not as UTF-8.

I'm trying to create it using a PowerShell cmdlet.

I'm trying to create a self-signed certificate that conforms to these rules.

These are the parameters I found that I think comply with those rules.

New-SelfSignedCertificate -DnsName 'wdac' -CertStoreLocation Cert:\CurrentUser\My\ -Type Codesigning -HashAlgorithm "SHA512" -KeyLength 4096 -KeyAlgorithm RSA

Upvotes: 1

Views: 811

Answers (1)

SpyNet

Reputation: 679

You can easily do this using Windows Server (it's free for 180 days and you only need it for 30 mins or less). You can grab the latest Windows Server, install it on a Hyper-V VM, create your code signing certificate, and set its expiration date to 50 or 100 years so you won't need to repeat this process again.

The certificate generated using the template in the Enterprise CA role in Windows Server has the correct encoding for the subject and works perfectly with WDAC.

Here is my guide:

https://github.com/HotCakeX/Harden-Windows-Security/wiki/How-to-Create-and-Deploy-a-Signed-WDAC-Policy-Windows-Defender-Application-Control

Alternatively, you can just use the app I built (free, open-source) that automates everything related to WDAC/App Control for you: https://github.com/HotCakeX/Harden-Windows-Security/wiki/AppControl-Manager

Upvotes: 0
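
Whichever way the certificate is produced, the encoding the question asks about can be checked by reading the ASN.1 tag of each attribute value in the DER-encoded subject and issuer names. The following is an added example, not code from the question or the answer; the function names `Read-DerHeader` and `Get-NameStringEncoding` are hypothetical, and the two sample byte arrays are constructed encodings of `CN=wdac`.

```powershell
# ASN.1 universal tags for the string types named in the question.
$StringTags = @{ 0x0C = 'UTF8String'; 0x13 = 'PrintableString'; 0x14 = 'TeletexString'
                 0x16 = 'IA5String';  0x1E = 'BMPString' }
# DER bytes of a few common attribute OIDs (2.5.4.3, .6, .10, .11).
$AttrNames  = @{ '55-04-03' = 'CN'; '55-04-06' = 'C'; '55-04-0A' = 'O'; '55-04-0B' = 'OU' }

function Read-DerHeader {
    param([byte[]]$Data, [int]$Offset)
    $len = [int]$Data[$Offset + 1]
    $hdr = 2
    if ($len -band 0x80) {                     # long form: low 7 bits = count of length bytes
        $n = $len -band 0x7F
        $len = 0
        for ($i = 0; $i -lt $n; $i++) { $len = ($len -shl 8) -bor $Data[$Offset + 2 + $i] }
        $hdr = 2 + $n
    }
    [pscustomobject]@{ Tag = $Data[$Offset]; Start = $Offset + $hdr; End = $Offset + $hdr + $len }
}

function Get-NameStringEncoding {
    param([byte[]]$RawName)
    $name = Read-DerHeader $RawName 0                      # Name ::= SEQUENCE OF RDN
    $p = $name.Start
    while ($p -lt $name.End) {
        $rdn = Read-DerHeader $RawName $p                  # RDN ::= SET OF AttributeTypeAndValue
        $q = $rdn.Start
        while ($q -lt $rdn.End) {
            $atv = Read-DerHeader $RawName $q              # SEQUENCE { type OID, value }
            $oid = Read-DerHeader $RawName $atv.Start
            $val = Read-DerHeader $RawName $oid.End
            $hex = [BitConverter]::ToString($RawName, $oid.Start, $oid.End - $oid.Start)
            $tag = [int]$val.Tag
            # BMPString is UTF-16BE; the other listed types decode as UTF-8/ASCII.
            $enc = if ($tag -eq 0x1E) { [Text.Encoding]::BigEndianUnicode } else { [Text.Encoding]::UTF8 }
            [pscustomobject]@{
                Attribute = if ($AttrNames.ContainsKey($hex)) { $AttrNames[$hex] } else { $hex }
                Encoding  = if ($StringTags.ContainsKey($tag)) { $StringTags[$tag] } else { 'tag 0x{0:X2}' -f $tag }
                Value     = $enc.GetString($RawName, $val.Start, $val.End - $val.Start)
            }
            $q = $atv.End
        }
        $p = $rdn.End
    }
}

# Constructed samples: the same name, differing only in the value's tag byte.
[byte[]]$printable = 0x30,0x0F,0x31,0x0D,0x30,0x0B,0x06,0x03,0x55,0x04,0x03,0x13,0x04,0x77,0x64,0x61,0x63
[byte[]]$utf8      = 0x30,0x0F,0x31,0x0D,0x30,0x0B,0x06,0x03,0x55,0x04,0x03,0x0C,0x04,0x77,0x64,0x61,0x63
Get-NameStringEncoding $printable    # Encoding column: PrintableString
Get-NameStringEncoding $utf8         # Encoding column: UTF8String
```

For a certificate in the store, pass `$cert.SubjectName.RawData` and `$cert.IssuerName.RawData`, where `$cert` is the object returned by `Get-ChildItem Cert:\CurrentUser\My`.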
