Hi all
I am working on creating a few certificates using New-SelfSignedCertificate cmdlet for a test lab. The first certificate is my root. The second certificate is the subordinate. What I want to do is be able to sign other certificates using the subordinate certificate. I have no issues creating the subordinate certificate from the root certificate. When I try and sign a new certificate from the subordinate, I don’t get any error from PowerShell but the resulting certificate has this error
‘This certificate is not valid because one of the certificate authorities in the certification path does not appear to be allowed to issue certificates or this certificate cannot be used as an end-entity certificate.’
Under the Certification Path tab the subordinate certificate says this
‘This certification authority is not allowed to issue certificates or cannot be used as an end-entity certificate.’
The commands I am using are
For root
$Cert= New-SelfSignedCertificate -KeyUsage KeyEncipherment, DataEncipherment, CertSign -HashAlgorithm SHA256 -KeyUsageProperty All -KeyLength 4096 -TextExtension @("2.5.29.19 ={text}CA:true") -FriendlyName "testRoot" -Subject "testRoot" -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -certstorelocation cert:\localmachine\My -dnsname "mydomain.com"
I manually copy this cert to Cert:\localmachine\root
For subordinate
$SubCert=New-SelfSignedCertificate -KeyUsage KeyEncipherment, DataEncipherment, CertSign -KeyUsageProperty All -HashAlgorithm SHA256 -Subject "testSubordinate" -KeyLength 4096 -Signer $Cert -FriendlyName "SubCA-01" -certstorelocation cert:\localmachine\my -dnsname "mydomain.com"
Any other certificate I try and create I use this
$NewCert= New-SelfSignedCertificate -KeyUsage KeyEncipherment, DataEncipherment -KeyUsageProperty All -HashAlgorithm SHA256 -Subject "Win10E-VM02" -KeyLength $KeyLength -Signer $SubCert -FriendlyName "SubCA-01" -certstorelocation cert:\localmachine\my -dnsname "mydomain.com"
If I try and modify the -TextExtension PowerShell gives an error that the parameter is incorrect.
Any help would be appreciated
Thanks
Tim
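
Added example, not part of the original post and not the poster's code: a PowerShell check for the two properties X.509 path validation requires of an issuing certificate, namely Basic Constraints (OID 2.5.29.19) with CA set to true and, when a Key Usage extension is present, the keyCertSign bit. The names Test-CanIssueCertificates and New-SampleCert and the in-memory sample certificates are constructed for illustration; it assumes Windows PowerShell 5.1 on .NET Framework 4.7.2 or later, or PowerShell 7.

```powershell
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

# Hypothetical helper (added example): reports whether a certificate may act as an issuer.
function Test-CanIssueCertificates {
    param([Parameter(Mandatory)][X509Certificate2]$Certificate)

    # Look the extensions up by OID, then decode them into their typed forms.
    $rawBc = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.19' } | Select-Object -First 1
    $rawKu = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.15' } | Select-Object -First 1
    $bc = if ($rawBc) { [X509BasicConstraintsExtension]::new($rawBc, $rawBc.Critical) }
    $ku = if ($rawKu) { [X509KeyUsageExtension]::new($rawKu, $rawKu.Critical) }

    # An issuer needs CA=true; if Key Usage is present it must include keyCertSign.
    $isCa    = [bool]($bc -and $bc.CertificateAuthority)
    $canSign = (-not $ku) -or $ku.KeyUsages.HasFlag([X509KeyUsageFlags]::KeyCertSign)

    [pscustomobject]@{
        Subject          = $Certificate.Subject
        BasicConstraints = if ($bc) { "CA=$($bc.CertificateAuthority)" } else { 'absent' }
        KeyUsage         = if ($ku) { $ku.KeyUsages.ToString() } else { 'absent' }
        CanIssue         = $isCa -and $canSign
    }
}

# Constructed in-memory sample certificate; nothing is written to a certificate store.
function New-SampleCert([string]$Name, [bool]$WithCaConstraint) {
    $rsa = [RSA]::Create(2048)
    $req = [CertificateRequest]::new("CN=$Name", $rsa,
        [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
    # Both samples carry keyCertSign, as both CA commands in the post request CertSign.
    $req.CertificateExtensions.Add(
        [X509KeyUsageExtension]::new([X509KeyUsageFlags]::KeyCertSign, $true))
    if ($WithCaConstraint) {
        # Basic Constraints: CA=true, no path length limit, marked critical.
        $req.CertificateExtensions.Add(
            [X509BasicConstraintsExtension]::new($true, $false, 0, $true))
    }
    $req.CreateSelfSigned([DateTimeOffset]::UtcNow, [DateTimeOffset]::UtcNow.AddDays(1))
}

# Same key usage on both; only the presence of 2.5.29.19 differs.
Test-CanIssueCertificates (New-SampleCert 'constructed-with-basic-constraints' $true)
Test-CanIssueCertificates (New-SampleCert 'constructed-without-basic-constraints' $false)

# Against the lab certificates from the post, pass the variables directly:
#   Test-CanIssueCertificates $Cert
#   Test-CanIssueCertificates $SubCert
```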