I am trying to make a self-signed certificate without the prompt; c:\Program Files (x86)\Microsoft Office\root\Office16\selfcert.exe does prompt for a name …. I am using the PowerShell cmdlet New-SelfSignedCertificate, but looking at the extensions, the result seems to be missing the Authority Key Identifier?
As to the AKI, I’ve never come across a reason to use it with self-signed certs, but in a PKI root cert, sure.
There is nothing native in PS to add this. For a self-signed certificate, the Authority Key Identifier will either be absent or have the same value as the Subject Key Identifier.
Both of the MS self-signed certificate tools, selfcert and makecert, leave out the AKI, by design. Yet, since the AKI’s purpose, as per …
https://www.alvestrand.no/objectid/2.5.29.35.html
…is to identify “the public key to be used to verify the signature on this certificate”. That is: it should basically be the issuer’s public key. The Authority Key Identifier provides the information to correctly bind the CRL issuer certificate among candidates, together with the CRL Number and Issuing Distribution Point extensions. Of course there is no CRL/DP for a self-signed cert.
Even the RFC says…
RFC 3280 states in section 4.2.1.1 (emphasis mine):
https://tools.ietf.org/html/rfc3280#section-4.2.1.1
The keyIdentifier field of the authorityKeyIdentifier extension MUST be included in all certificates generated by conforming CAs to facilitate certification path construction.
There is one exception; where a CA distributes its public key in the form of a “self-signed” certificate, the authority key identifier MAY be omitted.
The signature on a self-signed certificate is generated with the private key associated with the certificate’s subject public key.
(This proves that the issuer possesses both the public and private keys.) In this case, the subject and authority key identifiers would be identical, but only the subject key identifier is needed for certification path building.
Are you saying you created your own local CA, and this is part of this use case?
What I want, in fact, is to have the possibility to generate a self-signed certificate the same way selfcert.exe does, but without the interactive popup prompting for a name … so I will be able to automate the process … I noticed, when using the cmdlet New-SelfSignedCertificate and comparing its output with the resulting output of selfcert.exe, that in the case of New-SelfSignedCertificate the Authority Key Identifier extension seems to be missing … Hence my question.
You are going to get prompted with those tools, by design.
You have to do additional UI automation to deal with that dialog, i.e. SendKeys (which is kind of hacky, but does have its place) or other GUI tools (Selenium, UIAutomation, WASP, AutoIT, etc.), while trapping the handle to the dialog prompt.
Again, as for adding the AKI, you cannot do that with any of those tools.
As I and kvprasoon have been saying, you need to use OpenSSL to do that.
I have the links to all that in my first response.
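An added example, not code from any post in this thread: a PowerShell script that does the non-interactive part of what the original poster asked for (a code-signing certificate created by New-SelfSignedCertificate with no dialog, the same kind of certificate selfcert.exe makes for VBA projects) and then dumps the certificate's extensions so the Subject Key Identifier / Authority Key Identifier situation discussed above can be checked directly. The subject name, store location and validity period are assumptions; it needs Windows PowerShell 5.1 or later on Windows with the PKI module, and it writes a certificate into the current user's personal store.

```powershell
# Added example, not code from the thread. Creates a code-signing certificate
# without any dialog (the job selfcert.exe does interactively) and reports
# which key-identifier extensions the result carries.
# Assumptions: Windows PowerShell 5.1+ with the PKI module; the subject name,
# store and validity below are placeholders.

$subject  = 'CN=VBA Project Signing (example)'   # assumed name
$store    = 'Cert:\CurrentUser\My'               # assumed store
$validFor = 5                                    # years, assumed

$cert = New-SelfSignedCertificate `
    -Subject $subject `
    -Type CodeSigningCert `
    -KeyAlgorithm RSA -KeyLength 2048 `
    -HashAlgorithm SHA256 `
    -KeyExportPolicy Exportable `
    -CertStoreLocation $store `
    -NotAfter (Get-Date).AddYears($validFor)

# Extension OIDs relevant to the question (RFC 3280 section numbers in comments).
$skiOid = '2.5.29.14'   # Subject Key Identifier,   4.2.1.2
$akiOid = '2.5.29.35'   # Authority Key Identifier, 4.2.1.1

function Get-Extension {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$Oid
    )
    $Cert.Extensions | Where-Object { $_.Oid.Value -eq $Oid }
}

"Thumbprint : $($cert.Thumbprint)"
"Subject    : $($cert.Subject)"
"Issuer     : $($cert.Issuer)"
"Self-signed: $($cert.Subject -eq $cert.Issuer)"
''
'Extensions:'
foreach ($ext in $cert.Extensions) {
    '  {0,-30} {1,-12} critical={2,-5} {3}' -f $ext.Oid.FriendlyName,
        $ext.Oid.Value, $ext.Critical, $ext.Format($false)
}
''
$ski = Get-Extension -Cert $cert -Oid $skiOid
$aki = Get-Extension -Cert $cert -Oid $akiOid
"SKI present: $([bool]$ski)"
"AKI present: $([bool]$aki)   (absent is permitted for a self-signed certificate)"

# If an AKI were present on a self-signed certificate, its keyIdentifier
# would have to equal the SKI (RFC 3280 4.2.1.1); show both for comparison.
if ($ski -and $aki) {
    $typedSki = [System.Security.Cryptography.X509Certificates.X509SubjectKeyIdentifierExtension]::new($ski, $false)
    "SKI value : $($typedSki.SubjectKeyIdentifier)"
    "AKI text  : $($aki.Format($false))"
}

# Path building against the certificate's own key succeeds without an AKI:
# the verifier only needs the subject public key. Root trust is deliberately
# ignored here because nothing has been placed in Trusted Root.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode    = 'NoCheck'
$chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
"Chain builds (root trust ignored): $($chain.Build($cert))"
```

Run it in a normal user session; no elevation is needed for Cert:\CurrentUser\My and nothing prompts. The extension listing should show a Subject Key Identifier but no Authority Key Identifier, which is exactly the difference the original poster noticed against selfcert.exe output, and the chain still builds because, as the RFC passage quoted earlier says, only the subject key identifier is needed for path building on a self-signed certificate. If some consumer nevertheless insists on an AKI, the advice in this thread stands: generate the certificate with OpenSSL, putting `authorityKeyIdentifier = keyid,issuer` in the extension section of the config used by `openssl req -x509`, and import the resulting PFX with Import-PfxCertificate.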