Use Windows PowerShell to Prepare Certificates
About this task
To create a self-signed certificate using Windows PowerShell, refer to the following steps:
Note: The steps below are based on running Windows PowerShell on a machine with the Windows 10 or Windows 11 operating system.
Procedure
- Right-click Windows PowerShell on the machine, and select Run as administrator from the drop-down list.
- Refer to the following example to use the New-SelfSignedCertificate cmdlet to generate certificate files.
    $cert = New-SelfSignedCertificate -Subject CN=IBMCustomApp -CertStoreLocation 'Cert:\CurrentUser\My'
  Press Enter on the keyboard.
  Note: If you want to customize the parameters in the command, refer to the information below.
  - Subject – This parameter specifies the subject of the certificate. It typically includes the Common Name (CN) which identifies the entity the certificate is issued to.
  - CertStoreLocation – This parameter specifies the certificate store in which to store the new certificate. You can choose between user-specific or machine-wide stores. For example, -CertStoreLocation 'Cert:\CurrentUser\My' for the current user or -CertStoreLocation 'Cert:\LocalMachine\My' for the local machine.
  - NotAfter – This parameter sets the expiration date of the certificate. The Get-Date cmdlet retrieves the current date and time, and AddMonths(24) adds 24 months to it, meaning the certificate will be valid for two years from the date of creation. If necessary, you can change the number of months passed to AddMonths.
- Export the .crt (or .cer) file by entering the following command:
    Export-Certificate -Cert $cert -FilePath IBMCustomApp.crt
  Note the following:
  - If you want to export a .cer file, replace the .crt with .cer in the cmdlet example above.
  - In this command, the file will be saved to the current working directory of the PowerShell session. If you want to specify a different directory, provide the full path by referring to the cmdlet example below:
      Export-Certificate -Cert $cert -FilePath "C:\Temp\IBMCustomApp.crt"
- Export the .pfx file with a password by entering the following command:
    Export-PfxCertificate -Password $(Read-Host -AsSecureString -Prompt "Enter a password to protect the certificate") -Cert $cert -FilePath IBMCustomApp.pfx
  Press Enter on the keyboard.
After completing the steps above, you will get two certificate files:
- The .cer file must be uploaded for the custom app in Microsoft Entra ID. For additional details on uploading the certificate, refer to Create a Custom Azure App.
- The .pfx file must be uploaded to IBM® Storage Protect for Cloud to consent to the app. For additional details, refer to Consent to Custom Apps or Re-authorize an App Profile.
If you want to remove the certificate files, enter the following command and press Enter on the keyboard:
    Remove-Item "Cert:\CurrentUser\My\$($cert.Thumbprint)"
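The procedure above as a single script, added here as an example (it is not part of the original documentation): it sets the key parameters and the NotAfter lifetime explicitly, then checks that both exported files carry the same thumbprint as the certificate in the store. The C:\Temp output folder, the key settings and the $removeFromStore switch are assumptions.

```powershell
# Added example, not IBM's or Microsoft's own script.
# Assumptions: C:\Temp exists; key settings and $removeFromStore are illustrative.
$ErrorActionPreference = 'Stop'
$outDir          = 'C:\Temp'
$removeFromStore = $false   # hypothetical switch: set to $true to run the cleanup step

# 1. Create the certificate with an explicit key type, hash and two-year lifetime.
$cert = New-SelfSignedCertificate -Subject 'CN=IBMCustomApp' `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -KeyExportPolicy Exportable -KeySpec Signature `
    -NotAfter (Get-Date).AddMonths(24)

# 2. Export the public certificate (.cer) and the password-protected .pfx.
$cerPath     = Join-Path $outDir 'IBMCustomApp.cer'
$pfxPath     = Join-Path $outDir 'IBMCustomApp.pfx'
$pfxPassword = Read-Host -AsSecureString -Prompt 'Enter a password to protect the certificate'
Export-Certificate    -Cert $cert -FilePath $cerPath | Out-Null
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword | Out-Null

# 3. Re-read both files and confirm they describe the certificate just created.
$cerCert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($cerPath)
$pfxCert = (Get-PfxData -FilePath $pfxPath -Password $pfxPassword).EndEntityCertificates[0]
if ($cerCert.Thumbprint -ne $cert.Thumbprint -or $pfxCert.Thumbprint -ne $cert.Thumbprint) {
    throw 'Exported files do not match the certificate in the store.'
}
# The .cer is the public half only; it must never carry the private key.
if ($cerCert.HasPrivateKey) { throw 'The .cer file unexpectedly contains a private key.' }

# 4. Report what was produced so the thumbprint can be compared after upload.
[pscustomobject]@{
    Thumbprint = $cert.Thumbprint
    NotAfter   = $cert.NotAfter
    CerFile    = $cerPath
    PfxFile    = $pfxPath
}

# 5. Optional cleanup: removes the certificate from the CurrentUser\My store.
#    The exported .cer and .pfx files on disk are not affected by this command.
if ($removeFromStore) {
    Remove-Item "Cert:\CurrentUser\My\$($cert.Thumbprint)"
}
```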