There are cases, such as demos or proof-of-concept testing, where you may need to use a self-signed certificate with our SPAS system. Here is an example script that creates one.
We do not recommend self-signed certificates for production use. Be that as it may, there are times when one has to be used, and the script below is an easy way to create it.
Launch PowerShell or the PowerShell ISE as an administrator.
If using the ISE, paste the following into the script pane:
#Begin Script
# Define certificate parameters: the SAN host names of the SPAS sites,
# a friendly name so the certificate is easy to find in the store, and the store path.
$dnsNames = @("mfa.yourco.com", "api.yourco.com", "saml2.yourco.com")
$certFriendlyName = "yourco.com Self-Signed"
$certStoreLocation = "Cert:\LocalMachine\My"

# Generate the self-signed certificate with SANs. The first DNS name becomes the
# Subject CN; every name in $dnsNames is placed in the Subject Alternative Name
# extension. The certificate (with its private key) is written to the Local Machine
# Personal store, which is where IIS looks for binding certificates.
# -NotAfter sets the expiry (one year here); -KeyLength/-KeyAlgorithm/-HashAlgorithm
# select a 2048-bit RSA key signed with SHA-256.
$cert = New-SelfSignedCertificate `
    -DnsName $dnsNames `
    -CertStoreLocation $certStoreLocation `
    -FriendlyName $certFriendlyName `
    -NotAfter (Get-Date).AddYears(1) `
    -KeyLength 2048 `
    -KeyAlgorithm RSA `
    -HashAlgorithm SHA256

# Print the thumbprint; you will need it to pick the certificate in IIS Manager.
Write-Host "✅ Certificate created successfully."
Write-Host "Thumbprint: $($cert.Thumbprint)"
#End script
Adjust the above to match your requirements. The DNS names list should include the three main SPAS sites (api, mfa, and saml2), matching whatever DNS names you intend to use.
The AddYears(1) value can be raised to give a longer expiry if that is allowed or desired in your environment, based on security posture, policy, etc.
You can also copy the script into a .ps1 file and run it from the PowerShell command prompt. You may need to set the PowerShell execution policy to RemoteSigned before it will run.
Once the certificate has been created and stored in the certificate store, use IIS Manager to edit the bindings for the SPAS sites and change the certificate setting to this new self-signed certificate.
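Before changing the IIS bindings, it is worth confirming that the certificate in the store is the one you expect. The following script is an added example, not part of the original article or the SPAS product: given the thumbprint printed by the creation script, it checks that the certificate exists in Cert:\LocalMachine\My with its private key, reads the SAN DNS names, reports the days left before expiry, and flags it as self-signed (Subject equals Issuer). The host names, the -MinDaysRemaining threshold, and the hypothetical $SiteBindings map of host name to IIS site name are placeholders to adjust; the optional -BindToIis section uses the IISAdministration module as an alternative to editing the bindings in IIS Manager.

```powershell
# Added verification example; not part of the original SPAS article.
# Assumes the certificate was created by the script above in Cert:\LocalMachine\My.
# Run as an administrator, e.g.:
#   .\Test-SpasCertificate.ps1 -Thumbprint "<THUMBPRINT FROM SCRIPT OUTPUT>"
param(
    [Parameter(Mandatory = $true)]
    [string]$Thumbprint,

    # Host names the certificate must cover (placeholders; match your SPAS sites).
    [string[]]$ExpectedDnsNames = @("mfa.yourco.com", "api.yourco.com", "saml2.yourco.com"),

    [string]$CertStoreLocation = "Cert:\LocalMachine\My",

    # Warn when fewer than this many days remain before NotAfter.
    [int]$MinDaysRemaining = 30,

    # Optional: create the IIS bindings here instead of in IIS Manager.
    [switch]$BindToIis,

    # Hypothetical host name -> IIS site name map; replace with your real site names.
    [hashtable]$SiteBindings = @{
        "mfa.yourco.com"   = "SPAS MFA"
        "api.yourco.com"   = "SPAS API"
        "saml2.yourco.com" = "SPAS SAML2"
    }
)

$ErrorActionPreference = "Stop"

# Locate the certificate by thumbprint (strip spaces, compare upper-case).
$normalized = ($Thumbprint -replace "\s", "").ToUpperInvariant()
$cert = Get-ChildItem -Path $CertStoreLocation | Where-Object { $_.Thumbprint -eq $normalized }
if (-not $cert) {
    throw "No certificate with thumbprint $normalized was found in $CertStoreLocation."
}

# IIS needs the private key; a certificate imported from a .cer file alone will not bind.
if (-not $cert.HasPrivateKey) {
    throw "Certificate $normalized has no private key in this store."
}

# A self-signed certificate has identical Subject and Issuer. Report it so the
# binding is not mistaken for a CA-issued one during a later review.
$isSelfSigned = ($cert.Subject -eq $cert.Issuer)

# DnsNameList is added by PowerShell's Cert: provider and exposes the SAN DNS entries.
$sanNames = @($cert.DnsNameList | ForEach-Object { $_.Unicode })

$missing = @($ExpectedDnsNames | Where-Object { $sanNames -notcontains $_ })
$daysRemaining = [int][math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)

[pscustomobject]@{
    Thumbprint    = $cert.Thumbprint
    Subject       = $cert.Subject
    SelfSigned    = $isSelfSigned
    SanDnsNames   = ($sanNames -join ", ")
    MissingNames  = ($missing -join ", ")
    NotAfter      = $cert.NotAfter
    DaysRemaining = $daysRemaining
    Signature     = $cert.SignatureAlgorithm.FriendlyName
} | Format-List

if ($missing.Count -gt 0) {
    throw "Certificate does not cover: $($missing -join ', '). Re-run the creation script with the full -DnsName list."
}
if ($daysRemaining -lt $MinDaysRemaining) {
    Write-Warning "Certificate expires in $daysRemaining day(s); plan its replacement before then."
}
if ($isSelfSigned) {
    Write-Warning "Certificate is self-signed; clients will not trust it unless its public certificate is installed in their trusted store. Not for production use."
}

if ($BindToIis) {
    Import-Module IISAdministration
    foreach ($hostName in $ExpectedDnsNames) {
        $siteName = $SiteBindings[$hostName]
        if (-not $siteName) {
            Write-Warning "No IIS site mapped for $hostName; skipping."
            continue
        }
        # One SNI binding per host name on port 443, using this certificate.
        New-IISSiteBinding -Name $siteName `
            -BindingInformation "*:443:$hostName" `
            -Protocol https `
            -CertificateThumbPrint $cert.Thumbprint `
            -CertStoreLocation $CertStoreLocation `
            -SslFlag Sni
        Write-Host "Bound $hostName on site '$siteName' to $($cert.Thumbprint)."
    }
}
```

The script throws on a missing certificate, a missing private key, or a host name absent from the SAN list, so it can be run again after each re-issue to confirm nothing was dropped; the expiry and self-signed warnings are informational and match the one-year, non-production expectations set out above.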