Skip to content
English
Sign in
Customer Portal
  • There are no suggestions because the search field is empty.

Creating a self-signed cert for use with the SPAS

There are cases such as demos or Proof of Concept/Testing where you may need to use a self-signed certificate with our SPAS system. Here is an example script that can be used to create a self-signed certificate.

We do not recommend using self-signed certificates for production use.  Be that as it may, there are times when one has to be used and here is an easy script you can use to create one.

Launch PowerShell as administrator and/or ISE as an admin.

If using ISE, put this into the script pane:

# Define certificate parameters
$dnsNames = @("mfa.yourco.com", "api.yourco.com", "saml2.yourco.com")
$certFriendlyName = "SPASxxx - Multi-SAN (mfa/api/saml2)"
$certStoreLocation = "Cert:\LocalMachine\My"

# Optional: define subject name explicitly (otherwise first DNS name becomes CN)
$subject = "CN=mfa.yourco.com"

try {
    # Generate the self-signed certificate with SANs
    $cert = New-SelfSignedCertificate `
        -DnsName $dnsNames `
        -Subject $subject `
        -CertStoreLocation $certStoreLocation `
        -FriendlyName $certFriendlyName `
        -NotAfter (Get-Date).AddYears(5) `
        -KeyLength 3072 `
        -KeyAlgorithm RSA `
        -HashAlgorithm SHA256 `
        -KeyExportPolicy Exportable `
        -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" `
        -Type SSLServerAuthentication `
        -ErrorAction Stop

    Write-Host "✅ Certificate created successfully." -ForegroundColor Green
    Write-Host "Thumbprint : $($cert.Thumbprint)"
    Write-Host "Subject    : $($cert.Subject)"
    Write-Host "Not After  : $($cert.NotAfter)"
    Write-Host "DNS Names  : $($cert.DnsNameList -join ', ')"
    Write-Host ""
    Write-Host "You can now bind this certificate in IIS, Azure AD, ADFS, SAML SP, etc."
    Write-Host "Remember to trust/export it where clients need to trust the issuer."
}
catch {
    Write-Host "Error creating certificate:" -ForegroundColor Red
    Write-Host $_.Exception.Message
}

Adjust the above  to match your requirements.  The DNS names section should include the 3 main SPAS sites (api,mfa, and saml2) depending on what DNS names you intend to use.

The "AddYears(1)" parameter can be adjusted up to reflect a longer expiry if that is allowed or desired in your environment, based on security posture, policy, etc.

You can copy the settings into a .ps1 file and execute it from the PowerShell command prompt.  You may need to allow remote signed scripts to be able to run it

Once the script is created and stored in the certificate store, you can then use IIS Manager to edit the bindings for the SPAS sites and change the certificate setting to this new, self-signed certificate.