New-SelfSignedCertificate to create certificate gives Access Denied
I'm trying to use New-SelfSignedCertificate in PowerShell to create a certificate on Windows 10, but the command gives me a permissions error. I'm using an Administrator account.
Command:
New-SelfSignedCertificate -Type Custom -Subject "CN=Contoso Software, O=Contoso Corporation, C=US" -KeyUsage DigitalSignature -FriendlyName MyCert -CertStoreLocation "Cert:\LocalMachine\My"
Output:
New-SelfSignedCertificate : CertEnroll::CX509Enrollment::_CreateRequest: Access denied. 0x80090010 (-2146893808 NTE_PERM)
At line:1 char:1
+ New-SelfSignedCertificate -Type Custom -Subject "CN=Contoso Software, ..."
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [New-SelfSignedCertificate], Exception
+ FullyQualifiedErrorId : System.Exception,Microsoft.CertificateServices.Commands.NewSelfSignedCertificateCommand
wildabeast2 Answers
As mentioned in the comments, although PowerShell.exe is run under a user account with "Administrative Rights". The process cannot use those rights unless it is elevated.
PowerShell windows will add "Administrator:" in the title bar by default. Otherwise you can check if you an administrator by running this command:
([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")
When you launch PowerShell if done by GUI, you can Right-Click -> Run as Administrator.
Otherwise you can spawn a new process that is elevated by running Start-Process powershell.exe -Verb Runas
BenHCreate a certificate for your local user account by specifying a different certificate location:
New-SelfSignedCertificate -CertStoreLocation "Cert:\CurrentUser\My" [...]
BoukeUser contributions licensed under CC BY-SA 3.0