Development Certificates for Nodinite Testing

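For development and test environments that need HTTPS without a production Certificate Authority (CA), PowerShell's New-SelfSignedCertificate cmdlet can generate a self-signed certificate. The recommended script on this page also imports that certificate into the Trusted Root store, so browsers on the same machine trust it automatically.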

Warning

Self-signed certificates are for development and testing only. Do not use them in production. Browsers show security warnings unless the certificate is manually trusted on each client machine.

Generate Self-Signed Certificate (PowerShell)

Simple Example (Minimal Configuration)

# Localhost certificate (minimal configuration)
New-SelfSignedCertificate `
    -DnsName "localhost" `
    -CertStoreLocation "cert:\LocalMachine\My" `
    -NotAfter (Get-Date).AddYears(2)

Recommended Script

# Configure your DNS name(s)
$dnsNames = @("nodinite.dev.local", "nodinite")

# Create certificate with security best practices
$cert = New-SelfSignedCertificate `
    -DnsName $dnsNames `
    -Subject "CN=$($dnsNames[0])" `
    -FriendlyName "Nodinite Dev SSL ($($dnsNames[0]))" `
    -KeyAlgorithm RSA -KeyLength 2048 `
    -HashAlgorithm SHA256 `
    -KeyExportPolicy Exportable `
    -NotAfter (Get-Date).AddYears(2) `
    -CertStoreLocation "Cert:\LocalMachine\My"

# Display certificate details
$cert | Format-List Subject, DnsNameList, Thumbprint, NotAfter

# Export certificate for backup and trust
New-Item -ItemType Directory -Force -Path "C:\certs" | Out-Null
$pfxPassword = Read-Host -AsSecureString -Prompt "Enter PFX password (for backup)"
# .pfx: certificate plus private key, protected by the password
Export-PfxCertificate -Cert $cert -FilePath "C:\certs\$($dnsNames[0]).pfx" -Password $pfxPassword | Out-Null
# .cer: public certificate only
Export-Certificate -Cert $cert -FilePath "C:\certs\$($dnsNames[0]).cer" | Out-Null
# Trust the certificate on this machine
Import-Certificate -FilePath "C:\certs\$($dnsNames[0]).cer" -CertStoreLocation "Cert:\LocalMachine\Root" | Out-Null

Write-Host "Certificate created successfully!" -ForegroundColor Green
Write-Host "Thumbprint: $($cert.Thumbprint)" -ForegroundColor Cyan
Write-Host "Files created in C:\certs\" -ForegroundColor Yellow

What This Script Does

  1. Creates certificate with SHA-256 (secure), 2048-bit RSA key
  2. Sets Subject Alternative Names (SANs) — Certificate valid for all specified DNS names
  3. Exports to .pfx format — Includes private key, password-protected (for backup/migration)
  4. Exports to .cer format — Public certificate only (for distribution to clients)
  5. Automatically trusts certificate — Imports .cer to Trusted Root Certification Authorities
  6. Displays thumbprint — Copy this for IIS binding and Nodinite Portal configuration

Certificate Storage Locations

  1. Personal Store (cert:\LocalMachine\My) — Used by IIS for HTTPS binding (requires private key)
  2. Trusted Root Certification Authorities (cert:\LocalMachine\Root) — Same certificate copied here so browsers trust it

Important

The recommended PowerShell script above automatically handles both locations. If you used the minimal example, follow the manual trust steps below.

Tip

Nodinite v7: After generating the certificate, copy the thumbprint into the Nodinite Portal under Environment → TLS and re-run the installation script so IIS uses the new certificate.

Trust Self-Signed Certificate (Manual Method)

If you used the minimal certificate example (not the recommended script), manually copy the certificate to Trusted Root:

Option 1: Using PowerShell

# Get the certificate thumbprint (from script output or find it)
$certificateThumbprint = "YOUR_CERTIFICATE_THUMBPRINT_HERE"

# Get certificate from Personal store
$certificate = Get-ChildItem -Path "Cert:\LocalMachine\My\$certificateThumbprint"

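# Export to file (create the target folder first; the export fails if it is missing)
New-Item -ItemType Directory -Force -Path "C:\Temp" | Out-Null
Export-Certificate -Cert $certificate -FilePath "C:\Temp\nodinite-dev.cer"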

# Import to Trusted Root Certification Authorities
Import-Certificate -FilePath "C:\Temp\nodinite-dev.cer" `
    -CertStoreLocation "Cert:\LocalMachine\Root"

Option 2: Using Certificate Manager (GUI)

  1. Press Win+R, type certlm.msc, press Enter
  2. Navigate to Personal → Certificates
  3. Find your certificate (e.g., CN=nodinite.dev.local)
  4. Right-click → Copy
  5. Navigate to Trusted Root Certification Authorities → Certificates
  6. Right-click in the right pane → Paste

Tip

Why copy to Trusted Root? Self-signed certificates act as their own Certificate Authority. Browsers check the Trusted Root store to determine if they should trust a certificate. Without this step, browsers show "Your connection is not private" warnings.
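
To confirm that a certificate ended up in both stores described under Certificate Storage Locations, with the private key, SANs and algorithms the recommended script sets, the following check can be run in an elevated PowerShell session. It is an added example, not part of the original Nodinite script; Test-DevCertificate is a hypothetical helper name, and the friendly-name filter assumes the certificate was created by the recommended script.

```powershell
# Added example: verify a development certificate in the local machine stores.
# Test-DevCertificate is a hypothetical helper, not a built-in cmdlet.
function Test-DevCertificate {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [string[]]$ExpectedDnsNames = @()
    )

    # Thumbprints copied from the certificate GUI can carry spaces or an
    # invisible leading character; keep hex digits only.
    $thumb = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

    $personal = Get-Item -Path "Cert:\LocalMachine\My\$thumb" -ErrorAction SilentlyContinue
    if (-not $personal) {
        throw "No certificate with thumbprint $thumb in Cert:\LocalMachine\My"
    }

    # SAN entries actually present on the certificate
    $sans = @($personal.DnsNameList | ForEach-Object { $_.Unicode })
    $missing = @($ExpectedDnsNames | Where-Object { $_ -notin $sans })

    # Null when the certificate does not use an RSA key
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($personal)

    [pscustomobject]@{
        Thumbprint         = $thumb
        SelfSigned         = ($personal.Subject -eq $personal.Issuer)
        HasPrivateKey      = $personal.HasPrivateKey                     # needed for the IIS HTTPS binding
        InTrustedRoot      = Test-Path "Cert:\LocalMachine\Root\$thumb"  # needed for browser trust
        SignatureAlgorithm = $personal.SignatureAlgorithm.FriendlyName   # expect sha256RSA
        RsaKeyBits         = if ($rsa) { $rsa.KeySize } else { $null }   # expect 2048
        DaysUntilExpiry    = [int]($personal.NotAfter - (Get-Date)).TotalDays
        MissingDnsNames    = $missing
    }
}

# Check every certificate carrying the friendly name the recommended script assigns.
# For a certificate from the minimal example, call Test-DevCertificate with its thumbprint instead.
Get-ChildItem -Path "Cert:\LocalMachine\My" |
    Where-Object { $_.FriendlyName -like "Nodinite Dev SSL*" } |
    ForEach-Object {
        Test-DevCertificate -Thumbprint $_.Thumbprint `
            -ExpectedDnsNames "nodinite.dev.local", "nodinite"
    }
```

A certificate is ready for use when HasPrivateKey and InTrustedRoot are both True and MissingDnsNames is empty.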

Certificate Backup

The .pfx file contains your private key (password-protected). Store it securely — you will need it if you:

  • Rebuild your server
  • Move the certificate to another machine
  • Recover from a disaster

Next Steps