Create X.509 Certificate with Private and Public Key

In this article, we will learn how to generate an X.509 certificate with a private and public key using PowerShell. The X.509 certificate is used for authentication for many scenarios, such as IoT devices or any other type of client-to-server or server-to-client authentication.

In this article we are considering the scenario of an IoT device being authenticated with the help of a generated X.509 certificate.

What is use of X.509 Certificate?

The X.509 certificate helps to identify the device on the IoT Hub using public and private keys stored within the certificate.

Step 1: Copy the PowerShell Script

Copy the following PowerShell script and save it on your PC storage location as GenerateTestCertificate. or whatever name you wish, just make sure you have saved the file with an extension . ps1.

# Copyright (c) Microsoft. All rights reserved.
# Licensed under the MIT license. See LICENSE file in the project root for full license information.

    $deviceName = "iothubx509device1",
    $certificateValidityInYears = 1

$cert = New-SelfSignedCertificate `
    -Type Custom `
    -Subject "CN=$deviceName, O=TEST, C=US" `
    -KeySpec Signature `
    -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 `
    -KeyLength 2048 `
    -TextExtension @("{text}") `
    -CertStoreLocation "Cert:\CurrentUser\My" `
    -NotAfter (Get-Date).AddYears($certificateValidityInYears)

Write-Host "Generated the certificate:"
Write-Host $cert

Write-Host "Enter the PFX password:"
$password = Read-Host -AsSecureString

$cert | Export-PfxCertificate -FilePath certificate.pfx -Password $password
Set-Content -Path certificate.cer -Value ([Convert]::ToBase64String($cert.RawData)) -Encoding Ascii

I have saved the file on my E drive in the Cert folder, which looks like as follows.

Step 2: Open the PowerShell ISE

Now open the PowerShell ISE command prompt in administrative mode as follows.

Make sure it's PowerShell ISE, not just a PowerShell command prompt.

Step 3: Change The Directory

Change the directory location where your generate test certificate PowerShell file is located. In this article, the file is located under the E Drive Cert folder.

In the preceding image, the path is set to the Cert folder using the CD command in which our PowerShell Script file is located.

Step 4: Load GenerateTestCertificate.ps1 File

As shown in the following image, load the GenerateTestCertificate.ps1 file and provide the parameter which is a CA (common name of the certificate), which internally can be used as a DeviceId of the IoT device. Make sure you are following the command syntax exactly as shown in the below image.

Once all the details are given as shown in the image, then press the enter key on your keyboard. It will prompt the following screen. Provide the password for the PFX certificate and remember the password that is required during the provisioning of the device on the IoT Hub.

Once you enter the password, press the enter or OK button as shown in the preceding image. Once the certificates are successfully generated, the following details are shown on the PowerShell command prompt.

There are two certificates created with the preceding procedure that are password-protected PKCS12 formatted file (certificate.pfx) and public key certificate file (certificate.cer).

The created certificates files are stored in the same location as your GenerateTestCertificate.ps1 file. Now navigate to the my E drive cert folder where you will see the created file.

As you see in the preceding image, the X.509 self signed certificates are created that are password-protected PKCS12 formatted file certificate.pfx and public key certificate file certificate.cer.

Both the certificates are required to authenticate the single device that is a public key certificate used to enrol the device on Azure device provisioning service and password protected . Pfx is required to identify the device and provision the device on the IoT Hub.


  • These certificates are only for testing purposes, don’t use for the production. 
  • Please buy the certificates from the respective device certificate authority for production requirement.


I hope from the preceding explanation you have learned how to create the X.509 test certificate. In my next article, we will learn how to enroll an X.509 device on the Azure Device provisioning service and provision the device on the Azure IoT Hub. If you are facing any issue while generating the certificates, then you can use the comment box to ask your queries.

If you are new to the IoT, then you can read my previous articles using the following links to learn more about the IoT.

Post a Comment

Protected by Copyscape
Copyright © Compilemode