Powershell introduced a new cmdlet New-SelfSignedCertificate, which can be used to create self-signed SSL certificates for testing and development purposes.

The PS command below creates a new self-signed SSL certificate

New-SelfSignedCertificate -DnsName "example.cloudapp.net" -CertStoreLocation "cert:\LocalMachine\My"


This self-signed SSL certificate can then be exported out as a .pfx file, using the PS command below

$pass = Convert-ToSecureString -String "password" -Force -AsPlainText
Export-PfxCertificate -Cert Cert:\LocalMachine\My\0DA8A50F8BEF89A1DE0BE59EBEADCF32813EBBFA -FilePath example.cloudapp.net.pfx -Password $pass


But self-signed SSL certificates generated using New-SelfSignedCertificate cannot be used for .NET projects. If used, the code will fail with a System.Security.Cryptography.CryptographicException exception.

You will get exceptions like the ones below

Inner Exception 1:
ArgumentException: It is likely that certificate 'CN=example.cloudapp.net' may not have a private key that is capable of key exchange or the process may not have access rights for the private key. Please see inner exception for detail.

Inner Exception 2:
CryptographicException: Invalid provider type specified.

with a call stack similar to

at System.Security.Cryptography.Utils.CreateProvHandle(CspParameters parameters, Boolean randomKeyContainer)
at System.Security.Cryptography.Utils.GetKeyPairHelper(CspAlgorithmType keyType, CspParameters parameters, Boolean randomKeyContainer, Int32 dwKeySize, SafeProvHandle& safeProvHandle, SafeKeyHandle& safeKeyHandle)
at System.Security.Cryptography.RSACryptoServiceProvider.GetKeyPair()
at System.Security.Cryptography.RSACryptoServiceProvider..ctor(Int32 dwKeySize, CspParameters parameters, Boolean useDefaultKeySize)
at System.Security.Cryptography.X509Certificates.X509Certificate2.get_PrivateKey()
at System.ServiceModel.Security.SecurityUtils.GetKeyContainerInfo(X509Certificate2 certificate)
at System.ServiceModel.Security.SecurityUtils.CanKeyDoKeyExchange(X509Certificate2 certificate)
at System.ServiceModel.Security.SecurityUtils.EnsureCertificateCanDoKeyExchange(X509Certificate2 certificate)"

The reason for this is a bit complicated and discussed here. In simple terms New-SelfSignedCertificate creates and stores the certificate data in a certificate store (CNG Store) which .NET Security classes do not understand.

So instead of using New-SelfSignedCertificate for generating your self-signed SSL certificates, for .NET projects, use the makecert tool which is available from the Developer Command Prompt for VS

You can generate a new self-signed SSL certificate with the command below

makecert -r -pe -n "CN=example.cloudapp.net" -sky exchange -sv example.cloudapp.net.pvk example.cloudapp.net.cer


You can then export out this self-signed SSL certificate as a .pfx file using the pvk2pfx command.

pvk2pfx -pvk example.cloudapp.net.pvk -spc example.cloudapp.net.cer -pfx example.cloudapp.net.pfx