Recently I came across an interesting parameter of the New-SelfSignedCertificate PowerShell cmdlet — the -Signer parameter. This parameter allows you to provide a reference to an already-existing certificate that can be used to sign the newly-created certificate. This turns out to be an extremely useful little feature because sometimes you just need chained certificates to test stuff (so much so that I wrote a library that does this for me).

Not surprisingly, this cmdlet is much easier to use.

$ca = New-SelfSignedCertificate -DnsName "My Certificate Authority" -CertStoreLocation "cert:\LocalMachine\My"
New-SelfSignedCertificate -DnsName "child.domain.com" -CertStoreLocation "cert:\LocalMachine\My" -signer $ca

And voilà.

An authority-signed certificate

Signed Certificate