matteo-slaviero/power-ca

Power CA — Lightweight PKI for Development and Testing

Power CA is a cross-platform PowerShell utility that helps you quickly create and manage a minimal Public Key Infrastructure (PKI) for development, testing, and internal use.

It is implemented as a single, self-contained PowerShell script, making it easy to use, portable, and simple to integrate into any development workflow.

It provides a simple and guided way to generate a Root Certificate Authority and issue certificates without the complexity of full enterprise PKI solutions.

Why Power CA?

Setting up a local Certificate Authority for development often forces a trade-off: quick one-liners that ignore best practices, or full enterprise solutions that are too complex for everyday use.

Power CA bridges that gap.

It provides a practical, developer-friendly approach to PKI with the right balance of simplicity, control, and correctness:

  • Consistency
    Built on standardized OpenSSL configuration templates, ensuring every certificate is generated with correct structure, extensions, and policies—without manual tweaking.

  • Automation
    Handles the underlying complexity for you. SANs (Subject Alternative Names), Key Usage (KU), and Extended Key Usage (EKU) are automatically configured based on the certificate type.

  • Portability
    Delivered as a single PowerShell script, running seamlessly across Windows, macOS, and Linux with PowerShell 7+.

  • Clarity
    Outputs are cleanly organized into structured directories, making it easy to locate keys, CSRs, certificates, and full chains.

  • Control without Complexity
    Fully customizable through OpenSSL templates, allowing advanced users to fine-tune behavior while keeping the default workflow simple.

Power CA is suitable for:

  • Small internal certification authority (CA) use cases
  • Local development environments
  • Internal services and APIs
  • TLS and mutual TLS (mTLS) testing
  • Small lab or sandbox environments
  • Learning and experimenting with PKI concepts

Features

  • Create a Root Certificate Authority (CA)
  • Issue TLS server certificates with DNS and IP SAN support
  • Issue TLS client certificates
  • Generate digital signature certificates
  • Generate code signing certificates
  • Generate certificate request files (CSRs) for submission to an enterprise production CA for signing, after successful validation in development and test environments
  • Generate certificates in multiple formats (PEM, CER, DER) for maximum compatibility across different systems and use cases
  • Export certificates in PFX format
  • Interactive command-line interface
  • Highly customizable through OpenSSL configuration templates
  • Single-script design (no complex setup or multiple components required)

Requirements

  • PowerShell 7 or later
  • OpenSSL available in system PATH

Getting Started

Clone the repository and run the script:

git clone https://github.com/matteo-slaviero/power-ca.git
cd power-ca
pwsh ./pca-run.ps1

1. Initial Setup (Root CA)

On first run, if no Root CA is found, the tool will prompt:

Should we set up your Power CA right now? (y/N)

If you choose yes, you will be guided to:

  • Provide a Common Name (CN) for your Root CA
  • Generate:
    • Root private key (ca-key.pem)
    • Root certificate (ca-cert.pem, ca-cert.cer, ca-cert.der)
    • Optional PFX bundle (ca-cert.pfx)

All files are stored in:

./ca-root/

2. Main Menu

After setup, you will see:

1. Issue a TLS Server Certificate (For securing websites and API services)
2. Issue a TLS Client Certificate (For mutual authentication and user identity)
3. Issue a Digital Signature Certificate (For document integrity and non-repudiation)
4. Issue a Code Signing Certificate (For verifying the publisher of scripts and apps)
5. Exit

Select an option by entering the corresponding number.

3. Issue a TLS Server Certificate

You will be prompted to enter one or more identifiers:

Enter a DNS name or IP (press Enter when finished)

Examples:

  • localhost
  • api.local
  • 127.0.0.1

The first entry becomes the Common Name (CN).

The tool will:

  • Generate a private key
  • Create a CSR (Certificate Signing Request)
  • Sign the certificate using your Root CA
  • Build a full certificate chain

Output folder:

./server-<common_name>/

Generated files:

  • server-key.pem
  • server-cert.pem, server-cert.der, server-cert.cer
  • server-cert-fullchain.pem
  • server.csr
  • Optional server-cert.pfx
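
A post-issuance check for the files listed above, as an added example that is not part of Power CA. It assumes a server certificate was issued with `localhost` and `127.0.0.1` as identifiers, that `server-key.pem` is an unencrypted PEM key, and that the server template sets the serverAuth EKU; the parameter names are hypothetical.

```powershell
# Added example (not Power CA code): sanity-check an issued server certificate.
# File names follow the README layout; 'localhost' as common name is an assumption.
param(
    [string]$CaCert         = './ca-root/ca-cert.pem',
    [string]$CertDir        = './server-localhost',
    [string[]]$ExpectedSans = @('localhost', '127.0.0.1')
)

$cert     = Join-Path $CertDir 'server-cert.pem'
$key      = Join-Path $CertDir 'server-key.pem'
$failures = @()

# 1. The leaf must chain to the local Root CA and be acceptable for TLS server use.
$null = openssl verify -CAfile $CaCert -purpose sslserver $cert 2>&1
if ($LASTEXITCODE -ne 0) { $failures += 'chain or purpose verification failed' }

# 2. Every expected DNS name / IP must appear in the SAN extension;
#    clients match on SAN entries, not on the CN.
$san = (openssl x509 -in $cert -noout -ext subjectAltName 2>&1) -join "`n"
foreach ($name in $ExpectedSans) {
    $pattern = "(DNS|IP Address):$([regex]::Escape($name))(,|\s|$)"
    if ($san -notmatch $pattern) { $failures += "SAN entry missing: $name" }
}

# 3. EKU should list server authentication (assumed to be set by the server template).
$eku = (openssl x509 -in $cert -noout -ext extendedKeyUsage 2>&1) -join "`n"
if ($eku -notmatch 'TLS Web Server Authentication') {
    $failures += 'EKU does not include serverAuth'
}

# 4. The private key must correspond to the public key in the certificate.
$certPub = (openssl x509 -in $cert -noout -pubkey) -join "`n"
$keyPub  = (openssl pkey -in $key -pubout) -join "`n"
if ($certPub -ne $keyPub) { $failures += 'private key does not match certificate' }

if ($failures) {
    $failures | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Host "OK: $cert chains to $CaCert with the expected SAN, EKU and key"
```

The `-ext` option of `openssl x509` requires OpenSSL 1.1.1 or later.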

4. Issue Client / Signature / Code Signing Certificates

For these certificate types, you will be prompted for a Common Name.

The tool will:

  • Generate a private key
  • Create a CSR
  • Sign it with the Root CA
  • Build a full chain

Output folders:

  • Client: ./client-<common_name>/
  • Signature: ./signature-<common_name>/
  • Code signing: ./codesign-<common_name>/

Generated files follow the same pattern:

  • <type>-key.pem
  • <type>-cert.pem, <type>-cert.der, <type>-cert.cer
  • <type>-cert-fullchain.pem
  • <type>.csr
  • Optional <type>-cert.pfx

5. Export to PFX (Optional)

For each certificate, you can choose to export a .pfx bundle:

Would you like to export as a PFX file? (y/N)

If yes:

  • You will be prompted for a password
  • The certificate, private key, and CA chain are bundled into a .pfx file

6. Configuration and Customization

Certificate behavior is controlled via OpenSSL configuration templates located in:

./ca-root/request-config/

These templates allow you to customize:

  • Key usage
  • Extended key usage
  • Certificate extensions
  • Validity period
  • Cryptographic algorithms
  • Distinguished names

By modifying these templates, you can adapt Power CA to different scenarios without changing the script.

The configuration follows the standard OpenSSL format. For examples, see: https://docs.openssl.org/3.5/man1/openssl-req/#examples

Tested On

This setup has been verified with the following environment:

  • Ubuntu 24.04.1 LTS
  • PowerShell 7.6.1
  • OpenSSL 3.0.13

Screenshots

New Power CA Setup

Power CA Main Menu

TLS/SSL Certificate Generation

Optional PFX Export

Generated Certificate (Example)

Request Template Customization
