From 7379824645ebb5faa8ece0ef0c9e02606d113288 Mon Sep 17 00:00:00 2001
From: roger-cruz <45692830+roger-cruz@users.noreply.github.com>
Date: Sun, 3 Feb 2019 19:26:32 -0500
Subject: [PATCH 1/2] Add -KeyUsage that includes CertSign and change OIDs to use Extended Key Usage rather than Application Policy

The PoSH command used here to generate a self-signed certificate, which is then promoted to a trust root CA, did not work for me.

$rootCert = New-SelfSignedCertificate -CertStoreLocation cert:\CurrentUser\My -DnsName "RootCA" -TextExtension @("1.3.6.1.4.1.311.21.10={text}1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2")

Certificates signed with the above certificate will show a warning "The certificate is not valid for the selected purpose". If you try to use these certificates, you will get invalid certificate errors from clients.

The way I was able to fix this is to provide a -KeyUsage that includes "Certificate Signing" and change the OIDs to use the extended key usage rather than application policies. Once this was done for the root CA certificate, new certificates worked like a charm.

I suggest the command be changed to be like below.

$rootcert = New-SelfSignedCertificate -CertStoreLocation Cert:\CurrentUser\My -DnsName "RootCA" -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2") -KeyUsage CertSign,DigitalSignature,KeyEncipherment
---
 ...-create-temporary-certificates-for-use-during-development.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/framework/wcf/feature-details/how-to-create-temporary-certificates-for-use-during-development.md b/docs/framework/wcf/feature-details/how-to-create-temporary-certificates-for-use-during-development.md
index 6855550843676..4497b4e974949 100644
--- a/docs/framework/wcf/feature-details/how-to-create-temporary-certificates-for-use-during-development.md
+++ b/docs/framework/wcf/feature-details/how-to-create-temporary-certificates-for-use-during-development.md
@@ -22,7 +22,7 @@ When developing a secure service or client using Windows Communication Foundatio The following command creates a self-signed certificate with a subject name of "RootCA" in the Current User Personal store. ```powershell -PS $rootCert = New-SelfSignedCertificate -CertStoreLocation cert:\CurrentUser\My -DnsName "RootCA" -TextExtension @("1.3.6.1.4.1.311.21.10={text}1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2") +PS $rootcert = New-SelfSignedCertificate -CertStoreLocation Cert:\CurrentUser\My -DnsName "RootCA" -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2") -KeyUsage CertSign,DigitalSignature,KeyEncipherment ``` We need to export the certificate to a PFX file so that it can be imported to where it's needed in a later step. When exporting a certificate with the private key, a password is needed to protect it. We save the password in a `SecureString` and use the [Export-PfxCertificate](/powershell/module/pkiclient/export-pfxcertificate) cmdlet to export the certificate with the associated private key to a PFX file. We also save just the public certificate into a CRT file using the [Export-Certificate](/powershell/module/pkiclient/export-certificate) cmdlet. From 46074f35122771afc4797eb7cde76b5d2c2aeaf8 Mon Sep 17 00:00:00 2001 From: Maira Wenzel Date: Mon, 16 Sep 2019 14:23:03 -0700 Subject: [PATCH 2/2] feedback --- ...-create-temporary-certificates-for-use-during-development.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/framework/wcf/feature-details/how-to-create-temporary-certificates-for-use-during-development.md b/docs/framework/wcf/feature-details/how-to-create-temporary-certificates-for-use-during-development.md index 4497b4e974949..0b2deef3425f9 100644 --- a/docs/framework/wcf/feature-details/how-to-create-temporary-certificates-for-use-during-development.md +++ b/docs/framework/wcf/feature-details/how-to-create-temporary-certificates-for-use-during-development.md 
@@ -22,7 +22,7 @@ When developing a secure service or client using Windows Communication Foundatio The following command creates a self-signed certificate with a subject name of "RootCA" in the Current User Personal store. ```powershell -PS $rootcert = New-SelfSignedCertificate -CertStoreLocation Cert:\CurrentUser\My -DnsName "RootCA" -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2") -KeyUsage CertSign,DigitalSignature,KeyEncipherment +PS $rootcert = New-SelfSignedCertificate -CertStoreLocation Cert:\CurrentUser\My -DnsName "RootCA" -TextExtension @("2.5.29.19={text}CA=true") -KeyUsage CertSign,CrlSign,DigitalSignature ``` We need to export the certificate to a PFX file so that it can be imported to where it's needed in a later step. When exporting a certificate with the private key, a password is needed to protect it. We save the password in a `SecureString` and use the [Export-PfxCertificate](/powershell/module/pkiclient/export-pfxcertificate) cmdlet to export the certificate with the associated private key to a PFX file. We also save just the public certificate into a CRT file using the [Export-Certificate](/powershell/module/pkiclient/export-certificate) cmdlet.
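Review bot: in the first hunk (PATCH 1/2, `@@ -22,7 +22,7 @@`), the replacement `$rootcert` line still omits the extension that actually marks a certificate as an issuer, Basic Constraints (2.5.29.19) with CA=true; an Extended Key Usage of serverAuth/clientAuth (2.5.29.37) on the root together with `-KeyUsage CertSign` does not make it a CA, so chain builders that check basicConstraints can still reject certificates issued from it. Suggest `-TextExtension @("2.5.29.19={text}CA=true")` and, in the key usage set, dropping `KeyEncipherment` (an issuing key signs, it does not encrypt) in favour of `CrlSign`. The rename from `$rootCert` to `$rootcert` is harmless because PowerShell variable names are case-insensitive, but it makes the casing differ from the line being replaced; keep one spelling throughout the article.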
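Review bot: in the second hunk (PATCH 2/2, `@@ -22,7 +22,7 @@`), the Basic Constraints extension on the new `$rootcert` line should be marked critical, as RFC 5280 requires for CA certificates, and for a development root it is worth capping the path length so the root can only issue end-entity certificates, e.g. `-TextExtension @("2.5.29.19={critical}{text}CA=true&pathlength=0")` (the `{critical}` marker and `&pathlength=` are part of the -TextExtension value syntax documented for New-SelfSignedCertificate). `-KeyUsage CertSign,CrlSign,DigitalSignature` is the right set for an issuing key and correctly replaces the earlier serverAuth/clientAuth EKU, which belongs on the leaf certificates rather than the root. One pre-existing nit that this rewrite could also fix: the `PS ` prompt prefix inside the ```powershell fence stops the line from being copy-pasteable; drop it or mark the block as console output.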