Scenario 2 setup fails on Linux (New-SelfSignedCertificate is Windows-only) #10

@t-mtsmt

Summary

EntraGoat-Scenario2-Setup.ps1 fails on Linux because it uses the New-SelfSignedCertificate cmdlet.
This cmdlet only exists on Windows PowerShell and is not available in PowerShell 7 on Linux.

There are six scenarios in total, and Scenario 2 is the only one affected by this issue.

Environment

  • OS: Kali Linux (Debian-based)
  • PowerShell: PowerShell 7.5.4
  • Microsoft Graph PowerShell SDK: 2.32.0
  • EntraGoat version: main branch (as of Nov 2025)

Steps to Reproduce

pwsh
cd EntraGoat/scenarios
./EntraGoat-Scenario2-Setup.ps1

Error output

┌──(kali㉿kali)-[/home/kali/Tools/EntraGoat/scenarios]
└─PS> ./EntraGoat-Scenario2-Setup.ps1  

|--------------------------------------------------------------|
|         ENTRAGOAT SCENARIO 2 - SETUP INITIALIZATION          |
|              Graph Me the Crown (and Roles)                  |
|--------------------------------------------------------------|

New-SelfSignedCertificate: /home/kali/Tools/EntraGoat/scenarios/EntraGoat-Scenario2-Setup.ps1:332:9
Line |
 332 |  $cert = New-SelfSignedCertificate `
     |          ~~~~~~~~~~~~~~~~~~~~~~~~~
     | The term 'New-SelfSignedCertificate' is not recognized as a name of a cmdlet, function, script file, or executable program. Check the spelling of the name, or if a path was included, verify that the path is
     | correct and try again.
InvalidOperation: /home/kali/Tools/EntraGoat/scenarios/EntraGoat-Scenario2-Setup.ps1:342:1
Line |
 342 |  $pfxCertBytesForUserOutput = $cert.Export([System.Security.Cryptograp …
     |  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | You cannot call a method on a null-valued expression.
MethodInvocationException: /home/kali/Tools/EntraGoat/scenarios/EntraGoat-Scenario2-Setup.ps1:343:1
Line |
 343 |  $certBase64ForUserOutput = [System.Convert]::ToBase64String($pfxCertB …
     |  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | Exception calling "ToBase64String" with "1" argument(s): "Value cannot be null. (Parameter 'inArray')"
InvalidOperation: /home/kali/Tools/EntraGoat/scenarios/EntraGoat-Scenario2-Setup.ps1:348:1
Line |
 348 |  $rawCertDataBytesForAppKey = $cert.GetRawCertData()
     |  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | You cannot call a method on a null-valued expression.
[-] Failed to add certificate to application: [KeyCredentialsInvalidValue] : KeyValue cannot be null or empty

Scenarios 1, 3, 4, 5, and 6 run fine on Linux using PowerShell 7.
Only Scenario 2 fails due to this Windows-only cmdlet.

Request

New-SelfSignedCertificate depends on Windows CryptoAPI and the Windows certificate store.
It does not work on Linux, so the script cannot continue.

Please consider:

  • Adding a note that Scenario 2 must be run on Windows
    or
  • Providing a cross-platform certificate generation method
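
One way to do the second option, as an added example that is not from the issue author or the EntraGoat project: .NET's `CertificateRequest` API is available to PowerShell 7 on Linux, macOS and Windows and builds a self-signed certificate without the Windows certificate store. The function name, subject, key size, validity period and PFX password are assumptions, as is the `Pfx` export type (the error output truncates that argument).

```powershell
# Added example: cross-platform stand-in for New-SelfSignedCertificate (PowerShell 7+).
# Function name, subject, key size, validity and password are assumptions, not EntraGoat values.
$ErrorActionPreference = 'Stop'   # stop at the first failure instead of cascading null errors

function New-PortableSelfSignedCertificate {
    param(
        [string]$Subject   = 'CN=example-lab-app',  # constructed placeholder
        [int]   $KeySize   = 2048,
        [int]   $ValidDays = 365
    )
    $rsa = [System.Security.Cryptography.RSA]::Create($KeySize)
    try {
        $request = [System.Security.Cryptography.X509Certificates.CertificateRequest]::new(
            $Subject, $rsa,
            [System.Security.Cryptography.HashAlgorithmName]::SHA256,
            [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)

        # Restrict the key to signing.
        $usage = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature
        $request.CertificateExtensions.Add(
            [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension]::new($usage, $true))

        $notBefore = [DateTimeOffset]::UtcNow.AddMinutes(-5)   # tolerate small clock skew
        # Returns an X509Certificate2 with the private key attached.
        return $request.CreateSelfSigned($notBefore, $notBefore.AddDays($ValidDays))
    }
    finally {
        $rsa.Dispose()
    }
}

$cert = New-PortableSelfSignedCertificate
if (-not $cert.HasPrivateKey) { throw 'Certificate was created without a private key.' }

# The two calls the error output shows failing on a null $cert.
# X509ContentType.Pfx is an assumption: the page truncates the Export() argument.
$pfxPassword = 'constructed-placeholder-password'
$pfxBytes    = $cert.Export(
    [System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, $pfxPassword)
$pfxBase64   = [System.Convert]::ToBase64String($pfxBytes)   # private key + certificate
$publicDer   = $cert.GetRawCertData()                        # public certificate only (DER)

'{0}  thumbprint={1}  pfx={2} bytes  der={3} bytes' -f `
    $cert.Subject, $cert.Thumbprint, $pfxBytes.Length, $publicDer.Length
```

The DER bytes from `GetRawCertData()` contain no private key; the PFX does and should be handled as a secret.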
