MAKECERT.EXE FOR WINDOWS 7

Creating self-signed certificate using makecert.exe

I’ve had to create self-signed certificates on quite a few occasions over the years.


There are multiple scenarios when one might want to create these self-signed certificates. Two of the most popular tools used for certificate generation are…

  1. openssl (on Windows and Linux)
  2. makecert (on Windows)

We’ll cover the usage of makecert.exe in this post.

Where to get makecert.exe

  • Windows SDK
    If you have the Windows SDK installed, you can find makecert.exe at one of the following locations, depending on the SDK version…

    Version   Location
    7         C:\Program Files (x86)\Microsoft SDKs\Windows\v7.1A\bin
    8         C:\Program Files (x86)\Windows Kits\8.0\bin
    8.1       C:\Program Files (x86)\Windows Kits\8.1\bin
    10        C:\Program Files (x86)\Windows Kits\10.0\bin
  • Visual Studio (if the Visual Studio IDE is installed)
    If you are already using Visual Studio, you will find makecert.exe at one of the following locations…

    Version   Location
    2015      C:\Program Files (x86)\Windows Kits\10.0\bin
    2013      C:\Program Files (x86)\Windows Kits\8.1\bin
    2010      C:\Program Files\Microsoft SDKs\Windows\v7.0A\bin
    2008      C:\Program Files\Microsoft SDKs\Windows\v6.0A\bin

Certificates are usually generated to enable HTTPS on a web server. The other common reason is client authentication.

We'll cover both these cases:
1. server certificates
2. client certificates

We'll also create a Root CA certificate for signing both of these certificates.

Suppose I have a company named FunSoft that is working on a new cloud service offering called FunSoft Cloud Service.

Root CA certificate:

makecert.exe -r -n "CN=FunSoft Root Authority,O=FunSoft,OU=Development,L=Pune,S=MH,C=IN" -pe -ss Root -sr LocalMachine -sky signature -m 120 -a sha256 -len 2048

Switch   Usage
-r       Mark the certificate as self-signed.
-n       Certificate subject name; starts with "CN=". An example value is "CN=Test Certificate".
-pe      Mark the generated private key as exportable.
-ss      Certificate store name. Most common options are [AuthRoot/CA/My/Root].
-sr      Certificate store location. Valid options are [CurrentUser/LocalMachine]. Defaults to 'CurrentUser'.
-sky     Subject key type. Valid options are [signature/exchange/[integer]].
-m       Number of months for the certificate validity period.
-a       Signature algorithm. Valid options are [md5/sha1/sha256/sha384/sha512]. Defaults to 'sha1'.
-len     Generated key length (bits). An example value is 2048.

Note:

Abbreviation   Full form             Example
C              Country               IN -> India
S              State                 MH -> Maharashtra
L              Locality              Pune
O              Organization          FunSoft
OU             Organizational Unit   Development
CN             Common Name           FunSoft Root Authority

You will also find the new root certificate in the Certificates snap-in under
Certificates (Local Computer) => Trusted Root Certification Authorities => Certificates

Server certificate signed with Root CA

We will now create a server certificate signed with the Root CA certificate created above…

makecert -pe -n "CN=*.funsoft.com" -a sha256 -len 2048 -sky exchange -eku 1.3.6.1.5.5.7.3.1 -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 -in "FunSoft Root Authority" -is Root -ir LocalMachine -ss My -sr LocalMachine -m 13 funSoftServerCert.cer

Switch   Usage
-pe      Mark the generated private key as exportable.
-n       Certificate subject name; starts with "CN=". An example value is "CN=Test Certificate".
-a       Signature algorithm. Valid options are [md5/sha1/sha256/sha384/sha512]. Defaults to 'sha1'.
-len     Generated key length (bits). An example value is 2048.
-sky     Subject key type. Valid options are [signature/exchange/[integer]].
-eku     Comma-separated Enhanced Key Usage values, given as Microsoft's Object IDs (OIDs).
-sp      Subject's CryptoAPI provider name.
-sy      Subject's CryptoAPI provider type.
-in      Issuer certificate's common name.
-is      Issuer certificate's store name.
-ir      Issuer certificate's store location.
-ss      Certificate store name. Most common options are [AuthRoot/CA/My/Root].
-sr      Certificate store location. Valid options are [CurrentUser/LocalMachine]. Defaults to 'CurrentUser'.
-m       Number of months for the certificate validity period.

Note:

EKU               OID                  Use
serverAuth        1.3.6.1.5.5.7.3.1    SSL/TLS Web Server Authentication
clientAuth        1.3.6.1.5.5.7.3.2    SSL/TLS Web Client Authentication
codeSigning       1.3.6.1.5.5.7.3.3    Code signing
emailProtection   1.3.6.1.5.5.7.3.4    E-mail Protection (S/MIME)

Client certificate signed with Root CA

We can also create a client certificate for client authentication as follows…

makecert -pe -n "CN=SUN" -a sha256 -len 2048 -sky exchange -eku 1.3.6.1.5.5.7.3.2 -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 -in "FunSoft Root Authority" -is Root -ir LocalMachine -ss My -sr LocalMachine -m 13 funSoftClientCert.cer

Observe that the only values changed here are the -eku OID and the CN.

One thing to note here is that client certificates can be issued with the CN value scoped either

  • per machine, or
    The CN value can be the machine name (or the machine's FQDN if the machine is part of a domain).
  • per user
    In this case you could put the user name in the CN and set the -sr switch to CurrentUser.
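The three commands above, run in order and then checked, as an added PowerShell example that is not part of the original post. It assumes an elevated prompt (the LocalMachine stores need administrator rights), makecert.exe on the PATH, and an output folder $OutDir, which is a constructed path; the subject names, switches and file names are the post's own. Before signing anything with the root it also confirms that the issuer name is unambiguous, since -in matches any certificate whose common name includes the string and makecert fails when the match is not unique; after signing it builds the chain of each issued certificate and checks that the expected EKU OID from the table above is present.

```powershell
# Added example (not from the original post): run the post's three makecert commands and
# verify what landed in the stores. Assumes an elevated prompt, makecert.exe on PATH, and
# $OutDir (a constructed path). Subject names and switches are the post's own.
$ErrorActionPreference = 'Stop'
$OutDir   = 'C:\certs'                    # assumed output folder for the .cer files
$RootName = 'FunSoft Root Authority'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

function Invoke-MakeCert {
    # Runs makecert.exe with the given switches and stops on a non-zero exit code, so a
    # failure (for example an issuer that is not found) cannot go unnoticed mid-sequence.
    param([string[]]$Arguments)
    & makecert.exe @Arguments
    if ($LASTEXITCODE -ne 0) { throw "makecert exited with $LASTEXITCODE for: $Arguments" }
}

# 1. Root CA: self-signed, signature key, 120 months, SHA-256, 2048-bit RSA, in LocalMachine\Root
Invoke-MakeCert @('-r', '-n', "CN=$RootName,O=FunSoft,OU=Development,L=Pune,S=MH,C=IN",
                  '-pe', '-ss', 'Root', '-sr', 'LocalMachine', '-sky', 'signature',
                  '-m', '120', '-a', 'sha256', '-len', '2048')

# -in matches any certificate whose CN *includes* the string (so "FunSoft Root Authority 2"
# would match too) and makecert fails when the match is not unique; the same substring test
# here confirms the issuer is unambiguous before anything is signed with it.
$roots = @(Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -like "*CN=$RootName*" })
if ($roots.Count -ne 1) {
    throw "expected exactly one '$RootName' in LocalMachine\Root, found $($roots.Count)"
}

# 2. Server certificate (serverAuth EKU) and 3. client certificate (clientAuth EKU), both
# issued by the root above; only -n, -eku and the output file differ between the two.
$issuer = @('-sp', 'Microsoft RSA SChannel Cryptographic Provider', '-sy', '12',
            '-in', $RootName, '-is', 'Root', '-ir', 'LocalMachine',
            '-ss', 'My', '-sr', 'LocalMachine', '-m', '13')
Invoke-MakeCert (@('-pe', '-n', 'CN=*.funsoft.com', '-a', 'sha256', '-len', '2048', '-sky', 'exchange',
                   '-eku', '1.3.6.1.5.5.7.3.1') + $issuer + "$OutDir\funSoftServerCert.cer")
Invoke-MakeCert (@('-pe', '-n', 'CN=SUN', '-a', 'sha256', '-len', '2048', '-sky', 'exchange',
                   '-eku', '1.3.6.1.5.5.7.3.2') + $issuer + "$OutDir\funSoftClientCert.cer")

function Test-IssuedCert {
    # Loads a .cer file, builds its chain against the machine's trust stores, and reports
    # whether the expected EKU OID (.1 = serverAuth, .2 = clientAuth) is present.
    param([string]$Path, [string]$ExpectedIssuer, [string]$ExpectedEku)
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # A private test root publishes no CRL, so revocation checking would only produce noise.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainOk = $chain.Build($cert)
    $ekus = @()
    foreach ($ext in $cert.Extensions) {
        if ($ext.Oid.Value -eq '2.5.29.37') {          # id-ce-extKeyUsage
            foreach ($oid in $ext.EnhancedKeyUsages) { $ekus += $oid.Value }
        }
    }
    $issuerCn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $true)
    New-Object PSObject -Property @{
        File               = Split-Path -Leaf $Path
        Subject            = $cert.Subject
        IssuedByRoot       = ($issuerCn -eq $ExpectedIssuer)
        ChainValid         = $chainOk
        ChainStatus        = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')
        HasExpectedEku     = ($ekus -contains $ExpectedEku)
        Ekus               = ($ekus -join ',')
        SignatureAlgorithm = $cert.SignatureAlgorithm.FriendlyName   # expect sha256RSA
    }
}

Test-IssuedCert "$OutDir\funSoftServerCert.cer" $RootName '1.3.6.1.5.5.7.3.1' | Format-List
Test-IssuedCert "$OutDir\funSoftClientCert.cer" $RootName '1.3.6.1.5.5.7.3.2' | Format-List

# Export only the root's public certificate for distribution to clients; the private key
# stays in the machine key container where makecert put it.
[IO.File]::WriteAllBytes("$OutDir\FunSoftRoot.cer", $roots[0].Export('Cert'))
```

ChainValid should be True on the machine where the root was installed and False anywhere the FunSoftRoot.cer file has not yet been imported into Trusted Root Certification Authorities; ChainStatus then names the reason (UntrustedRoot). The uniqueness check is worth keeping in any script that reuses -in, because a second root with a longer common name would otherwise make the later makecert calls fail.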

MakeCert – Win32 apps | Microsoft Learn

The MakeCert tool creates an X.509 certificate, signed by the test root key or other specified key, that binds your name to the public part of the key pair. The certificate is saved to a file, a system certificate store, or both. The tool is installed in the \Bin folder of the Microsoft Windows Software Development Kit (SDK) installation path.

You can download the Windows SDK from the Windows Dev Center.

The MakeCert tool uses the following command syntax:

MakeCert [BasicOptions|ExtendedOptions] OutputFile

OutputFile is the name of the file where the certificate will be written. You can omit OutputFile if the certificate is not to be written to a file.

Options

MakeCert includes basic and extended options. Basic options are those most commonly used to create a certificate. Extended options provide more flexibility.

The options for MakeCert are also divided into three functional groups:

  • Basic options specific to certificate store technology only.
  • Extended options specific to SPC-file and private key technology only.
  • Extended options applicable to SPC-file, private key, and certificate store technology.

Options given in the following tables can be used only with Internet Explorer 4.0 or later.

Basic option                  Description
-a Algorithm                  Hash algorithm. Must be set to either SHA-1 or MD5 (default). For information about MD5, see MD5.
-b DateStart                  Date the certificate first becomes valid. The default is when the certificate is created. The format of DateStart is mm/dd/yyyy.
-cy CertificateTypes          Certificate type. CertificateTypes can be end for end-entity, or authority for certification authority.
-e DateEnd                    Date when the validity period ends. The default is the year 2039.
-eku OID1,OID2 …              Inserts a list of one or more comma-separated enhanced key usage object identifiers (OIDs) into the certificate. For example, -eku 1.3.6.1.5.5.7.3.2 inserts the client authentication OID. For definitions of allowable OIDs, see the Wincrypt.h file in CryptoAPI 2.0.
-h NumChildren                Maximum height of the tree below this certificate.
-l PolicyLink                 Link to SPC agency policy information (for example, a URL).
-m nMonths                    Duration of the validity period.
-n "Name"                     Name for the publisher's certificate. This name must conform to the X.500 standard. The simplest method is to use the "CN=MyName" format. For example: -n "CN=Test".
-nscp                         The Netscape client authentication extension should be included.
-pe                           Marks the private key as exportable.
-r                            Creates a self-signed certificate.
-sc SubjectCertFile           Certificate file name with the existing subject public key to be used.
-sk SubjectKey                Location of the subject's key container which holds the private key. If a key container does not exist, one is created. If neither the -sk nor the -sv option is used, a default key container is created and used by default.
-sky SubjectKeySpec           Subject's key specification. SubjectKeySpec must be one of three possible values: Signature (AT_SIGNATURE key specification), Exchange (AT_KEYEXCHANGE key specification), or an integer such as 3. For more information, see the Note that follows this table.
-sp SubjectProviderName       CryptoAPI provider for subject. The default is the user's provider. For information about CryptoAPI providers, see the CryptoAPI 2.0 documentation.
-sr SubjectCertStoreLocation  Registry location of the subject's certificate store. SubjectCertStoreLocation must be either LocalMachine (registry key HKEY_LOCAL_MACHINE) or CurrentUser (registry key HKEY_CURRENT_USER). CurrentUser is the default.
-ss SubjectCertStoreName      Name of the subject's certificate store where the generated certificate will be stored.
-sv SubjectKeyFile            Name of the subject's .pvk file. If neither the -sk nor the -sv option is used, a default key container is created and used by default.
-sy nSubjectProviderType      CryptoAPI provider type for subject. The default is PROV_RSA_FULL. For information about CryptoAPI provider types, see the CryptoAPI 2.0 documentation.
-# SerialNumber               Serial number of the certificate. The maximum value is 2^31. The default is a value generated by the tool that is guaranteed to be unique.
-$ CertificateAuthority       Type of certification authority. CertificateAuthority must be set to either commercial (for certificates to be used by commercial software publishers) or individual (for certificates to be used by individual software publishers).
-?                            Displays the basic options.
-!                            Displays the extended options.

Note

If the -sky key specification option is used in Internet Explorer version 4.0 or later, the specification must match the key specification indicated by the private key file or private key container. If the key specification option is not used, the key specification indicated by the private key file or private key container will be used. If there is more than one key specification in the key container, MakeCert will first attempt to use the AT_SIGNATURE key specification. If that fails, MakeCert will try to use AT_KEYEXCHANGE. Because most users have either an AT_SIGNATURE key or an AT_KEYEXCHANGE key, this option does not need to be used in most cases.
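The Note above says the key specification must agree with what is in the key container, and the same container carries the provider name and type (-sp, -sy), the container name (-sk) and the exportable flag (-pe). The following added PowerShell example, which is not from the Microsoft documentation, reads those properties back for certificates already in a store so the result of a makecert run can be checked against the switches that were given. The store path and subject filter are constructed values; the code reads CSP key containers, which is what makecert creates, and skips CNG keys.

```powershell
# Added example (not from the Microsoft documentation): report the key-container settings
# (-sky, -sp, -sy, -sk, -pe) behind certificates in a store. Store path and subject filter
# are constructed defaults. Reading LocalMachine private keys requires an elevated prompt.
function Get-KeyContainerInfo {
    param(
        [string]$StorePath   = 'Cert:\LocalMachine\My',   # -sr/-ss as a cert-drive path
        [string]$SubjectLike = '*'                        # e.g. '*CN=*.funsoft.com*'
    )
    Get-ChildItem $StorePath |
        Where-Object { $_.HasPrivateKey -and $_.Subject -like $SubjectLike } |
        ForEach-Object {
            $thumb = $_.Thumbprint
            try {
                # RSACryptoServiceProvider for CSP keys; $null (or an exception) for CNG keys.
                $key = $_.PrivateKey
            } catch {
                Write-Warning "${thumb}: private key could not be opened: $($_.Exception.Message)"
                return
            }
            if (-not ($key -is [System.Security.Cryptography.RSACryptoServiceProvider])) {
                Write-Warning "${thumb}: not a CSP RSA key, no container info to report"
                return
            }
            $info = $key.CspKeyContainerInfo
            New-Object PSObject -Property @{
                Subject       = $_.Subject
                Thumbprint    = $thumb
                KeySpec       = $info.KeyNumber          # Signature = AT_SIGNATURE, Exchange = AT_KEYEXCHANGE (-sky)
                Provider      = $info.ProviderName       # -sp, e.g. "Microsoft RSA SChannel Cryptographic Provider"
                ProviderType  = $info.ProviderType       # -sy: 1 = PROV_RSA_FULL, 12 = PROV_RSA_SCHANNEL
                Container     = $info.KeyContainerName   # -sk, or the default container makecert created
                MachineKeySet = $info.MachineKeyStore    # $true for keys created with -sr LocalMachine
                Exportable    = $info.Exportable         # $true only when -pe was given
            }
        }
}

# Check the server certificate from the first part of this page (CN=*.funsoft.com,
# created with -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 -pe).
Get-KeyContainerInfo -StorePath 'Cert:\LocalMachine\My' -SubjectLike '*CN=*.funsoft.com*' | Format-List
```

For that certificate the output should show KeySpec Exchange, ProviderType 12, MachineKeySet True and Exportable True; a KeySpec of Signature on a certificate meant for TLS is the mismatch the Note warns about, and Exportable True on a production key is a reason to regenerate it without -pe.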

The following options are only for Software Publisher Certificate (SPC) files and private key technology.

SPC and private key option    Description
-ic IssuerCertFile            Location of the issuer's certificate.
-ik IssuerKey                 Location of the issuer's key container. The default is the test root key.
-iky IssuerKeySpec            Issuer's key specification, which must be one of three possible values: Signature (AT_SIGNATURE key specification), Exchange (AT_KEYEXCHANGE key specification), or an integer such as 3. For more information, see the Note that follows this table.
-ip IssuerProviderName        CryptoAPI provider for issuer. The default is the user's provider. For information about CryptoAPI providers, see the CryptoAPI 2.0 documentation.
-iv IssuerKeyFile             Issuer's private key file. The default is the test root.
-iy nIssuerProviderType       CryptoAPI provider type for issuer. The default is PROV_RSA_FULL. For information about CryptoAPI provider types, see the CryptoAPI 2.0 documentation.

Note

If the -iky key specification option is used in Internet Explorer 4.0 or later, the specification must match the key specification indicated by the private key file or private key container. If the key specification option is not used, the key specification indicated by the private key file or private key container will be used. If there is more than one key specification in the key container, MakeCert will first attempt to use the AT_SIGNATURE key specification. If that fails, MakeCert will try to use AT_KEYEXCHANGE. Because most users have either an AT_SIGNATURE key or an AT_KEYEXCHANGE key, this option does not need to be used in most cases.

The following options are for certificate store technology only.

Certificate store option Description
-ic IssuerCertFile File that contains the issuer's certificate. MakeCert will search in the certificate store for a certificate with an exact match.
-in IssuerNameString Common name of the issuer's certificate. MakeCert will search in the certificate store for a certificate whose common name includes IssuerNameString.
-ir IssuerCertStoreLocation Registry location of the issuer's certificate store. IssuerCertStoreLocation must be either LocalMachine (registry key HKEY_LOCAL_MACHINE) or CurrentUser (registry key HKEY_CURRENT_USER). CurrentUser is the default.
-is IssuerCertStoreName Issuer's certificate store that includes the issuer's certificate and its associated private key information. If there is more than one certificate in the store, the user must uniquely identify it by using the -ic or -in option. If the certificate in the certificate store is not uniquely identified, MakeCert will fail.

Using MakeCert – Win32 apps

The following examples use MakeCert commands to create test certificates using options available with Internet Explorer version 4.0 or later.

  • Make a certificate issued by the default test root. Save the certificate to a file.

    MakeCert MyNew.cer

  • Make a certificate issued by the default test root. Save it to a certificate store.

    MakeCert -ss MyNewStore

  • Make a certificate issued by the default test root. Create a key container and save the certificate to both a store and a file.

    MakeCert -sk MyNewKey -ss MyNewStore MyNew.cer

  • Make a certificate issued by the default test root. Create a private key file and save the certificate to both a store and a file.

    MakeCert -sv MyKeyFile -ss MyNewStore MyNew.cer

  • Make a certificate issued by the default test root. Create a key container, save the certificate to both a store and a file, and make the private key exportable.

    MakeCert -sk MyNewKey -ss MyNewStore MyNew.cer -pe

  • Make a certificate by using the default test root. Save the certificate to a store. Then make another certificate issued by the newly created certificate. Save the second certificate to another store.

    MakeCert -sk MyNewKey -ss MyNewStore
    MakeCert -is MyNewStore -ss AnotherStore

  • Make a certificate by using the default test root. Save the certificate to the MY store. Then make another certificate by using the newly created certificate. If there is more than one certificate in the MY store, the certificate must be identified by using its common name.

    MakeCert -sk MyNewKey -n "CN=XXZZYY" -ss my
    MakeCert -is my -in "XXZZYY" -ss AnotherStore

  • Make a certificate by using the default test root. Save the certificate to the MY store and to a file. Then make another certificate by using the newly created MyNew certificate. If there is more than one certificate in the MY store, uniquely identify the first certificate by using the certificate file name.

    MakeCert -sk MyNewKey -n "CN=XXZZYY" -ss my MyNew.cer
    MakeCert -is my -ic MyNew.cer -ss AnotherStore
