Creating X.509 Certificates using makecert.exe - Manu Cohen-Yashar's Blog

Creating X.509 Certificates using makecert.exe


Creating X.509 certificates is a very common task. Unfortunately, the knowledge of how to do it is quite rare. If you want a certificate that the whole world will trust, you need to buy one, but if you need one for your own use you can create it with a tool called MakeCert.exe.

After downloading the tool, perform the following procedure:

Creating a Root Certificate Authority

makecert.exe -n "CN=My Root CA,O=Organization,OU=Org Unit,L=San Diego,S=CA,C=US" -pe -ss my -sr LocalMachine -sky exchange -m 96 -a sha1 -len 2048 -r My_Root_CA.cer

Import Root Certificate Authority Certificate into Trusted Root Store

certutil.exe -f -addstore Root My_Root_CA.cer

Create Backup (Export) PFX file of Root Certificate Authority Certificate

certutil.exe -privatekey -exportpfx "My Root CA" My_Root_CA.pfx

Create a Server Certificate issued from the previously created Certificate Authority

makecert.exe -n "CN=Server" -pe -ss my -sr LocalMachine -sky exchange -m 96 -in "My Root CA" -is my -ir LocalMachine -a sha1 -eku 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2 Server.cer

Create Backup (Export) PFX file of Server Certificate

certutil.exe -privatekey -exportpfx "Server" Server.pfx

Create a Computer certificate issued from the previously created Certificate Authority

makecert.exe -n "CN=Computer" -pe -ss my -sr LocalMachine -sky exchange -m 96 -in "My Root CA" -is my -ir LocalMachine -a sha1 -eku 1.3.6.1.5.5.7.3.2 Computer.cer

Create Backup (Export) PFX file of Computer Certificate

certutil.exe -privatekey -exportpfx "Computer" Computer.pfx
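The whole procedure above, collected into one PowerShell script that stops at the first failing step and checks the issued certificates against the trusted root before exporting the private keys. This is an added example, not a script from the original post: it assumes makecert.exe and certutil.exe are on the PATH, an elevated shell (writes to the LocalMachine stores need it), and a writable output folder C:\certs; the subject names, 96-month validity, key length and EKU OIDs are the post's own.

```powershell
# Added example, not part of the original post.
# Assumptions: makecert.exe and certutil.exe on PATH, elevated shell, C:\certs writable.
$ErrorActionPreference = 'Stop'
$OutDir = 'C:\certs'   # assumed output folder
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
Set-Location $OutDir

function Invoke-Checked {
    param([string]$Exe, [string[]]$ArgumentList)
    # Run a native tool and stop the script when it returns a non-zero exit code,
    # so a failed step (e.g. a missing issuer in the store) is never followed by the next one.
    Write-Host ">> $Exe $($ArgumentList -join ' ')"
    & $Exe @ArgumentList
    if ($LASTEXITCODE -ne 0) { throw "$Exe failed with exit code $LASTEXITCODE" }
}

# 1. Self-signed root CA (-r) stored in LocalMachine\My with an exportable private key (-pe).
Invoke-Checked 'makecert.exe' @(
    '-n', 'CN=My Root CA,O=Organization,OU=Org Unit,L=San Diego,S=CA,C=US',
    '-pe', '-ss', 'my', '-sr', 'LocalMachine', '-sky', 'exchange',
    '-m', '96', '-a', 'sha1', '-len', '2048', '-r', 'My_Root_CA.cer')

# 2. Trust the CA on this machine: import its public certificate into LocalMachine\Root.
Invoke-Checked 'certutil.exe' @('-f', '-addstore', 'Root', 'My_Root_CA.cer')

# 3. Certificates issued by the CA (-in/-is/-ir name the issuer in the store; no -r here).
#    Server: Server Authentication + Client Authentication EKUs. Computer: Client Authentication only.
Invoke-Checked 'makecert.exe' @(
    '-n', 'CN=Server', '-pe', '-ss', 'my', '-sr', 'LocalMachine', '-sky', 'exchange', '-m', '96',
    '-in', 'My Root CA', '-is', 'my', '-ir', 'LocalMachine', '-a', 'sha1',
    '-eku', '1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2', 'Server.cer')
Invoke-Checked 'makecert.exe' @(
    '-n', 'CN=Computer', '-pe', '-ss', 'my', '-sr', 'LocalMachine', '-sky', 'exchange', '-m', '96',
    '-in', 'My Root CA', '-is', 'my', '-ir', 'LocalMachine', '-a', 'sha1',
    '-eku', '1.3.6.1.5.5.7.3.2', 'Computer.cer')

# 4. Check before exporting: certutil -verify builds the chain up to the Root store and
#    prints the validity period, the issuer and the EKUs it found. Read its output; the
#    exit code is not gated here because a CA without revocation information reports
#    revocation warnings that are expected for this setup.
& certutil.exe -verify 'Server.cer'
& certutil.exe -verify 'Computer.cer'

# 5. Back up the private keys. certutil prompts for a PFX password; the files now carry
#    the CA and server keys, so keep them out of source control and shared folders.
Invoke-Checked 'certutil.exe' @('-privatekey', '-exportpfx', 'My Root CA', 'My_Root_CA.pfx')
Invoke-Checked 'certutil.exe' @('-privatekey', '-exportpfx', 'Server', 'Server.pfx')
Invoke-Checked 'certutil.exe' @('-privatekey', '-exportpfx', 'Computer', 'Computer.pfx')
```

Two points worth keeping in mind when adapting the script: a self-signed root takes `-r`, while an issued certificate takes `-in`/`-is`/`-ir` and must not also carry `-r` (makecert rejects the combination with the "Can not specify issuer's private key information for self signed certificate" error quoted in the comments below); and the script keeps the post's `-a sha1` so that it matches the commands above, whereas newer makecert builds also accept `-a sha256`.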

OID Reference

Encrypting File System (1.3.6.1.4.1.311.10.3.4)

Secure Email (1.3.6.1.5.5.7.3.4)

Smart Card Logon (1.3.6.1.4.1.311.20.2.2)

Client Authentication (1.3.6.1.5.5.7.3.2)

Server Authentication (1.3.6.1.5.5.7.3.1)

IP security IKE intermediate (1.3.6.1.5.5.8.2.2)


manu

Comments

Leo said:

Awesome. Thanks a lot!

# June 6, 2008 7:44 AM

fs said:

Thanks, saved me lots of time.

# January 27, 2009 4:46 PM

D said:

Simply fantastic! Thank you.

# April 2, 2009 6:21 PM

Gopi said:

Thank you soo much.

# May 11, 2009 10:50 AM

Parag Patel said:

Great page,

If I look at the digital signature properties of an .exe after signing it with the certificate, it shows the email field as "Not available". How can I fill in this email field?

# September 5, 2009 12:24 PM

Daniel Sage said:

I know this is a little old of a post, but I get the following error.

Error: Can not specify issuer's private key information for self signed certificate.  Please use -sp and -sy instead.

I am using the following command :

makecert -r -pe -n "CN=*.danielsage.org,O=Daniel Sage,OU=Web Safety,L=Lombard,S=IL,C=US" -pe -ss my -sr LocalMachine -sky exchange -m 96 -in "Daniel Sage Private Certification Services" -is my -ir LocalMachine -a sha1 -eku 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2 "D:\DSCert.cer"

With the CA command being:

makecert -n "CN=Daniel Sage Private Certification Services,O=Daniel Sage,OU=Web Safety,L=Lombard,S=IL,C=US" -pe -ss my -sr LocalMachine -sky exchange -m 96 -a sha1 -len 2048 -r "D:\DSRoot.cer"

Please help and thanks for the great page.

# February 25, 2010 12:42 AM

Daniel Sage said:

Never mind, I was able to get it to work.

Thanks again for the great page. Really helps.

# February 26, 2010 5:20 AM

Agha Usman said:

Did the job for me... excellent job.

# July 1, 2010 11:35 AM

Deepak said:

This was an awesome step-by-step instruction.... Could you please help in finding a third-party vendor like Verisign who issues this sort of certificate?

I am trying to use this for WCF. The certificate which I create is working perfectly, but the www.verisign.com/.../digital-id certificate is not working.

Thanks

Deepak

# June 14, 2011 10:08 PM