creating self-signed certificates with makecert.exe for development

Upload: khundalini

Post on 21-Feb-2018


  • 7/24/2019 Creating Self-Signed Certificates With MakeCert.exe for Development

    Creating Self-Signed Certificates With MakeCert.exe for Development

    http://www.jayway.com/2014/09/03/creating-self-signed-certificates-with-makecert-exe-for-development/

    If you've ever had the need of creating self signed certificates you may start out feeling like it's not a straightforward stroll in the park, so here is a blog post that might help you to get started. I will be going through the basics of creating self signed X.509 certificates (Root, server & client) using makecert.exe.

    For the complete makecert.exe parameter reference click here: http://msdn.microsoft.com/en-us/library/bfsktky3(v=vs.110).aspx

    I'm using a PC with Windows 8.1 Pro and Visual Studio Premium 2013.

    Certificate Authority (CA)

    Normally most companies would just buy their certificates from a trusted third party certificate authority such as GoDaddy or Verisign, but for development and testing, this might not be the first thing one wants to do. Instead you can create your own self signed certificates, starting with a root CA that can be used to sign other certificates. (For example SSL certificates for servers and clients). When you do this, the certificates are not trusted by default. You must therefore add the root CA to your machine's Trusted Root Certification Authorities Store through the Microsoft Management Console.

    NOTE: You can add these two parameters: -sr LocalMachine ^ and -ss Root ^ to the upcoming command batch file, if you want to install the certificate directly into the LocalMachine's Trusted Root Certification Authorities. BE SURE to run the Developer Command Prompt as administrator or it will fail. We will however go through how to do this manually so you get a more basic understanding.

    The ^ symbol I add to the following cmd batch files means …

    Open an empty Notepad document and copy and paste the following into Notepad:

        rem Create the self-signed root CA certificate (CARoot.cer) and its private key (CARoot.pvk)
        makecert.exe ^
        -n "CN=CARoot" ^
        -r ^
        -pe ^
        -a sha512 ^
        -len 4096 ^
        -cy authority ^
        -sv CARoot.pvk ^
        CARoot.cer

        rem Combine the certificate and the private key into a password-protected .pfx
        pvk2pfx.exe ^
        -pvk CARoot.pvk ^
        -spc CARoot.cer ^
        -pfx CARoot.pfx ^
        -po Test123

    This may or may not look a bit frightening or incomprehensible at first, but let me walk you through what is going on here: First we create a certificate with makecert.exe, then we use pvk2pfx.exe to copy the public key and private key information from the .pvk and .cer into a .pfx (personal information exchange) file.

    NOTE: Never share your root .pvk or .pfx files if you want to stay secure!

    The .pvk file contains your private key for your .cer certificate and the .pfx file contains both the certificate .cer and the private key .pvk, which means that others can sign new certificates with your certificate without your consent. The only file you can share is the .cer file, which only contains the public key.

    The makecert.exe parameters:

    -n … =MyOrganization,OU=Dev,C=Denmark” and so on. Reference:

    CN = commonName (for example, …

    Open a Visual Studio Developer Command Prompt (this is where makecert.exe lives), and navigate to the folder that contains the batch file and run the cmd file.

    It should now prompt you to enter some passwords. (This is where we create and use the .pvk private key, so these need to match for success).

    You should now have 3 new files: CARoot.cer, CARoot.pfx and CARoot.pvk in the folder where your batch files are.

    Making It Trusted

    (This is a manual walk through if you didn't include the -sr and -ss parameters) Open your new CARoot.cer file by double clicking it and see that it is not trusted.

    To make it trusted on your machine open up the Microsoft Management Console. (Find it by searching for mmc in start)

    Go to File > Add/Remove Snap-in. Double-click Certificates in the list to the left.

    Choose Computer account and just go next, finish and OK.

    Open the Trusted Root Certification Authorities > Certificates

    Here you can see all of the currently trusted certificates that Windows trusts. (A lot of them ship with Windows out of the box).

    Now right-click the Certificates folder > All tasks > Import…

    The certificate Import Wizard will pop up.

    Go next > Browse to find the CARoot.cer file we created earlier.

    Keep going next until finish where a message box should appear saying …

    Open the CARoot (double-click) and see that it is now trusted by your computer.
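The same import can be scripted. This is an added example, not part of the original post, that uses the Import-Certificate cmdlet from the Windows PKI module instead of the MMC wizard, checks that the store entry is the file you meant to trust, and shows how to take the development root out again. It assumes the CARoot.cer created above; the function names are hypothetical.

```powershell
# Added example, not from the original post; function names are hypothetical.
# Run from an elevated PowerShell prompt in the folder that holds CARoot.cer.
function Add-DevRoot {
    param([Parameter(Mandatory)] [string] $CerPath)
    $path = (Resolve-Path $CerPath).Path
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $path

    # Only a self-signed certificate belongs in the root store.
    if ($cert.Subject -ne $cert.Issuer) { throw "$CerPath is not self-signed" }

    # Same effect as the MMC import into Trusted Root Certification Authorities.
    $imported = Import-Certificate -FilePath $path -CertStoreLocation Cert:\LocalMachine\Root
    if ($imported.Thumbprint -ne $cert.Thumbprint) { throw 'store entry differs from the file on disk' }
    $imported.Thumbprint
}

function Remove-DevRoot {
    param([Parameter(Mandatory)] [string] $Thumbprint)
    # Take the development root out of the machine's trust store when testing is over.
    Remove-Item -Path "Cert:\LocalMachine\Root\$Thumbprint"
}

$thumb = Add-DevRoot -CerPath .\CARoot.cer
Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object Thumbprint -eq $thumb |
    Format-List Subject, NotAfter, Thumbprint
# When development is finished: Remove-DevRoot -Thumbprint $thumb
```

While the root sits in the LocalMachine store, anything signed with CARoot.pvk is trusted on that machine, which is why the private key files should stay private and the root should be removed once it is no longer needed.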

    Server Certificates

    Next up we need a certificate to handle SSL on the server. We will create this with a new command batch file in notepad just like before, this time with these parameters:

        makecert.exe ^
        -n "CN=yourdomain.com" ^
        -iv CARoot.pvk ^
        -ic CARoot.cer ^
        -pe ^
        -a sha512 ^
        -len 4096 ^
        -b 01/01/2014 ^
        -e 01/01/2016 ^
        -sky exchange ^
        -eku 1.3.6.1.5.5.7.3.1 ^
        -sv %1.pvk ^
        %1.cer

        pvk2pfx.exe ^
        -pvk %1.pvk ^
        -spc %1.cer ^
        -pfx %1.pfx ^
        -po Test123

    NOTE: The CN must match your domain otherwise the browsers won't trust your SSL certificate and warn the end user not to proceed to your website. You will recognize most of the parameters, but let me explain the new ones:

    -n …

    Run it in your Developer Command Prompt the same way as before, only this time type in a name for your certificate after the command. Mine will be: CreateSslServerCert.cmd ServerSSL.

    Again it will ask you to create your private key password, use it to verify, also give the issuer's password (which is the one you chose when creating your root CA) and lastly the private key password you choose in the first window.

    …aaand voila, you now have the ServerSSL certificate files.

    If you didn't include the -sr and -ss parameters, import the Personal Information Exchange (pfx) certificate into your Personal Certificates in the Microsoft Management Console:

    Open the Personal folder > right-click Certificates > Import…

    Again the Certificate Import Wizard pops up > Go Next

    This time you will Browse for the ServerSSL.pfx file

    Go next > Type in the password for your pfx file (The -po parameter from the batch file) > Continue going next until finish and the message box with “The import was successful” appears.

    You should now see your newly imported certificate in your Personal > Certificates folder.

    It is trusted automatically because your CARoot that signed it is trusted and has a private key corresponding to this certificate.

    You can now configure your server to use this certificate.

    Client Certificates

    Last but not least we will create the client certificate which can be used for client certificate authentication. We will again create a command batch file, now with the following parameters:

        makecert.exe ^
        -n "CN=%1" ^
        -iv CARoot.pvk ^
        -ic CARoot.cer ^
        -pe ^
        -a sha512 ^
        -len 4096 ^
        -b 01/01/2014 ^
        -e 01/01/2016 ^
        -sky exchange ^
        -eku 1.3.6.1.5.5.7.3.2 ^
        -sv %1.pvk ^
        %1.cer

        pvk2pfx.exe ^
        -pvk %1.pvk ^
        -spc %1.cer ^
        -pfx %1.pfx ^
        -po Test123

    You may notice that this is almost identical to the server certificate parameters, all except:

    … U=Dev,C=Denmark” and so on. Reference:

    CN = commonName (for example, …

    Execute the command batch file in the Developer Command Prompt, again with a name after the cmd. (Mine will be: CreateSslClientCert.cmd ClientCert).

    Enter the passwords in the same pattern as the server certificate and you now have your client certificate.

    You can now add it to your Current User Personal Certificate store:

    In the Microsoft Management Console, click File > Add/Remove Snap-in.

    Double-click Certificates again, but this time choose My user account

    Open the Personal folder > Right-click Certificates > Import…

    Browse for your ClientCert.pfx file

    Go next > Type in the password to your pfx file (-po parameter from the batch file) > Continue going next until finish and “The import was successful” message box appears.

    You should now see your newly imported certificate in your Personal > Certificates folder

    Again the certificate is trusted because the CARoot is trusted by Windows.

    You can now configure your client to use this certificate.
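A check for the certificates produced above, as an added example that is not part of the original post: it confirms that a .cer chains to CARoot.cer, carries the -eku OID it was issued with, and is inside its -b/-e validity window. It uses the .NET X509Chain class from PowerShell; the function name is hypothetical and the file names are the ones used in this walkthrough.

```powershell
# Added example, not from the original post; the function name is hypothetical.
function Test-DevCertificate {
    param(
        [Parameter(Mandatory)] [string] $CertPath,     # e.g. .\ServerSSL.cer
        [Parameter(Mandatory)] [string] $RootPath,     # e.g. .\CARoot.cer
        [Parameter(Mandatory)] [string] $ExpectedEku,  # the OID given to makecert -eku
        [string] $ExpectedCN                           # optional: the value after CN= in -n
    )
    $ns   = 'System.Security.Cryptography.X509Certificates'
    $cert = New-Object "$ns.X509Certificate2" (Resolve-Path $CertPath).Path
    $root = New-Object "$ns.X509Certificate2" (Resolve-Path $RootPath).Path
    $problems = @()

    # Build the chain offline with the root file as a candidate issuer. An untrusted root is
    # tolerated so this also runs before the MMC import; the thumbprint test pins the chain.
    $chain = New-Object "$ns.X509Chain"
    $chain.ChainPolicy.RevocationMode    = 'NoCheck'
    $chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
    [void]$chain.ChainPolicy.ExtraStore.Add($root)
    if (-not $chain.Build($cert)) {
        $problems += @($chain.ChainStatus | ForEach-Object { "chain: $($_.Status)" })
    }
    $top = $chain.ChainElements | Select-Object -Last 1
    if (-not $top -or $top.Certificate.Thumbprint -ne $root.Thumbprint) {
        $problems += 'chain does not end at the supplied root'
    }

    # Enhanced key usage: 1.3.6.1.5.5.7.3.1 = server auth, 1.3.6.1.5.5.7.3.2 = client auth.
    $oids = @($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } |
              ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object { $_.Value })
    if ($oids -notcontains $ExpectedEku) {
        $problems += "EKU $ExpectedEku missing (found: $($oids -join ', '))"
    }

    # Validity window set with -b and -e.
    $now = Get-Date
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        $problems += "not valid today ($($cert.NotBefore.ToString('d')) to $($cert.NotAfter.ToString('d')))"
    }
    $cn = $cert.GetNameInfo('SimpleName', $false)
    if ($ExpectedCN -and $cn -ne $ExpectedCN) { $problems += "CN is '$cn', expected '$ExpectedCN'" }
    [pscustomobject]@{ Subject = $cert.Subject; Ok = ($problems.Count -eq 0); Problems = $problems }
}

Test-DevCertificate -CertPath .\ServerSSL.cer -RootPath .\CARoot.cer -ExpectedEku '1.3.6.1.5.5.7.3.1' -ExpectedCN 'yourdomain.com'
Test-DevCertificate -CertPath .\ClientCert.cer -RootPath .\CARoot.cer -ExpectedEku '1.3.6.1.5.5.7.3.2'
```

With the -b 01/01/2014 and -e 01/01/2016 dates used in the batch files above, the validity check reports both certificates as not valid today; choose a window that covers your test period.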

    I hope the whole self signed certificate creation together with the makecert.exe generation tool feels more understandable and that you can use this knowledge for your development process. For a walk-through on setting up IIS to use your self-signed certificates check out my next blog post: http://www.jayway.com/2014/10/27/configure-iis-to-use-your-self-signed-certificates-with-your-application/

    Check out my blog post for getting self signed certificates to work with a Windows Azure cloud service: http://www.jayway.com/2015/04/21/configure-a-windows-azure-cloud-service-to-use-your-self-signed-certificates-for-iis-client-certificate-mapping-authentication/


    Take care! =)