
Creating Self-signed Certificates

3 Jan 2017, CPOL
How to create self-signed certificates using makecert.exe

I’ve had to create self-signed certificates on quite a few occasions over the years. There are multiple scenarios when one might want to create these self-signed certificates.
Two of the most popular tools used for certificate generation are:

  1. openssl (on Windows and Linux)
  2. makecert (on Windows)

I’ll cover the usage of makecert.exe in this post.

Where To Get makecert.exe

  • Windows SDK
    If you have the Windows SDK installed, you can find makecert.exe at one of the following locations, depending on the version you have installed…

    Version   Location
    7         C:\Program Files (x86)\Microsoft SDKs\Windows\v7.1A\bin
    8         C:\Program Files (x86)\Windows Kits\8.0\bin
    8.1       C:\Program Files (x86)\Windows Kits\8.1\bin
    10        C:\Program Files (x86)\Windows Kits\10.0\bin
  • Visual Studio (if the Visual Studio IDE is installed)
    In case you are already using Visual Studio, you will find makecert.exe at one of the following locations…

    Version   Location
    2015      C:\Program Files (x86)\Windows Kits\10.0\bin
    2013      C:\Program Files (x86)\Windows Kits\8.1\bin
    2010      C:\Program Files\Microsoft SDKs\Windows\v7.0A\bin\
    2008      C:\Program Files\Microsoft SDKs\Windows\v6.0A\bin\

Certificates are usually generated to enable HTTPS on a web server; the other common reason is client authentication.
I’ll cover both of these cases:

  1. Server certificates
  2. Client certificates

We’ll also create Root CA certificates for signing both these certificates.

Suppose I have a company named FunSoft that is working on a new cloud service offering called FunSoft Cloud Service.

Root CA Certificate

makecert.exe -r 
             -n "CN=FunSoft Root Authority,O=FunSoft,OU=Development,L=Pune,S=MH,C=IN" 
             -pe 
             -ss Root 
             -sr LocalMachine 
             -sky signature 
             -m 120 
             -a sha256 
             -len 2048 
Switch   Use
-r       Mark the certificate as self-signed.
-n       Certificate subject name; starts with “CN=”. An example value is “CN=Test Certificate”.
-pe      Mark the generated private key as exportable.
-ss      Certificate store name. Most common options are [AuthRoot/CA/My/Root].
-sr      Certificate store location. Valid options are [CurrentUser/LocalMachine]. Defaults to ‘CurrentUser’.
-sky     Subject key type. Valid options are [signature/exchange/[integer]].
-m       Number of months for the certificate validity period.
-a       Signature algorithm. Valid options are [md5/sha1/sha256/sha384/sha512]. Defaults to ‘sha1’.
-len     Generated key length (bits). An example value is 2048.

Note: the components of the subject name used above are:

Abbreviation   Full form            Example
C              Country              IN -> India
S              State                MH -> Maharashtra
L              Locality             Pune
O              Organization         FunSoft
OU             Organizational Unit  Development
CN             Common Name          FunSoft Root Authority

You will also find this certificate in the Certificates snap-in at
Certificates (Local Computer) => Trusted Root Certification Authorities => Certificates

Server Certificate Signed with Root CA

We will now create a server certificate signed with the Root CA certificate created above…

makecert -pe 
         -n "CN=*.funsoft.com" 
         -a sha256 
         -len 2048 
         -sky exchange 
         -eku 1.3.6.1.5.5.7.3.1 
         -sp "Microsoft RSA SChannel Cryptographic Provider" 
         -sy 12 
         -in "FunSoft Root Authority" 
         -is Root 
         -ir LocalMachine 
         -ss My 
         -sr LocalMachine 
         -m 13
         funSoftServerCert.cer 
Switch   Use
-pe      Mark the generated private key as exportable.
-n       Certificate subject name; starts with “CN=”. An example value is “CN=Test Certificate”.
-a       Signature algorithm. Valid options are [md5/sha1/sha256/sha384/sha512]. Defaults to ‘sha1’.
-len     Generated key length (bits). An example value is 2048.
-sky     Subject key type. Valid options are [signature/exchange/[integer]].
-eku     Comma-separated Enhanced Key Usage values, based on Microsoft’s Object IDs (OIDs).
-sp      Subject’s CryptoAPI provider name.
-sy      Subject’s CryptoAPI provider type.
-in      Issuer’s certificate common name.
-is      Issuer’s certificate store name.
-ir      Issuer’s certificate store location.
-ss      Certificate store name. Most common options are [AuthRoot/CA/My/Root].
-sr      Certificate store location. Valid options are [CurrentUser/LocalMachine]. Defaults to ‘CurrentUser’.
-m       Number of months for the certificate validity period.

Note: the most common EKU OIDs are:

EKU               OID                  Use
serverAuth        1.3.6.1.5.5.7.3.1    SSL/TLS Web Server Authentication
clientAuth        1.3.6.1.5.5.7.3.2    SSL/TLS Web Client Authentication
codeSigning       1.3.6.1.5.5.7.3.3    Code signing
emailProtection   1.3.6.1.5.5.7.3.4    E-mail Protection (S/MIME)

Client Certificate Signed with Root CA

We can also create a client certificate for client authentication as follows…

makecert -pe 
         -n "CN=SUN" 
         -a sha256 
         -len 2048 
         -sky exchange 
         -eku 1.3.6.1.5.5.7.3.2 
         -sp "Microsoft RSA SChannel Cryptographic Provider" 
         -sy 12 
         -in "FunSoft Root Authority" 
         -is Root 
         -ir LocalMachine 
         -ss My 
         -sr LocalMachine 
         -m 13
         funSoftClientCert.cer 

Observe that the only values we have changed here are eku and CN.

Now, one thing to note here is that you can issue client certificates with the CN value scoped either:

  • per machine
    The CN value can be the machine name (you could also use the machine’s FQDN if your machine is part of a domain).
  • per user
    In this case, you could put the user name in CN and set the -sr switch to CurrentUser.
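Once the root, server and client certificates above are in the stores, it is worth confirming that the switches actually produced what the tables say. The following PowerShell script is an added example (not part of the original post): it assumes the LocalMachine stores, the issuer CN “FunSoft Root Authority” and the subjects “*.funsoft.com” and “SUN” used in this post, and it reports the signature algorithm, key length, EKU, validity and whether each leaf chains to our root.

```powershell
# Added example (not part of the original post): verify that the certificates created by the makecert
# commands above carry the properties their switches set. Assumes this post's LocalMachine stores and names.
param(
    [string]$IssuerCN   = 'FunSoft Root Authority',
    [string[]]$Subjects = @('*.funsoft.com', 'SUN')
)
$ekuNames = @{ '1.3.6.1.5.5.7.3.1' = 'serverAuth'; '1.3.6.1.5.5.7.3.2' = 'clientAuth' }

# -ss Root -sr LocalMachine: the self-signed root must sit in Trusted Root Certification Authorities
$root = Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -like "CN=$IssuerCN,*" -and $_.Subject -eq $_.Issuer }
if (-not $root) { throw "Root CA 'CN=$IssuerCN' not found in LocalMachine\Root" }

foreach ($cn in $Subjects) {
    # -ss My -sr LocalMachine with -in "<issuer CN>": leaf certificates live in the Personal store
    $cert = Get-ChildItem Cert:\LocalMachine\My |
            Where-Object { ($_.Subject -eq "CN=$cn" -or $_.Subject -like "CN=$cn,*") -and
                           $_.Issuer -like "CN=$IssuerCN,*" } |
            Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { Write-Warning "No CN=$cn certificate issued by $IssuerCN in LocalMachine\My"; continue }

    # -eku: read the Enhanced Key Usage extension and map its OIDs to the names in the table above
    $ekuExt = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekus = @()
    if ($ekuExt) { $ekus = $ekuExt.EnhancedKeyUsages | ForEach-Object {
        if ($ekuNames.ContainsKey($_.Value)) { $ekuNames[$_.Value] } else { $_.Value } } }

    # -len: RSA modulus size of the public key
    $rsa     = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
    $keyBits = if ($rsa) { $rsa.KeySize } else { $null }

    # -in/-is/-ir: build the chain and confirm it terminates at our root.
    # makecert publishes no CRL, so revocation checking is switched off.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $built = $chain.Build($cert)
    $top   = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Thumbprint
    [pscustomobject]@{
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        SignatureAlg  = $cert.SignatureAlgorithm.FriendlyName   # -a sha256 -> sha256RSA
        KeyBits       = $keyBits                                # -len 2048 -> 2048
        EKU           = ($ekus -join ',')                       # serverAuth / clientAuth
        HasPrivateKey = $cert.HasPrivateKey                     # private key is associated with the cert
        MonthsValid   = [math]::Round(($cert.NotAfter - $cert.NotBefore).TotalDays / 30.44)  # -m 13
        ChainsToRoot  = ($built -and ($root.Thumbprint -contains $top))
    }
}
```

Run it from an elevated PowerShell prompt, since reading LocalMachine\My and its private keys requires administrator rights; a ChainsToRoot of False means the leaf was not actually signed by the root in Trusted Root Certification Authorities.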

References

The post Creating self-signed certificates appeared first on Sundeep Kamath's blog.

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)