Creating Self-signed Certificates

Sundeep Kamath

4.95/5 (4 votes)

3 Jan 2017CPOL3 min read

26.9K

How to create self-signed certificates using makecert.exe

I’ve had to create self-signed certificates on quite a few occasions over the years. There are multiple scenarios when one might want to create these self-signed certificates.
Two of the most popular tools used for certificate generation are:

openssl (on Windows and Linux)
makecert (on Windows)

I’ll cover the usage of makecert.exe in this post.

Where To Get makecert.exe

Windows SDK
IF you have Windows SDK installed, based on the version that you have installed, you can find makecert.exe at one of the following locations…

Version	Location
7	C:\Program Files (x86)\Microsoft SDKs\Windows\v7.1A\bin
8	C:\Program Files (x86)\Windows Kits\8.0\bin
8.1	C:\Program Files (x86)\Windows Kits\8.1\bin
10	C:\Program Files (x86)\Windows Kits\10.0\bin

Visual Studio (if Visual Studio IDE is installed)
In case you are already using Visual Studio, you will find makecert.exe at one of the following locations…

Version	Location
2015	C:\Program Files (x86)\Windows Kits\10.0\bin
2013	C:\Program Files (x86)\Windows Kits\8.1\bin
2010	C:\Program Files\Microsoft SDKs\Windows\v7.0A\bin\
2008	C:\Program Files\Microsoft SDKs\Windows\v6.0A\bin\

Usually, certificates are generated for enabling HTTPS on the web server. The other reason is for client authentication.
I’ll cover both these cases:

Server certificates
Client certificates

We’ll also create Root CA certificates for signing both these certificates.

Say, suppose I have a company named FunSoft which is working on a new cloud service offering called FunSoft Cloud Service.

Root CA Certificate

makecert.exe -r 
             -n "CN=FunSoft Root Authority,O=FunSoft,OU=Development,L=Pune,S=MH,C=IN" 
             -pe 
             -ss Root 
             -sr LocalMachine 
             -sky signature 
             -m 120 
             -a sha256 
             -len 2048

Switch	Use
r	Mark the certificate as self-signed.
n	Certificate subject name; starts with “`CN=`”. An example value is “`CN=Test Certificate`”.
pe	Switch to mark the generated private key as exportable.
ss	Certificate store name. Most common options are `[AuthRoot/CA/My/Root]`
sr	Certificate store location. Valid options are `[CurrentUser/LocalMachine]`. Default to ‘`CurrentUser`’
sky	Subject key type. Valid options are [signature/exchange/[integer]].
m	Number of months for the certificate validity period.
a	Signature algorithm. Valid options are [md5/sha1/sha256/sha384/sha512]. Default to ‘`sha1`’.
len	Generated Key Length (Bits). An example value is 2048.

Note

Abbreviation	Full form	Example
C	Country	IN -> India
S	State	MH-> Maharashtra
L	Locality	Pune
O	Organization	FunSoft
OU	OrganizationalUnit	Development
CN	Common Name	FunSoft Root Authority

You will also find this in the certificates snap-in at
Certificates(Local Computer) => Trusted Root Certification Authorities => Certificates

Server Certificate Signed with Root CA

We will now create a server certificate signed with the Root CA certificate created above…

makecert -pe 
         -n "CN=*.funsoft.com" 
         -a sha256 
         -len 2048 
         -sky exchange 
         -eku 1.3.6.1.5.5.7.3.1 
         -sp "Microsoft RSA SChannel Cryptographic Provider" 
         -sy 12 
         -in "FunSoft Root Authority" 
         -is Root 
         -ir LocalMachine 
         -ss My 
         -sr LocalMachine 
         -m 13
         funSoftServerCert.cer

Switch	Use
pe	Switch to mark the generated private key as exportable.
n	Certificate subject name; starts with “`CN=`”. An example value is “`CN=Test Certificate`”.
a	Signature algorithm. Valid options are [md5/sha1/sha256/sha384/sha512]. Default to ‘`sha1`’.
len	Generated Key Length (Bits). An example value is 2048.
sky	Subject key type. Valid options are [signature/exchange/[integer]].
eku	Comma separated Enhanced Key Usage based on Microsoft’s Object IDs (OIDs)
sp	Subject’s CryptoAPI provider’s name
sy	Subject’s CryptoAPI provider’s type
in	Issuers certificate common name
is	Issuers certificate store name
ir	Issuers certificate store location
ss	Certificate store name. Most common options are [AuthRoot/CA/My/Root]
sr	Certificate store location. Valid options are [CurrentUser/LocalMachine]. Default to ‘`CurrentUser`’
m	Number of months for the certificate validity period.

Note:

EKU	OID	Use
`serverAuth`	1.3.6.1.5.5.7.3.1	SSL/TLS Web Server Authentication
`clientAuth`	1.3.6.1.5.5.7.3.2	SSL/TLS Web Client Authentication
`codeSigning`	1.3.6.1.5.5.7.3.3	Code signing
`emailProtection`	1.3.6.1.5.5.7.3.4	E-mail Protection (S/MIME)

Client Certificate Signed with Root CA

We can also create a client certificate for client authentication as follows…

makecert -pe 
         -n "CN=SUN" 
         -a sha256 
         -len 2048 
         -sky exchange 
         -eku 1.3.6.1.5.5.7.3.2 
         -sp "Microsoft RSA SChannel Cryptographic Provider" 
         -sy 12 
         -in "FunSoft Root Authority" 
         -is Root 
         -ir LocalMachine 
         -ss My 
         -sr LocalMachine 
         -m 13
         funSoftClientCert.cer

Observe that the only value we have changed here is eku and CN.

Now, one thing to note here is that you could issue client certificates with CN value scoped at:

per machine or
The CN value can be the machine name (you could also have the machine FQDN if your machine is part of a domain).
per user
In this case, you could have the user name in CN and set the -sr switch to CurrentUser.

References

The post Creating self-signed certificates appeared first on Sundeep Kamath's blog.

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)