Creating self-signed certificate using makecert.exe

I've had to create self-signed certificates on quite a few occasions over the years.
There are multiple scenarios when one might want to create these self-signed certificates. Two of the most popular tools used for certificate generation are...

  1. OpenSSL (on Windows and Linux)

  2. makecert (on Windows)

I'll cover the usage of makecert.exe in this post.

Where to get makecert.exe

  • Windows SDK
    If you have the Windows SDK installed, you can find makecert.exe at one of the following locations, depending on the SDK version...

    Version   Location
    7         C:\Program Files (x86)\Microsoft SDKs\Windows\v7.1A\bin
    8         C:\Program Files (x86)\Windows Kits\8.0\bin
    8.1       C:\Program Files (x86)\Windows Kits\8.1\bin
    10        C:\Program Files (x86)\Windows Kits\10.0\bin

  • Visual Studio (if the Visual Studio IDE is installed)
    If you are already using Visual Studio, you will find makecert.exe at one of the following locations...

    Version   Location
    2015      C:\Program Files (x86)\Windows Kits\10.0\bin
    2013      C:\Program Files (x86)\Windows Kits\8.1\bin
    2010      C:\Program Files\Microsoft SDKs\Windows\v7.0A\bin
    2008      C:\Program Files\Microsoft SDKs\Windows\v6.0A\bin
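The tables above give a fixed path per SDK or Visual Studio version, which is awkward when a script has to run on machines with different kits installed. The PowerShell function below is an added example, not part of the original post: it checks PATH first and then searches the directories from both tables. The extra `Windows Kits\10\bin` entry and the recursive search are my own additions, because newer Windows 10 SDKs place the tools in a version\architecture sub-folder rather than directly in bin.

```powershell
# Added example (not from the original post): locate makecert.exe using the
# SDK / Visual Studio directories listed in this post. Function name is mine.
function Find-MakeCert {
    # Prefer a copy already on PATH, e.g. inside a Visual Studio Developer Command Prompt.
    $onPath = Get-Command makecert.exe -ErrorAction SilentlyContinue
    if ($onPath) { return $onPath.Path }

    # Directories from the two tables above, newest kit first. The "10\bin" entry
    # is an assumption added here for newer Windows 10 SDK layouts.
    $candidates = @(
        "${env:ProgramFiles(x86)}\Windows Kits\10.0\bin",
        "${env:ProgramFiles(x86)}\Windows Kits\10\bin",
        "${env:ProgramFiles(x86)}\Windows Kits\8.1\bin",
        "${env:ProgramFiles(x86)}\Windows Kits\8.0\bin",
        "${env:ProgramFiles(x86)}\Microsoft SDKs\Windows\v7.1A\bin",
        "${env:ProgramFiles}\Microsoft SDKs\Windows\v7.0A\bin",
        "${env:ProgramFiles}\Microsoft SDKs\Windows\v6.0A\bin"
    )

    foreach ($dir in $candidates) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        # Recurse one kit at a time so a version\arch sub-folder (10.0.xxxxx.0\x64) is found too;
        # sorting the full path descending picks the highest kit version present.
        $hit = Get-ChildItem -LiteralPath $dir -Filter makecert.exe -File -Recurse -ErrorAction SilentlyContinue |
               Sort-Object FullName -Descending |
               Select-Object -First 1
        if ($hit) { return $hit.FullName }
    }

    throw 'makecert.exe not found: install a Windows SDK or open a Visual Studio Developer Command Prompt.'
}

# Usage: resolve the path once, then invoke the tool through the call operator.
$makecert = Find-MakeCert
Write-Host "Using $makecert"
# & $makecert <switches as shown in the commands below>
```

The function returns the full path of the executable, so the commands later in this post can be invoked as `& $makecert ...` from PowerShell instead of relying on a particular SDK prompt.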

Certificates are usually generated to enable HTTPS on a web server; the other common reason is client authentication.
I'll cover both of these cases:
  1. server certificates
  2. client certificates

We'll also create a Root CA certificate for signing both of these certificates.

Suppose I have a company named FunSoft that is working on a new cloud service offering called FunSoft Cloud Service.

Root CA certificate (the trailing ^ continues the command on the next line in a Windows command prompt; writing to the LocalMachine store requires an elevated prompt):

makecert.exe -r ^
             -n "CN=FunSoft Root Authority,O=FunSoft,OU=Development,L=Pune,S=MH,C=IN" ^
             -pe ^
             -ss Root ^
             -sr LocalMachine ^
             -sky signature ^
             -m 120 ^
             -a sha256 ^
             -len 2048
    Switch   Usage
    -r       Mark the certificate as self-signed.
    -n       Certificate subject name; starts with "CN=". An example value is "CN=Test Certificate".
    -pe      Mark the generated private key as exportable.
    -ss      Certificate store name. Most common options are [AuthRoot/CA/My/Root].
    -sr      Certificate store location. Valid options are [CurrentUser/LocalMachine]. Defaults to CurrentUser.
    -sky     Subject key type. Valid options are [signature/exchange/[integer]].
    -m       Number of months for the certificate validity period.
    -a       Signature algorithm. Valid options are [md5/sha1/sha256/sha384/sha512]. Defaults to sha1.
    -len     Generated key length (bits). An example value is 2048.

Note:

    Abbreviation   Full form            Example
    C              Country              IN -> India
    S              State                MH -> Maharashtra
    L              Locality             Pune
    O              Organization         FunSoft
    OU             Organizational Unit  Development
    CN             Common Name          FunSoft Root Authority

You will also find this certificate in the Certificates snap-in under
Certificates (Local Computer) => Trusted Root Certification Authorities => Certificates

Server certificate signed with Root CA

We will now create a server certificate signed with the Root CA certificate created above...

makecert -pe ^
         -n "CN=*.funsoft.com" ^
         -a sha256 ^
         -len 2048 ^
         -sky exchange ^
         -eku 1.3.6.1.5.5.7.3.1 ^
         -sp "Microsoft RSA SChannel Cryptographic Provider" ^
         -sy 12 ^
         -in "FunSoft Root Authority" ^
         -is Root ^
         -ir LocalMachine ^
         -ss My ^
         -sr LocalMachine ^
         -m 13 ^
         funSoftServerCert.cer
    Switch   Usage
    -pe      Mark the generated private key as exportable.
    -n       Certificate subject name; starts with "CN=". An example value is "CN=Test Certificate".
    -a       Signature algorithm. Valid options are [md5/sha1/sha256/sha384/sha512]. Defaults to sha1.
    -len     Generated key length (bits). An example value is 2048.
    -sky     Subject key type. Valid options are [signature/exchange/[integer]].
    -eku     Comma-separated Enhanced Key Usage, based on Microsoft's Object IDs (OIDs).
    -sp      Subject's CryptoAPI provider name.
    -sy      Subject's CryptoAPI provider type.
    -in      Issuer's certificate common name.
    -is      Issuer's certificate store name.
    -ir      Issuer's certificate store location.
    -ss      Certificate store name. Most common options are [AuthRoot/CA/My/Root].
    -sr      Certificate store location. Valid options are [CurrentUser/LocalMachine]. Defaults to CurrentUser.
    -m       Number of months for the certificate validity period.

Note:

    EKU              OID                  Use
    serverAuth       1.3.6.1.5.5.7.3.1    SSL/TLS Web Server Authentication
    clientAuth       1.3.6.1.5.5.7.3.2    SSL/TLS Web Client Authentication
    codeSigning      1.3.6.1.5.5.7.3.3    Code signing
    emailProtection  1.3.6.1.5.5.7.3.4    E-mail Protection (S/MIME)

Client certificate signed with Root CA

We can also create a client certificate for client authentication as follows...

makecert -pe ^
         -n "CN=SUN" ^
         -a sha256 ^
         -len 2048 ^
         -sky exchange ^
         -eku 1.3.6.1.5.5.7.3.2 ^
         -sp "Microsoft RSA SChannel Cryptographic Provider" ^
         -sy 12 ^
         -in "FunSoft Root Authority" ^
         -is Root ^
         -ir LocalMachine ^
         -ss My ^
         -sr LocalMachine ^
         -m 13 ^
         funSoftClientCert.cer

Observe that the only values we have changed here are -eku (clientAuth instead of serverAuth) and the CN.

One thing to note here is that you can issue client certificates with the CN value scoped either

  • per machine
    The CN value can be the machine name (or the machine FQDN if your machine is part of a domain), or

  • per user
    In this case, you can put the user name in the CN and set the -sr switch to CurrentUser.
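Once the root, server and client certificates above have been created, it is worth confirming that makecert actually produced what the switches asked for: a private key in the store, a chain that ends at the FunSoft root, the intended EKU, and the requested signature algorithm and key length. The PowerShell script below is an added example and not part of the original post. It uses the subject names, store names and EKU OIDs from the commands in this post; the function names are my own, and the `-StoreLocation` parameter lets the same check cover a per-user client certificate issued with `-sr CurrentUser`. Revocation checking is disabled because makecert certificates carry no CRL distribution point.

```powershell
# Added example (not from the original post): verify the certificates created by
# the makecert commands above. Function names and parameter defaults are mine.

function Get-IssuedCert {
    param(
        [Parameter(Mandatory)][string]$SubjectCN,
        [string]$StoreLocation = 'LocalMachine'   # use CurrentUser for per-user client certs
    )
    # -eq rather than -like: the server CN "*.funsoft.com" contains a wildcard character.
    Get-ChildItem "Cert:\$StoreLocation\My" |
        Where-Object { $_.Subject -eq "CN=$SubjectCN" } |
        Sort-Object NotBefore -Descending |
        Select-Object -First 1
}

function Test-IssuedCert {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [Parameter(Mandatory)][string]$ExpectedEkuOid,
        [string]$IssuerCN = 'FunSoft Root Authority'
    )
    $problems = @()

    # 1. The private key must be in the store (-pe stored it alongside the certificate).
    if (-not $Cert.HasPrivateKey) { $problems += 'no private key in the store' }

    # 2. The chain must build and end at our root in Trusted Root Certification Authorities.
    $root = Get-ChildItem Cert:\LocalMachine\Root |
            Where-Object { $_.Subject -like "CN=$IssuerCN*" } |
            Select-Object -First 1
    if (-not $root) {
        $problems += "root '$IssuerCN' not found in Cert:\LocalMachine\Root"
    } else {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        # makecert certificates have no CRL distribution point, so skip revocation checking.
        $chain.ChainPolicy.RevocationMode =
            [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        if (-not $chain.Build($Cert)) {
            $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
            $problems += "chain does not build: $status"
        } else {
            $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
            if ($top.Thumbprint -ne $root.Thumbprint) {
                $problems += "chain ends at '$($top.Subject)', not at the FunSoft root"
            }
        }
    }

    # 3. The Enhanced Key Usage extension must contain the OID passed to -eku.
    $ekuExt = $Cert.Extensions |
              Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekus = @()
    if ($ekuExt) { $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    if ($ekus -notcontains $ExpectedEkuOid) {
        $problems += "EKU $ExpectedEkuOid missing (found: $($ekus -join ', '))"
    }

    # 4. Signature algorithm and key size should match -a sha256 and -len 2048.
    if ($Cert.SignatureAlgorithm.FriendlyName -notmatch 'sha256') {
        $problems += "signature algorithm is $($Cert.SignatureAlgorithm.FriendlyName)"
    }
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($Cert)
    if ($rsa -and $rsa.KeySize -ne 2048) { $problems += "key size is $($rsa.KeySize)" }

    [pscustomobject]@{
        Subject    = $Cert.Subject
        Thumbprint = $Cert.Thumbprint
        NotAfter   = $Cert.NotAfter
        Valid      = ($problems.Count -eq 0)
        Problems   = $problems
    }
}

# Check the two leaf certificates issued in this post (run from an elevated prompt
# so the LocalMachine stores are readable).
$server = Get-IssuedCert -SubjectCN '*.funsoft.com'
$client = Get-IssuedCert -SubjectCN 'SUN'
Test-IssuedCert -Cert $server -ExpectedEkuOid '1.3.6.1.5.5.7.3.1'   # serverAuth
Test-IssuedCert -Cert $client -ExpectedEkuOid '1.3.6.1.5.5.7.3.2'   # clientAuth
```

Each call returns an object whose `Valid` field is true only when all four checks pass, and whose `Problems` list explains any failure; an empty `Problems` list for the server certificate means IIS or any other SChannel-based server will be able to use it for HTTPS, and for the client certificate means it will present as a clientAuth credential.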