7/24/2019 Creating Self-Signed Certificates With MakeCert.exe for Development
Creating Self-Signed Certificates With MakeCert.exe for Development
If you've ever had the need of creating self signed certificates you may start out feeling like it's not a
straightforward stroll in the park, so here is a blog post that might help you to get started. I will be going
through the basics of creating self signed X.509 certificates (Root, server & client) using makecert.exe.
For the complete makecert.exe parameter reference, see http://msdn.microsoft.com/en-us/library/bfsktky3(v=vs.110).aspx.
I'm using a PC with Windows 8.1 Pro and Visual Studio Premium 2013.
Certificate Authority (CA)
Normally most companies would just buy their certificates from a trusted third party certificate authority
such as GoDaddy or Verisign, but for development and testing, this might not be the first thing one wants
to do. Instead you can create your own self signed certificates, starting with a root CA that can be used to
sign other certificates (for example SSL certificates for servers and clients). When you do this, the
certificates are not trusted by default. You must therefore add the root CA to your machine's Trusted Root Certification Authorities Store through the Microsoft Management Console.
NOTE: You can add these two parameters: -sr LocalMachine ^ and -ss Root ^ to the upcoming command
batch file, if you want to install the certificate directly into the LocalMachine's Trusted Root Certification
Authorities. BE SURE to run the Developer Command Prompt as administrator or it will fail. We will
however go through how to do this manually so you get a more basic understanding.
The ^ symbol I add to the following cmd batch files means that the command continues on the next line. Open an empty Notepad document and copy and paste the following into Notepad:

makecert.exe ^
-n "CN=CARoot" ^
-r ^
-pe ^
-a sha512 ^
-len 4096 ^
-cy authority ^
-sv CARoot.pvk ^
CARoot.cer

pvk2pfx.exe ^
-pvk CARoot.pvk ^
-spc CARoot.cer ^
-pfx CARoot.pfx ^
-po Test123

This may or may not look a bit frightening or incomprehensible at first, but let me walk you through what
is going on here: First we create a certificate with makecert.exe, then we use pvk2pfx.exe to copy the
public key and private key information from the .pvk and .cer into a .pfx (personal information exchange)
file.
NOTE: Never share your root .pvk or .pfx files if you want to stay secure!
The .pvk file contains your private key for your .cer certificate and the .pfx file contains both the
certificate .cer and the private key .pvk, which means that others can sign new certificates with your
certificate without your consent. The only file you can share is the .cer file, which only contains the public
key.
The makecert.exe parameters:
-n =MyOrganization,OU=Dev,C=Denmark" and so on. Reference:
CN = commonName (for example,
Open a Visual Studio Developer Command Prompt, this is where makecert.exe lives, and navigate to the
folder that contains the batch file and run the cmd file.
It should now prompt you to enter some passwords. (This is where we create and use the .pvk private key, so these need to match for success).
You should now have 3 new files: CARoot.cer, CARoot.pfx and CARoot.pvk in the folder where your batch
files are.
Making It Trusted
(This is a manual walk through if you didn't include the -sr and -ss parameters) Open your new CARoot.cer
file by double clicking it and see that it is not trusted.
To make it trusted on your machine open up the Microsoft Management Console. (Find it by searching for
mmc in start)
Go to File > Add/Remove Snap-in. Double-click Certificates in the list to the left.
Choose Computer account and just go next, finish and OK.
Open the Trusted Root Certification Authorities > Certificates
Here you can see all of the currently trusted certificates that Windows trusts. (A lot of them ship with
Windows out of the box).
Now right-click the Certificates folder > All tasks > Import…
The Certificate Import Wizard will pop up.
Go next > Browse to find the CARoot.cer file we created earlier.
Keep going next until finish where a message box should appear saying "The import was successful". Open the CARoot (double-click) and see that it is now trusted by your computer.
Server Certificates
Next up we need a certificate to handle SSL on the server. We will create this with a new command batch
file in notepad just like before, this time with these parameters:

makecert.exe ^
-n "CN=yourdomain.com" ^
-iv CARoot.pvk ^
-ic CARoot.cer ^
-pe ^
-a sha512 ^
-len 4096 ^
-b 01/01/2014 ^
-e 01/01/2016 ^
-sky exchange ^
-eku 1.3.6.1.5.5.7.3.1 ^
-sv %1.pvk ^
%1.cer

pvk2pfx.exe ^
-pvk %1.pvk ^
-spc %1.cer ^
-pfx %1.pfx ^
-po Test123

NOTE: The CN must match your domain otherwise the browsers won't trust your SSL certificate and warn
the end user not to proceed to your website. You will recognize most of the parameters, but let me explain the new ones:
-n
Run it in your Developer Command Prompt the same way as before, only this time type in a name for your
certificate after the command. Mine will be: CreateSslServerCert.cmd ServerSSL.
Again it will ask you to create your private key password, use it to verify, also give the issuer's
password (which is the one you chose when creating your root CA) and lastly the private key password you chose in the first window.
…aaand voila you now have the ServerSSL certificate files.
If you didn't include the -sr and -ss parameters, import the Personal Information Exchange (pfx) certificate
into your Personal Certificates in the Microsoft Management Console:
Open the Personal folder > right-click Certificates > Import…
Again the Certificate Import Wizard pops up > Go Next
This time you will Browse for the ServerSSL.pfx file
Go next > Type in the password for your pfx file (The -po parameter from the batch file) > Continue going
next until finish and the message box with "The import was successful" appears.
You should now see your newly imported certificate in your Personal > Certificates folder.
It is trusted automatically because your CARoot that signed it is trusted and has a private key
corresponding to this certificate.
You can now configure your server to use this certificate.
Client Certificates
Last but not least we will create the client certificate which can be used for client certificate
authentication. We will again create a command batch file, now with the following parameters:

makecert.exe ^
-n "CN=%1" ^
-iv CARoot.pvk ^
-ic CARoot.cer ^
-pe ^
-a sha512 ^
-len 4096 ^
-b 01/01/2014 ^
-e 01/01/2016 ^
-sky exchange ^
-eku 1.3.6.1.5.5.7.3.2 ^
-sv %1.pvk ^
%1.cer

pvk2pfx.exe ^
-pvk %1.pvk ^
-spc %1.cer ^
-pfx %1.pfx ^
-po Test123

You may notice that this is almost identical to the server certificate parameters, all except:
U=Dev,C=Denmark" and so on. Reference:
CN = commonName (for example,
Execute the command batch file in the Developer Command Prompt, again with a name after the cmd.
(Mine will be: CreateSslClientCert.cmd ClientCert).
Enter the passwords in the same pattern as the server certificate and you now have your client certificate.
You can now add it to your Current User Personal Certificate store:
In the Microsoft Management Console, click File > Add/Remove Snap-in.
Double-click Certificates again, but this time choose My user account
Open the Personal folder > Right-click Certificates > Import…
Browse for your ClientCert.pfx file
Go next > Type in the password to your pfx file (-po parameter from the batch file) > Continue going next
until finish and "The import was successful" message box appears.
You should now see your newly imported certificate in your Personal > Certificates folder
Again the certificate is trusted because the CARoot is trusted by Windows.
You can now configure your client to use this certificate.
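To check what the server and client sections above produce, this added example (not part of the original post) loads a .cer file and reports whether it was issued by CARoot, carries the -eku OID for its role, has the expected key length, is inside its validity window and chains to a trusted root. The function name Test-DevCertificate and its parameters are hypothetical; the file names assume the batch files were run with ServerSSL and ClientCert as shown.

```powershell
# Added example, not from the original post. Test-DevCertificate and its
# parameters are hypothetical names; file names follow the batch files above.
function Test-DevCertificate {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][ValidateSet('Server', 'Client')][string]$Role,
        [string]$ExpectedIssuer = 'CN=CARoot',   # -n value used for the root CA
        [int]$MinKeyBits = 4096                  # -len value used in the batch files
    )
    # -eku values from the batch files: server authentication / client authentication
    $roleOid = @{ Server = '1.3.6.1.5.5.7.3.1'; Client = '1.3.6.1.5.5.7.3.2' }[$Role]

    $file = (Resolve-Path -LiteralPath $Path).ProviderPath
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($file)

    # Collect the OIDs from the Enhanced Key Usage extension (2.5.29.37), if present
    $ekuOids = @()
    foreach ($ext in $cert.Extensions) {
        if ($ext.Oid.Value -eq '2.5.29.37') {
            $ekuOids += @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
        }
    }

    # No CRL was ever published for CARoot, so skip the revocation lookup
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $trusted = $chain.Build($cert)
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
    $now = Get-Date
    [pscustomobject]@{
        Subject       = $cert.Subject
        IssuerMatches = ($cert.Issuer -eq $ExpectedIssuer)
        HasRoleEku    = ($ekuOids -contains $roleOid)
        KeyBitsOk     = ($rsa.KeySize -ge $MinKeyBits)
        Signature     = $cert.SignatureAlgorithm.FriendlyName
        NotAfter      = $cert.NotAfter
        InValidity    = (($cert.NotBefore -le $now) -and ($now -le $cert.NotAfter))
        ChainTrusted  = $trusted
        ChainRoot     = $root.Subject
        ChainErrors   = (@($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
    }
}

# Run in the folder that holds the files produced by the batch files
Test-DevCertificate -Path .\ServerSSL.cer -Role Server
Test-DevCertificate -Path .\ClientCert.cer -Role Client
```

With the -b and -e dates shown in the batch files, InValidity is False today and ChainErrors lists NotTimeValid, so use current dates when you generate the certificates. ChainErrors shows UntrustedRoot on a machine where CARoot.cer has not been imported into a trusted root store.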
I hope the whole self signed certificate creation together with the makecert.exe generation tool feels more
understandable and that you can use this knowledge for your development process. For a walk-through
on setting up IIS to use your self-signed certificates check out my next blog
post: http://www.jayway.com/2014/10/27/configure-iis-to-use-your-self-signed-certificates-with-your-application/
Check out my blog post for getting self signed certificates to work with a Windows Azure cloud
service: http://www.jayway.com/2015/04/21/configure-a-windows-azure-cloud-service-to-use-your-self-signed-certificates-for-iis-client-certificate-mapping-authentication/
Take care! =)