IT:AD:MakeCert

Summary

This approach is fine – but in the era of IT:AD:Powershell it has been supplanted by the following approach:

Process

Prerequisites

The MakeCert utility can be accessed via one of the following ways:

  • Install the Windows SDK, and you'll find it in the Bin directory.
  • Download Fiddler, and find it here: C:\Program Files (x86)\Fiddler2\makecert.exe

Open a Cmd prompt with Elevated Privileges.

Documentation

MakeCert's switches can be determined by using makecert -! (or makecert -? for a shorter list).

Create a Self Signed Server Cert

    # -n   [..]  Canonical Name (eg: 'CN=localhost')
    # -r         self-signed
    # -pe        make private key exportable
    # -sv  [..]  Create Subject's Private Key (PVK) file (not sure why one would *not* create this)
    # -sr  [..]  Subject's Cert Store location (eg: CurrentUser|LocalMachine)
    # -ss  [..]  Subject's Cert Store name (eg: ROOT|MY)
    # -m   [..]  The number of Months the cert is valid for (eg: 84) (or use -b and -e as follows: -b 01/01/2007 -e 01/01/2010)
    # -sky [..]  Purpose (eg: 'signature' or 'exchange')
    # -a   [..]  The algorithm to use: sha256|sha384|sha512

    # And if making a child cert, you'll need
    # -ic  [...] the issuer's certificate file (eg: parent.cer)
    # -iv  [...] the issuer's key file (eg: parent.pvk)
    # -eku [...] CSV of Enhanced Key Usage OIDs (eg: 1.3.6.1.5.5.7.3.1 for server auth, 1.3.6.1.5.5.7.3.2 for client auth, 1.3.6.1.5.5.7.3.3 for code signing)

    # make the self-signed cert (you'll be prompted for a pwd to secure the *.pvk)
    makecert -n "CN=localhost" -a sha512 -sky exchange -m 84 -r -pe -sv localhost.pvk localhost.cer

    # Use pvk2pfx.exe to combine both files into one *.pfx for easier distribution.
    pvk2pfx.exe -pvk localhost.pvk -spc localhost.cer -pfx localhost.pfx

    # Certs can be installed in a cert store manually using mmc.exe, with certutil, or at creation time via -sr/-ss:
    # certutil.exe -f -addstore MY localhost.cer
    # or
    # makecert -n "CN=localhost" -a sha512 -sky exchange -m 84 -r -pe -sv localhost.pvk -sr LocalMachine -ss ROOT localhost.cer

Create a Self Signed CA + Server Cert

Making a self-signed CA and using it to create an SSL cert is identical to the above – bar the name itself, and the subsequent generation of a child cert from it:

    # Use the same switches as before, but when you do the child cert, you'll also need:
    # -ic  [...] the issuer's certificate file (eg: parent.cer)
    # -iv  [...] the issuer's key file (eg: parent.pvk)
    # -eku [...] CSV of Enhanced Key Usage OIDs (eg: 1.3.6.1.5.5.7.3.1 for server auth and 1.3.6.1.5.5.7.3.2 for client auth)

    # make the self-signed CA cert (you'll be prompted for a pwd to secure the *.pvk)
    makecert -n "CN=demoCA" -a sha512 -sky exchange -m 84 -r -pe -sv demoCA.pvk demoCA.cer

    # Optionally, use pvk2pfx.exe to combine both files into one *.pfx for easier distribution.
    pvk2pfx.exe -pvk demoCA.pvk -spc demoCA.cer -pfx demoCA.pfx

    # The CA cert can be installed in the Trusted Root store manually using mmc.exe, with certutil, or at creation time via -sr/-ss:
    # certutil.exe -f -addstore ROOT demoCA.cer
    # or
    # makecert -n "CN=demoCA" -a sha512 -sky exchange -m 84 -r -pe -sv demoCA.pvk -sr LocalMachine -ss ROOT demoCA.cer


    # -----------------------------------

    # Make a child (server) cert, based on the above 'CA' (notice missing -r).
    # EKU 1.3.6.1.5.5.7.3.1 is id-kp-serverAuth (see the EKU list in the FAQs below).
    makecert -n "CN=localhost" -a sha512 -sky exchange -m 84 -pe -sv localhost.pvk -ic demoCA.cer -iv demoCA.pvk -eku 1.3.6.1.5.5.7.3.1 localhost.cer

    # Use pvk2pfx.exe to combine both files into one *.pfx for easier distribution.
    pvk2pfx.exe -pvk localhost.pvk -spc localhost.cer -pfx localhost.pfx


    # The server cert can be installed in the MY (Personal) store manually using mmc.exe, with certutil, or at creation time via -sr/-ss:
    # certutil.exe -f -addstore MY localhost.cer
    # or
    # makecert -n "CN=localhost" -a sha512 -sky exchange -m 84 -pe -sv localhost.pvk -ic demoCA.cer -iv demoCA.pvk -eku 1.3.6.1.5.5.7.3.1 -sr LocalMachine -ss MY localhost.cer
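Before installing anything, it is worth checking what the makecert/pvk2pfx steps above actually produced. The following PowerShell is an added example, not part of the original page; it assumes demoCA.cer and localhost.pfx (the file names used above) are in the current directory, and the hypothetical function name Test-MakeCertChain is mine.

```powershell
# Added example (not from the original page): inspect the CA + server cert pair
# built with makecert/pvk2pfx above. Assumes .\demoCA.cer and .\localhost.pfx.
function Test-MakeCertChain {
    param(
        [string]$CaCerPath   = '.\demoCA.cer',
        [string]$LeafPfxPath = '.\localhost.pfx',
        [string]$ExpectedEku = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth
    )
    $ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
        ((Resolve-Path $CaCerPath).Path)
    # Get-PfxCertificate prompts for the password chosen when the *.pfx was built
    $leaf = Get-PfxCertificate -FilePath $LeafPfxPath

    # EKU OIDs actually present in the leaf, read from the 2.5.29.37 extension
    $ekus = @($leaf.Extensions |
        Where-Object { $_.Oid.Value -eq '2.5.29.37' } |
        ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object Value })

    # Build the chain with the CA offered as an extra store. A status of
    # UntrustedRoot means demoCA.cer is not yet in the Trusted Root (ROOT) store.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # makecert certs carry no CRL/OCSP info
    [void]$chain.ChainPolicy.ExtraStore.Add($ca)
    $built = $chain.Build($leaf)

    [pscustomobject]@{
        CaIsSelfSigned    = ($ca.Subject -eq $ca.Issuer)
        LeafIssuedByCa    = ($leaf.Issuer -eq $ca.Subject)
        LeafHasPrivateKey = $leaf.HasPrivateKey
        LeafSignatureAlg  = $leaf.SignatureAlgorithm.FriendlyName   # sha512RSA expected
        LeafEkus          = $ekus
        HasExpectedEku    = ($ekus -contains $ExpectedEku)
        LeafNotAfter      = $leaf.NotAfter
        ChainBuilt        = $built
        ChainStatus       = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
    }
}

Test-MakeCertChain | Format-List
```

If HasExpectedEku is False the cert was cut with the client-auth OID (1.3.6.1.5.5.7.3.2) instead of server-auth, which browsers will reject for an HTTPS endpoint.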

FAQs:

  • Why prompted twice?
    • You'll be prompted to create the password to the private key (*.pvk) – and then prompted again, in order to use the private key in order to make the cert.
  • Where do I put the certs?
    • self-signed CA Certs are installed in the Trusted Root (key word is 'ROOT').
    • your certs are saved in MY
  • Where the heck does MakeCert put em, eh?
  • What EKU Options are there?
    • 1.3.6.1.5.5.7.3.1 - id-kp-serverAuth
    • 1.3.6.1.5.5.7.3.2 - id-kp-clientAuth
    • 1.3.6.1.5.5.7.3.3 - id-kp-codeSigning
    • 1.3.6.1.5.5.7.3.4 - id-kp-emailProtection
    • 1.3.6.1.5.5.7.3.5 - id-kp-ipsecEndSystem
    • 1.3.6.1.5.5.7.3.6 - id-kp-ipsecTunnel
    • 1.3.6.1.5.5.7.3.7 - id-kp-ipsecUser
    • 1.3.6.1.5.5.7.3.8 - id-kp-timeStamping
    • 1.3.6.1.5.5.7.3.9 - id-kp-OCSPSigning
    • 1.3.6.1.4.1.311.10.3.4 - Encrypting File System
    • 1.3.6.1.4.1.311.20.2.2 - Smart Card Logon
    • 1.3.6.1.5.5.7.3.2 - Client Authentication
    • 1.3.6.1.5.5.8.2.2 - IP security IKE intermediate

Installing Certs

For a local identity to have rights to the private key of a cert in MY, the imported cert has to be right-clicked and that specific account given rights to the key (eg: in IIS, the AppPool account, eg: IIS Svc.AP).

Resources