IT:AD:MakeCert

The MakeCert utility can be accessed via one of the following ways:

  • Install the Windows SDK, and you'll find it in the Bin directory.
  • Download Fiddler, and find it here: C:\Program Files (x86)\Fiddler2\makecert.exe

Open a Cmd prompt with Elevated Privileges.

MakeCert's switches can be determined by using makecert -! (or makecert -? for a shorter list).

    # -n [..]    Subject name (eg: "CN=localhost")
    # -r         self-signed
    # -pe        make private key exportable
    # -sv  [..]  Create Subject's Private Key (PVK) file (not sure why one would *not* create this)
    # -sr  [..]  Subject's Cert Store location (eg: LocalMachine or CurrentUser)
    # -ss  [..]  Subject's Cert Store name (eg: ROOT or MY)
    # -m   [..]  The number of Months the cert is valid for (eg: 84) (or use -b and -e as follows: -b 01/01/2007 -e 01/01/2010)
    # -sky [..]  Purpose (eg: 'signature' or 'exchange')
    # -a   [..]  The algorithm to use sha256|sha384|sha512

    # And if making a child cert, you'll need
    # -ic  [...] the issuer's certificate file (eg: parent.cer)
    # -iv  [...] the issuer's key file (eg: parent.pvk)
    # -eku [...] CSV of Enhanced Key Usage OIDs (eg: 1.3.6.1.5.5.7.3.1 for servers, 1.3.6.1.5.5.7.3.2 for clients, 1.3.6.1.5.5.7.3.3 for code signing)

    # make the self-signed cert (you'll be prompted for a pwd to secure the *.pvk)
    makecert -n "CN=localhost" -a sha512 -sky exchange -m 84 -r -pe -sv localhost.pvk localhost.cer

    # Use pvk2pfx.exe to combine both files into one *.pfx for easier distribution.
    pvk2pfx.exe -pvk localhost.pvk -spc localhost.cer -pfx localhost.pfx

    # Certs can be installed in a cert store manually using mmc.exe, with certutil, or at creation time by passing -sr/-ss to makecert:
    # certutil.exe -f -addstore MY localhost.cer
    # or
    # makecert -n "CN=localhost" -a sha512 -sky exchange -m 84 -r -pe -sv localhost.pvk -sr LocalMachine -ss ROOT localhost.cer

Making a self-signed CA and using it to create an SSL cert is identical to the above – bar the name itself, and the subsequent generation of a child cert signed by it:

    # Use the same switches as before, but when you do the child cert, you'll also need:
    # -ic  [...] the issuer's certificate file (eg: parent.cer)
    # -iv  [...] the issuer's key file (eg: parent.pvk)
    # -eku [...] CSV of Enhanced Key Usage OIDs (eg: 1.3.6.1.5.5.7.3.1 for servers and 1.3.6.1.5.5.7.3.2 for clients)

    # make the self-signed CA cert (you'll be prompted for a pwd to secure the *.pvk)
    makecert -n "CN=demoCA" -a sha512 -sky exchange -m 84 -r -pe -sv demoCA.pvk demoCA.cer

    # Optionally, use pvk2pfx.exe to combine both files into one *.pfx for easier distribution.
    pvk2pfx.exe -pvk demoCA.pvk -spc demoCA.cer -pfx demoCA.pfx

    # Certs can be installed in a cert store manually using mmc.exe, with certutil, or at creation time by passing -sr/-ss to makecert.
    # The CA cert goes into the Trusted Root store (ROOT):
    # certutil.exe -f -addstore ROOT demoCA.cer
    # or
    # makecert -n "CN=demoCA" -a sha512 -sky exchange -m 84 -r -pe -sv demoCA.pvk -sr LocalMachine -ss ROOT demoCA.cer


    # -----------------------------------

    # Make a child cert, based on the above 'CA' (notice missing -r).
    # An SSL server cert needs the serverAuth EKU, 1.3.6.1.5.5.7.3.1 (1.3.6.1.5.5.7.3.2 is clientAuth):
    makecert -n "CN=localhost" -a sha512 -sky exchange -m 84 -pe -sv localhost.pvk -ic demoCA.cer -iv demoCA.pvk -eku 1.3.6.1.5.5.7.3.1 localhost.cer

    # Use pvk2pfx.exe to combine both files into one *.pfx for easier distribution.
    pvk2pfx.exe -pvk localhost.pvk -spc localhost.cer -pfx localhost.pfx

    # The child cert goes into the personal store (MY); install it manually using mmc.exe, with certutil, or at creation time with -sr/-ss:
    # certutil.exe -f -addstore MY localhost.cer
    # or
    # makecert -n "CN=localhost" -a sha512 -sky exchange -m 84 -pe -sv localhost.pvk -ic demoCA.cer -iv demoCA.pvk -eku 1.3.6.1.5.5.7.3.1 -sr LocalMachine -ss MY localhost.cer
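Before installing anything, it is worth confirming that the child cert really chains to demoCA, carries the server-authentication EKU, and was imported together with its private key. The following PowerShell check is an added example, not part of the wiki page or of MakeCert; it assumes demoCA.cer and localhost.cer from the commands above are in the current directory and runs in Windows PowerShell 5.1 or later:

```powershell
# Added example (not from the wiki): sanity-check what makecert produced.
# Assumes demoCA.cer and localhost.cer sit in the current directory.
Add-Type -AssemblyName System.Security
$X509 = 'System.Security.Cryptography.X509Certificates'

$ca   = New-Object "$X509.X509Certificate2" (Resolve-Path .\demoCA.cer).Path
$leaf = New-Object "$X509.X509Certificate2" (Resolve-Path .\localhost.cer).Path

# 1. The child's issuer must be the CA's subject.
if ($leaf.Issuer -ne $ca.Subject) {
    throw "localhost.cer was not issued by demoCA (issuer is '$($leaf.Issuer)')"
}

# 2. A server (SSL) cert needs id-kp-serverAuth; clientAuth-only is a common mix-up.
$ekuExt  = $leaf.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }   # extKeyUsage
$ekuOids = @()
if ($ekuExt) { $ekuOids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
if ($ekuOids -notcontains '1.3.6.1.5.5.7.3.1') {
    throw "Missing serverAuth EKU; found: $($ekuOids -join ', ')"
}

# 3. Validity window and signature algorithm (sha512RSA for the commands above).
if ($leaf.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($leaf.NotAfter)" }
if ($leaf.SignatureAlgorithm.FriendlyName -notmatch 'sha(256|384|512)') {
    throw "Weak signature algorithm: $($leaf.SignatureAlgorithm.FriendlyName)"
}

# 4. Build the chain with demoCA offered as an extra candidate, so that an
#    UntrustedRoot status (expected until demoCA is in ROOT) can be told apart
#    from real errors such as a bad signature or a broken path.
$chain = New-Object "$X509.X509Chain"
$chain.ChainPolicy.RevocationMode    = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$chain.ChainPolicy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::AllowUnknownCertificateAuthority
$chain.ChainPolicy.ExtraStore.Add($ca) | Out-Null
$built    = $chain.Build($leaf)
$problems = $chain.ChainStatus | Where-Object { $_.Status -ne 'UntrustedRoot' }
if (-not $built -or $problems) {
    throw "Chain errors: $(($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; ')"
}
$last = $chain.ChainElements.Count - 1
if ($chain.ChainElements[$last].Certificate.Thumbprint -ne $ca.Thumbprint) {
    throw "Chain did not terminate at demoCA"
}

# 5. If the cert was already installed into LocalMachine\MY, make sure the
#    private key came with it (importing only the .cer leaves the key behind).
$installed = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $leaf.Thumbprint }
if ($installed -and -not $installed.HasPrivateKey) {
    Write-Warning "localhost cert is in MY but has no private key; import the .pfx instead of the .cer"
}

"OK: $($leaf.Subject) issued by $($ca.Subject), valid until $($leaf.NotAfter)"
```

Run it from the directory holding the two .cer files; any failed check throws with the reason, which is cheaper to diagnose here than from a browser's generic TLS error after the cert is bound in IIS.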

* Why prompted twice?

  • You'll be prompted to create the password to the private key (.pvk) – and then prompted again, in order to use the private key to make the cert.

* Where do I put the certs?

  • self-signed CA Certs are installed in the Trusted Root (key word is 'ROOT').
  • your certs are saved in MY

* Where the heck does MakeCert put em, eh?

* What EKU Options are there?

  • 1.3.6.1.5.5.7.3.1 - id-kp-serverAuth (Server Authentication)
  • 1.3.6.1.5.5.7.3.2 - id-kp-clientAuth (Client Authentication)
  • 1.3.6.1.5.5.7.3.3 - id-kp-codeSigning
  • 1.3.6.1.5.5.7.3.4 - id-kp-emailProtection
  • 1.3.6.1.5.5.7.3.5 - id-kp-ipsecEndSystem
  • 1.3.6.1.5.5.7.3.6 - id-kp-ipsecTunnel
  • 1.3.6.1.5.5.7.3.7 - id-kp-ipsecUser
  • 1.3.6.1.5.5.7.3.8 - id-kp-timeStamping
  • 1.3.6.1.5.5.7.3.9 - id-kp-OCSPSigning
  • 1.3.6.1.4.1.311.10.3.4 - Encrypting File System
  • 1.3.6.1.4.1.311.20.2.2 - Smart Card Logon
  • 1.3.6.1.5.5.8.2.2 - IP security IKE intermediate

For the local machine's identities to have rights to the private key in MY, the imported cert has to be right-clicked and the rights granted to a specific account (eg: in IIS, the AppPool account, eg: IIS Svc.AP).
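The right-click step above edits the ACL on the file that holds the private key, so it can be checked and repaired from a script. The following PowerShell is an added example, not from the wiki page: it assumes the cert was imported into LocalMachine\MY with its key (from the .pfx) and that the key is a CAPI/CSP key, which is what makecert generates; the subject name and the IIS APPPOOL account name are placeholders to adjust:

```powershell
# Added example (not from the wiki): show who can read a cert's private key in LocalMachine\MY
# and warn if the intended service account cannot. Windows PowerShell 5.1, run elevated.
param(
    [string]$Subject = 'CN=localhost',                  # placeholder: subject of the cert to inspect
    [string]$Account = 'IIS APPPOOL\DefaultAppPool'     # placeholder: account that must read the key
)

$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq $Subject -and $_.HasPrivateKey } |
        Select-Object -First 1
if (-not $cert) { throw "No cert with subject '$Subject' and a private key in LocalMachine\MY" }

# CAPI keys for the machine store are files under MachineKeys, named after the key container.
$container = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$keyFile   = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $container
if (-not (Test-Path $keyFile)) { throw "Key file not found: $keyFile (CNG keys are stored elsewhere)" }

# List every account with access to the key file.
$acl = Get-Acl $keyFile
$acl.Access | Select-Object IdentityReference, FileSystemRights, AccessControlType | Format-Table -AutoSize

# Does the service account have at least Read (FullControl also includes it)?
$readBit = [System.Security.AccessControl.FileSystemRights]::Read
$hasRead = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $Account -and
    $_.AccessControlType -eq 'Allow' -and
    (($_.FileSystemRights -band $readBit) -eq $readBit)
}

if ($hasRead) {
    "OK: $Account can read the private key of $Subject"
} else {
    Write-Warning "$Account cannot read the private key of $Subject; grant Read on the key file:"
    Write-Warning "  `$rule = New-Object System.Security.AccessControl.FileSystemAccessRule('$Account','Read','Allow')"
    Write-Warning "  `$acl = Get-Acl '$keyFile'; `$acl.AddAccessRule(`$rule); Set-Acl '$keyFile' `$acl"
}
```

Read is all a service needs to use the key; granting Full Control to the app pool account, which the GUI makes easy, is more than the "specific account" step requires.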