IT:AD:MakeCert

Prerequisites

The MakeCert utility can be obtained in one of the following ways:

  • Install the Windows SDK; makecert.exe is in its Bin directory.
  • Download Fiddler, which ships its own copy at C:\Program Files (x86)\Fiddler2\makecert.exe

Open a Cmd prompt with elevated privileges (writing to the LocalMachine stores requires it).

Documentation

MakeCert's switches can be determined by using makecert -! (or makecert -? for a shorter list).

Create a Self Signed Server Cert

    # -n   [..]  Subject name (eg: "CN=localhost")
    # -r         self-signed
    # -pe        make private key exportable
    # -sv  [..]  Create Subject's Private Key (PVK) file (needed later by pvk2pfx, and as -iv when signing child certs)
    # -sr  [..]  Subject's Cert Store location (CurrentUser|LocalMachine)
    # -ss  [..]  Subject's Cert Store name (eg: ROOT|MY)
    # -m   [..]  The number of Months the cert is valid for (eg: 84) (or use -b and -e as follows: -b 01/01/2007 -e 01/01/2010)
    # -sky [..]  Key purpose (eg: 'signature' or 'exchange')
    # -a   [..]  The hash algorithm to use: sha256|sha384|sha512
    
    # And if making a child cert, you'll also need
    # -ic  [...] the issuer's certificate file (eg: parent.cer)
    # -iv  [...] the issuer's key file (eg: parent.pvk)
    # -eku [...] CSV of Enhanced Key Usage OIDs (eg: 1.3.6.1.5.5.7.3.1 for servers, 1.3.6.1.5.5.7.3.2 for clients, 1.3.6.1.5.5.7.3.3 for code signing)
    
    # make the self-signed cert (you'll be prompted for a pwd to secure the *.pvk)
    makecert -n "CN=localhost" -a sha512 -sky exchange -m 84 -r -pe -sv localhost.pvk localhost.cer
    
    # Use pvk2pfx.exe to combine both files into one *.pfx for easier distribution.
    pvk2pfx.exe -pvk localhost.pvk -spc localhost.cer -pfx localhost.pfx
    
    # Certs can be installed in a cert store manually using mmc.exe, with certutil, or at creation time via -sr/-ss:
    # certutil.exe -f -addstore MY localhost.cer
    # or
    # makecert -n "CN=localhost" -a sha512 -sky exchange -m 84 -r -pe -sv localhost.pvk -sr LocalMachine -ss ROOT localhost.cer

Create a Self Signed CA + Server Cert

Making a self-signed CA and using it to create an SSL cert is identical to the above, bar the name itself and the subsequent generation of a child cert off of it:

    # Use the same switches as before, but when you do the child cert, you'll also need:
    # -ic  [...] the issuer's certificate file (eg: parent.cer)
    # -iv  [...] the issuer's key file (eg: parent.pvk)
    # -eku [...] CSV of Enhanced Key Usage OIDs (eg: 1.3.6.1.5.5.7.3.1 for servers and 1.3.6.1.5.5.7.3.2 for clients)
    
    # make the self-signed CA cert (you'll be prompted for a pwd to secure the *.pvk)
    makecert -n "CN=demoCA" -a sha512 -sky exchange -m 84 -r -pe -sv demoCA.pvk demoCA.cer
    
    # Optionally, use pvk2pfx.exe to combine both files into one *.pfx for easier distribution.
    # (demoCA.pvk/demoCA.pfx is the CA signing key: servers only need demoCA.cer, so keep the key files off them.)
    pvk2pfx.exe -pvk demoCA.pvk -spc demoCA.cer -pfx demoCA.pfx

    # The CA cert goes into the Trusted Root store (ROOT), manually using mmc.exe, with certutil, or at creation time via -sr/-ss:
    # certutil.exe -f -addstore ROOT demoCA.cer
    # or
    # makecert -n "CN=demoCA" -a sha512 -sky exchange -m 84 -r -pe -sv demoCA.pvk -sr LocalMachine -ss ROOT demoCA.cer


    # -----------------------------------

    # Make a child cert, based on the above 'CA' (notice the missing -r; -eku 1.3.6.1.5.5.7.3.1 is id-kp-serverAuth, the purpose an SSL server cert needs):
    makecert -n "CN=localhost" -a sha512 -sky exchange -m 84 -pe -sv localhost.pvk -ic demoCA.cer -iv demoCA.pvk -eku 1.3.6.1.5.5.7.3.1 localhost.cer

    # Use pvk2pfx.exe to combine both files into one *.pfx for easier distribution.
    pvk2pfx.exe -pvk localhost.pvk -spc localhost.cer -pfx localhost.pfx
    

    # The server cert goes into the Personal store (MY), manually using mmc.exe, with certutil, or at creation time via -sr/-ss:
    # certutil.exe -f -addstore MY localhost.cer
    # or
    # makecert -n "CN=localhost" -a sha512 -sky exchange -m 84 -pe -sv localhost.pvk -ic demoCA.cer -iv demoCA.pvk -eku 1.3.6.1.5.5.7.3.1 -sr LocalMachine -ss MY localhost.cer

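The following PowerShell function is an added example, not part of the original page, that checks what the commands in the two sections above actually produced: that localhost.pfx carries an exportable private key (the effect of -pe), that its EKU contains id-kp-serverAuth (the effect of -eku), and that it chains to demoCA.cer specifically rather than to some other root (the effect of -ic/-iv). It assumes Windows PowerShell 5.1, the file names used above, a CSP-backed RSA key (makecert's default), and a PFX password passed in by the caller; the function name Test-MakeCertLeaf is mine.

```powershell
# Added example: verify a makecert-produced leaf cert against its CA.
# Assumes Windows PowerShell 5.1 (.NET Framework) and the file names used on this page.
Add-Type -AssemblyName System.Security

function Test-MakeCertLeaf {
    param(
        [string]$PfxPath = '.\localhost.pfx',
        [string]$CaPath  = '.\demoCA.cer',
        [string]$PfxPassword,                        # the pwd you gave pvk2pfx
        [string]$ExpectedEku = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth, from the FAQ list
    )

    $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
        $PfxPath, $PfxPassword,
        [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable)
    $ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CaPath)

    # 1. Private key present and exportable (the effect of -pe). CSP keys expose CspKeyContainerInfo.
    $hasKey     = $leaf.HasPrivateKey
    $exportable = $hasKey -and $leaf.PrivateKey -and $leaf.PrivateKey.CspKeyContainerInfo.Exportable

    # 2. EKU (extension OID 2.5.29.37) contains the expected purpose (the effect of -eku).
    $ekuExt = $leaf.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $ekus   = @()
    if ($ekuExt) { $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    $hasEku = $ekus -contains $ExpectedEku

    # 3. Chain builds and terminates at demoCA (the effect of -ic/-iv).
    #    AllowUnknownCertificateAuthority lets Build() succeed before demoCA is in ROOT;
    #    the thumbprint comparison is what proves the issuer really is demoCA.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.ExtraStore.Add($ca) | Out-Null
    $chain.ChainPolicy.RevocationMode    = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chain.ChainPolicy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::AllowUnknownCertificateAuthority
    $built    = $chain.Build($leaf)
    $elements = @($chain.ChainElements)
    $rootIsCa = $built -and ($elements[-1].Certificate.Thumbprint -eq $ca.Thumbprint)

    [pscustomobject]@{
        Subject              = $leaf.Subject
        Issuer               = $leaf.Issuer
        HasPrivateKey        = $hasKey
        PrivateKeyExportable = $exportable
        EnhancedKeyUsages    = ($ekus -join ',')
        HasExpectedEku       = $hasEku
        ChainsToCa           = $rootIsCa
        ChainStatus          = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')
        SignatureAlgorithm   = $leaf.SignatureAlgorithm.FriendlyName   # sha512RSA when built with -a sha512
    }
}

# Usage (enter the same password you gave pvk2pfx):
# Test-MakeCertLeaf -PfxPassword (Read-Host 'PFX password')
```

If ChainsToCa comes back false while ChainStatus is empty, the leaf was signed by a different key than the demoCA.cer you pointed at (a stale demoCA.pvk is the usual cause); if HasExpectedEku is false, the -eku value on the child cert was the client OID rather than the server one.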
FAQs:

  • Why prompted twice?
    • You'll be prompted to create the password for the private key (*.pvk), and then prompted again in order to use that private key to make the cert.
  • Where do I put the certs?
    • Self-signed CA certs are installed in the Trusted Root store (the key word is 'ROOT').
    • Your own certs are saved in the Personal store (MY).
  • Where the heck does MakeCert put em, eh?
  • What EKU options are there?
    • 1.3.6.1.5.5.7.3.1 - id-kp-serverAuth (Server Authentication)
    • 1.3.6.1.5.5.7.3.2 - id-kp-clientAuth (Client Authentication)
    • 1.3.6.1.5.5.7.3.3 - id-kp-codeSigning
    • 1.3.6.1.5.5.7.3.4 - id-kp-emailProtection
    • 1.3.6.1.5.5.7.3.5 - id-kp-ipsecEndSystem
    • 1.3.6.1.5.5.7.3.6 - id-kp-ipsecTunnel
    • 1.3.6.1.5.5.7.3.7 - id-kp-ipsecUser
    • 1.3.6.1.5.5.7.3.8 - id-kp-timeStamping
    • 1.3.6.1.5.5.7.3.9 - id-kp-OCSPSigning
    • 1.3.6.1.4.1.311.10.3.4 - Encrypting File System
    • 1.3.6.1.4.1.311.20.2.2 - Smart Card Logon
    • 1.3.6.1.5.5.8.2.2 - IP security IKE intermediate

For the local station's identities to have rights to the private key in MY, the imported cert has to be right-clicked in the certificate console (All Tasks > Manage Private Keys) and the specific account given rights (eg: in IIS, the AppPool account, eg: IIS Svc.AP).
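The scripted equivalent of that right-click, as an added example that is not part of the original page: it finds the cert in LocalMachine\MY, locates the CSP key container file that makecert created under MachineKeys, and grants the service account Read only, which is all a TLS endpoint needs to use the key. It assumes Windows PowerShell 5.1 run elevated, a CSP-backed RSA machine key (makecert's default, imported with -sr LocalMachine), and an account name supplied by the caller; the function name Grant-PrivateKeyRead and the 'IIS AppPool\DefaultAppPool' value are mine and only placeholders.

```powershell
# Added example: grant a service account Read on a makecert/CSP private key in LocalMachine\MY.
# Assumes Windows PowerShell 5.1 run elevated and a CSP-backed RSA machine key (makecert's default).

function Grant-PrivateKeyRead {
    param(
        [Parameter(Mandatory)][string]$Subject,   # eg: 'CN=localhost'
        [Parameter(Mandatory)][string]$Account    # eg: 'IIS AppPool\DefaultAppPool' (placeholder)
    )

    # Pick the newest cert with that subject that actually has a private key attached.
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq $Subject -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw "No cert with a private key found for $Subject in LocalMachine\My" }

    # $cert.PrivateKey is populated for CSP keys (RSACryptoServiceProvider); CNG keys return $null here.
    if (-not $cert.PrivateKey) { throw "Key for $Subject is not a CSP key; this helper only handles makecert-style CSP keys" }
    $info = $cert.PrivateKey.CspKeyContainerInfo
    if (-not $info.MachineKeyStore) { throw "Key for $Subject is a user key, not a machine key; import with -sr LocalMachine" }

    # CSP machine keys are files under MachineKeys; the unique container name is the file name.
    $keyPath = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $info.UniqueKeyContainerName
    if (-not (Test-Path $keyPath)) { throw "Key container file not found: $keyPath" }

    # Read (R) lets the account use the key for TLS; Full Control is not needed and would let it re-ACL or delete the key.
    icacls $keyPath /grant "${Account}:R" | Out-Null

    # Return the resulting ACE so the change can be reviewed or logged.
    $shortName = $Account.Split('\')[-1]
    (Get-Acl $keyPath).Access |
        Where-Object { $_.IdentityReference.Value -like "*$shortName*" } |
        Select-Object IdentityReference, FileSystemRights, AccessControlType
}

# Usage:
# Grant-PrivateKeyRead -Subject 'CN=localhost' -Account 'IIS AppPool\DefaultAppPool'
```

The MachineKeyStore check matters because a key created or imported without -sr LocalMachine lands in the current user's profile, where no file ACL will make it usable by a service account; re-import the PFX into the machine store instead.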