Makecert Tool
Introduction
The makecert.exe tool is a command-line utility that generates self-signed X.509 certificates. This tool is part of the Windows Software Development Kit (SDK) and is useful for development and testing purposes, such as creating certificates for code signing, SSL/TLS testing, or certificate store manipulation.
It is important to note that certificates generated by makecert.exe are typically not trusted by default by other systems or browsers because they are self-signed and not issued by a trusted Certificate Authority (CA). For production environments, you should obtain certificates from a recognized CA.
Syntax
makecert [options] certificate.cer
Common Options
| Option | Description |
|---|---|
| -r | Creates a self-signed certificate. This is typically used when creating root certificates or certificates for testing. |
| -pe | Makes the private key exportable. This allows you to extract the private key associated with the certificate, which is often necessary for code signing. |
| -ss <store_name> | Specifies the certificate store where the certificate should be installed. Common store names include My (Personal), Root (Trusted Root Certification Authorities), and CA (Intermediate Certification Authorities). |
| -sr <store_location> | Specifies the location of the certificate store. Common locations include CurrentUser and LocalMachine. |
| -n <subject_name> | Specifies the subject name of the certificate. This is usually in the format "CN=Your Name, OU=Your Organization Unit, O=Your Organization, L=Your City, ST=Your State, C=US". |
| -eku <oid1[,oid2,...]> | Specifies enhanced key usage (EKU) object identifiers (OIDs). For example, for code signing, you might use "1.3.6.1.5.5.7.3.3". |
| -iv <issuer_cert.cer> | Specifies the issuer certificate for a non-self-signed certificate. |
| -ik <issuer_private_key.pvk> | Specifies the private key for the issuer certificate. |
| -a | Uses SHA-1 as the hashing algorithm. (Note: SHA-256 or higher is recommended for security.) |
| -b <valid_from> | Specifies the start date for the certificate's validity in the format mm/dd/yyyy. |
| -e <valid_to> | Specifies the end date for the certificate's validity in the format mm/dd/yyyy. |
| -l <friendly_name> | Assigns a friendly name to the certificate. |
Examples
1. Create a Self-Signed Root Certificate
This command creates a self-signed root certificate named RootCA.cer, makes its private key exportable, and installs it in the user's Trusted Root Certification Authorities store.
makecert -r -pe -n "CN=My Root CA" -eku 1.3.6.1.5.5.7.10.1 -ss Root -sr CurrentUser RootCA.cer
2. Create a Code Signing Certificate
This command generates a self-signed certificate for code signing. The private key is exportable, and the certificate is installed in the user's Personal store. It includes the code signing EKU.
makecert -r -pe -n "CN=My Developer Certificate" -eku 1.3.6.1.5.5.7.3.3 -ss My -sr CurrentUser MyDevCert.cer
3. Create a Certificate Valid for a Specific Period
This example creates a certificate valid from January 1, 2023, to December 31, 2024.
makecert -r -pe -n "CN=Test Cert" -b 01/01/2023 -e 12/31/2024 -ss My -sr CurrentUser TestCert.cer
4. Create a Certificate Signed by an Existing CA
This command creates a new certificate signed by an existing root CA (assuming RootCA.cer and its private key are available).
makecert -n "CN=My Server Certificate" -eku 1.3.6.1.5.5.7.10.1 -iv RootCA.cer -ik RootCA.pvk -ss My -sr CurrentUser ServerCert.cer
Important Considerations
- Security: Always use strong hashing algorithms like SHA-256 or higher. Avoid using SHA-1 for new certificates.
- Trust: Self-signed certificates are not trusted by default. For public-facing applications, use certificates issued by a trusted Certificate Authority.
- Private Keys: If you mark a private key as exportable (-pe), ensure it is protected by a strong password or stored securely.
- SDK Version: The availability and specific options of makecert.exe might vary slightly between different versions of the Windows SDK.
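The following PowerShell script is an added example, not part of the original page or the Windows SDK: it audits the stores the examples above write to (the store paths and the weak-hash pattern are assumptions you can adjust) and flags the conditions the considerations list warns about, namely self-signed certificates, SHA-1 or MD5 signatures, exportable private keys, and the code signing EKU.

```powershell
# Added example (not from the original page): audit certificate stores for the
# weaknesses makecert-generated certificates commonly carry. Store paths below are
# assumptions matching the page's "-ss My -sr CurrentUser" and "-ss Root" examples.
function Get-CertificateRisk {
    param(
        [string[]]$StorePath = @('Cert:\CurrentUser\My', 'Cert:\CurrentUser\Root')
    )
    $codeSigningOid = '1.3.6.1.5.5.7.3.3'   # code signing EKU, as in example 2

    foreach ($path in $StorePath) {
        foreach ($cert in Get-ChildItem -Path $path -ErrorAction SilentlyContinue) {
            # Exportability is only readable for legacy CSP keys (what makecert creates);
            # other key types or missing access rights leave this as 'unknown'.
            $exportable = 'unknown'
            try {
                $key = $cert.PrivateKey
                if ($key -and $key.CspKeyContainerInfo) {
                    $exportable = $key.CspKeyContainerInfo.Exportable
                }
            } catch { }

            $ekuOids = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
            $sigAlg  = $cert.SignatureAlgorithm.FriendlyName   # e.g. sha1RSA, sha256RSA

            [pscustomobject]@{
                Store         = $path
                Subject       = $cert.Subject
                Thumbprint    = $cert.Thumbprint
                SelfSigned    = ($cert.Subject -eq $cert.Issuer)
                SignatureAlg  = $sigAlg
                WeakHash      = ($sigAlg -match '^(md5|sha1)')   # assumed weak-hash pattern
                HasPrivateKey = $cert.HasPrivateKey
                Exportable    = $exportable
                CodeSigning   = ($ekuOids -contains $codeSigningOid)
                Expired       = ($cert.NotAfter -lt (Get-Date))
            }
        }
    }
}

# Report only entries that trip at least one of the warnings above
Get-CertificateRisk |
    Where-Object { $_.SelfSigned -or $_.WeakHash -or $_.Exportable -eq $true } |
    Format-Table Store, Subject, SelfSigned, SignatureAlg, WeakHash, Exportable, CodeSigning, Expired -AutoSize
```

Run it in the same user context that ran makecert, since CurrentUser stores are per account; pass LocalMachine paths to the function when auditing certificates installed with -sr LocalMachine.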