# IT:AD:MakeCert #
* See also:
* [[IT/AD/PowerShell/HowTo/Create A Self-Signed Certificate/]]
* [[IT/AD/IIS Express/HowTo/Configure/SSL/]]
* [[IT/AD/Certificates/]]
* [[IT/AD/pvk2pfx/]]
* [[IT/AD/certutil/]]
This approach is fine, but in the era of [[IT/AD/Powershell/]] it has been supplanted by the following approach:
* [[IT/AD/PowerShell/HowTo/Create A Self-Signed Certificate/]]
## Process ##
### Prerequisites
The MakeCert utility can be obtained in one of the following ways:
* Install the *Windows SDK*, and you'll find it in the `Bin` directory.
* Download Fiddler, and find it here: `C:\Program Files (x86)\Fiddler2\makecert.exe`
Open a Cmd prompt with *Elevated Privileges*.
### Documentation ###
MakeCert's switches can be determined by using `makecert -!` (or `makecert -?` for a shorter list).
### Create a Self Signed Server Cert ###
```
# -n [..]   Subject name, in X.500 form (eg: 'CN=localhost')
# -r        self-signed
# -pe       make the private key exportable
# -sv [..]  Create the subject's private key (PVK) file (not sure why one would *not* create this)
# -sr [..]  Subject's cert store location (eg: LocalMachine or CurrentUser)
# -ss [..]  Subject's cert store name (eg: ROOT or MY)
# -m [..]   The number of months the cert is valid for (eg: 84) (or use -b and -e as follows: -b 01/01/2007 -e 01/01/2010)
# -sky [..] Key purpose (eg: 'signature' or 'exchange')
# -a [..]   The hash algorithm to use: sha256|sha384|sha512
# And if making a child cert, you'll also need:
# -ic [...] the issuer's certificate file (eg: parent.cer)
# -iv [...] the issuer's key file (eg: parent.pvk)
# -eku [...] CSV of Enhanced Key Usage OIDs (eg: 1.3.6.1.5.5.7.3.1 for servers, 1.3.6.1.5.5.7.3.2 for clients, 1.3.6.1.5.5.7.3.3 for code signing; see the EKU list in the FAQs)
# make the self-signed cert (you'll be prompted for a pwd to secure the *.pvk)
makecert -n "CN=localhost" -a sha512 -sky exchange -m 84 -r -pe -sv localhost.pvk localhost.cer
# Use pvk2pfx.exe to combine both files into one *.pfx for easier distribution.
pvk2pfx.exe -pvk localhost.pvk -spc localhost.cer -pfx localhost.pfx
# Certs can be installed in a cert store manually using mmc.exe, using certutil, or at creation time via -sr/-ss:
# certutil.exe -f -addstore MY localhost.cer
# (note: -addstore imports the .cer only, i.e. no private key; to get the key into the store as well, import the *.pfx
#  with certutil.exe -f -p <pfx password> -importpfx localhost.pfx, or let makecert install it at creation time)
# or
# makecert -n "CN=localhost" -a sha512 -sky exchange -m 84 -r -pe -sv localhost.pvk -sr LocalMachine -ss ROOT localhost.cer
```
### Create a Self Signed CA + Server Cert ###
Making a self-signed CA and using it to create an SSL cert is identical to the above, bar the name itself and the subsequent generation of a child cert off it:
```
# Use the same switches as before, but when you do the child cert, you'll also need:
# -ic [...] the issuer's certificate file (eg: parent.cer)
# -iv [...] the issuer's key file (eg: parent.pvk)
# -eku [...] CSV of Enhanced Key Usage OIDs (eg: 1.3.6.1.5.5.7.3.1 for servers and 1.3.6.1.5.5.7.3.2 for clients)
# make the self-signed CA cert (you'll be prompted for a pwd to secure the *.pvk)
makecert -n "CN=demoCA" -a sha512 -sky exchange -m 84 -r -pe -sv demoCA.pvk demoCA.cer
# Optionally, use pvk2pfx.exe to combine both files into one *.pfx for easier distribution.
pvk2pfx.exe -pvk demoCA.pvk -spc demoCA.cer -pfx demoCA.pfx
# The CA cert belongs in the Trusted Root store (ROOT): install it manually using mmc.exe, using certutil, or at creation time via -sr/-ss:
# certutil.exe -f -addstore ROOT demoCA.cer
# or
# makecert -n "CN=demoCA" -a sha512 -sky exchange -m 84 -r -pe -sv demoCA.pvk -sr LocalMachine -ss ROOT demoCA.cer
# -----------------------------------
# Make a child server cert, based on the above 'CA' (notice the missing -r; the EKU 1.3.6.1.5.5.7.3.1 is serverAuth):
makecert -n "CN=localhost" -a sha512 -sky exchange -m 84 -pe -sv localhost.pvk -ic demoCA.cer -iv demoCA.pvk -eku 1.3.6.1.5.5.7.3.1 localhost.cer
# Use pvk2pfx.exe to combine both files into one *.pfx for easier distribution.
pvk2pfx.exe -pvk localhost.pvk -spc localhost.cer -pfx localhost.pfx
# The server cert belongs in the personal store (MY): install it manually using mmc.exe, using certutil, or at creation time via -sr/-ss:
# certutil.exe -f -addstore MY localhost.cer
# (as above, -addstore imports the .cer without its key; use certutil -importpfx on localhost.pfx if the key must be in MY too)
# or
# makecert -n "CN=localhost" -a sha512 -sky exchange -m 84 -pe -sv localhost.pvk -ic demoCA.cer -iv demoCA.pvk -eku 1.3.6.1.5.5.7.3.1 -sr LocalMachine -ss MY localhost.cer
```
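The two procedures above (self-signed server cert, and CA plus child server cert) end with a cert in a store, but neither says how to confirm that the right thing landed there. The following is an added example, not code from the original page: it drives the CA + server-cert variant from Windows PowerShell 5.1, letting makecert install straight into the LocalMachine stores via `-sr`/`-ss`, and then checks the store location, the presence of the private key, the serverAuth EKU, and that a chain builds from the server cert to the CA. It assumes an elevated session with `makecert.exe` on the PATH; the names `demoCA` and `localhost` are the page's, the working folder under `%TEMP%` is an assumption.

```powershell
# Added example (not from the original page). Assumes an elevated Windows PowerShell 5.1
# session with makecert.exe on PATH. demoCA / localhost are the page's names; the
# working folder is an assumption.
$ErrorActionPreference = 'Stop'
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth (see the EKU list in the FAQs)
$workDir = Join-Path $env:TEMP 'makecert-demo'
New-Item -ItemType Directory -Path $workDir -Force | Out-Null
Push-Location $workDir
try {
    # 1. Self-signed CA, placed in Trusted Root. You are prompted for the PVK password twice (see FAQs).
    & makecert -n 'CN=demoCA' -a sha512 -sky exchange -m 84 -r -pe -sv demoCA.pvk `
        -sr LocalMachine -ss ROOT demoCA.cer
    if ($LASTEXITCODE -ne 0) { throw "makecert (CA) exited with $LASTEXITCODE" }

    # 2. Server cert issued by that CA (no -r), with the serverAuth EKU, placed in MY.
    & makecert -n 'CN=localhost' -a sha512 -sky exchange -m 84 -pe -sv localhost.pvk `
        -ic demoCA.cer -iv demoCA.pvk -eku $serverAuthOid -sr LocalMachine -ss MY localhost.cer
    if ($LASTEXITCODE -ne 0) { throw "makecert (server) exited with $LASTEXITCODE" }
}
finally { Pop-Location }

# 3. Verify: right stores, private key present, right EKU, chain builds to the CA.
$ca     = Get-ChildItem Cert:\LocalMachine\Root | Where-Object Subject -eq 'CN=demoCA'    | Select-Object -First 1
$server = Get-ChildItem Cert:\LocalMachine\My   | Where-Object Subject -eq 'CN=localhost' | Select-Object -First 1
if (-not $ca)     { throw 'demoCA not found in LocalMachine\Root' }
if (-not $server) { throw 'localhost cert not found in LocalMachine\My' }
if (-not $server.HasPrivateKey) { throw 'server cert has no private key (was -sv/-pe used?)' }

# EKU check: a server cert with only clientAuth (…7.3.2) will not be accepted for TLS server use.
$ekuExt  = $server.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$ekuOids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
if ($ekuOids -notcontains $serverAuthOid) { throw "server cert EKU lacks serverAuth; has: $($ekuOids -join ', ')" }

# Chain check: makecert certs carry no CRL distribution point, so skip revocation or Build() fails for the wrong reason.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
if (-not $chain.Build($server)) {
    throw "chain did not build: $($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() })"
}
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
if ($root.Thumbprint -ne $ca.Thumbprint) { throw 'chain does not end at demoCA' }

"OK: $($server.Subject) [$($server.Thumbprint)] issued by $($server.Issuer); EKU: $($ekuOids -join ', ')"
```

The chain check is the one that catches the usual mistakes: a CA cert that was put in `MY` instead of `ROOT`, or a child cert made with `-r` so that it is self-signed rather than issued by the CA, both fail `Build()` even though both certs are "installed".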
### FAQs ###
* Why am I prompted twice?
  * You'll be prompted to create the password for the private key (*.pvk), and then prompted again in order to use the private key to make the cert.
* Where do I put the certs?
  * Self-signed CA certs are installed in the *Trusted Root* store (key word is `ROOT`).
  * Your own certs are saved in `MY`.
* Where the heck does MakeCert put em, eh?
  * See: `c:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys`
  * Using this tool you can find the created keys: http://msdn.microsoft.com/en-us/library/aa717039.aspx
* What EKU options are there?
  * 1.3.6.1.5.5.7.3.1 - id-kp-serverAuth (Server Authentication)
  * 1.3.6.1.5.5.7.3.2 - id-kp-clientAuth (Client Authentication)
  * 1.3.6.1.5.5.7.3.3 - id-kp-codeSigning
  * 1.3.6.1.5.5.7.3.4 - id-kp-emailProtection
  * 1.3.6.1.5.5.7.3.5 - id-kp-ipsecEndSystem
  * 1.3.6.1.5.5.7.3.6 - id-kp-ipsecTunnel
  * 1.3.6.1.5.5.7.3.7 - id-kp-ipsecUser
  * 1.3.6.1.5.5.7.3.8 - id-kp-timeStamping
  * 1.3.6.1.5.5.7.3.9 - id-kp-OCSPSigning
  * 1.3.6.1.4.1.311.10.3.4 - Encrypting File System
  * 1.3.6.1.4.1.311.20.2.2 - Smart Card Logon
  * 1.3.6.1.5.5.8.2.2 - IP security IKE intermediate
## Installing Certs
For the local station's identities to have rights to the private key of a cert in `MY`, the imported cert has to be right-clicked (in the certificates snap-in of mmc.exe) and rights granted to the specific account (eg: in IIS, the AppPool account, eg: `IIS Svc.AP`).
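The same grant can be scripted, which is useful when the cert is re-created often (makecert certs are short-lived by design) and the MMC click-path gets forgotten. The following is an added example, not code from the original page: it locates the key container file for a cert in `LocalMachine\MY` (the `MachineKeys` folder the FAQ above points at; on Vista and later that folder lives under `%ProgramData%\Microsoft\Crypto\RSA\MachineKeys`) and adds a read-only ACE for one account. It assumes Windows PowerShell 5.1, an elevated session, and a CAPI (CSP) key, which is what makecert creates; the subject `CN=localhost` is the page's, the account name is a placeholder to replace with the real AppPool identity.

```powershell
# Added example (not from the original page). Assumes Windows PowerShell 5.1, elevation,
# and a CSP key as makecert creates. $Account is a placeholder for your AppPool identity.
param(
    [string]$Subject = 'CN=localhost',
    [string]$Account = 'IIS AppPool\DefaultAppPool'   # placeholder: use your app pool identity
)
$ErrorActionPreference = 'Stop'

$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Subject -eq $Subject | Select-Object -First 1
if (-not $cert) { throw "no cert with subject $Subject in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw 'cert has no private key; import the *.pfx or use -sv with -sr/-ss' }

# For CSP keys PrivateKey is an RSACryptoServiceProvider whose container info names the key file.
$rsa = $cert.PrivateKey
if (-not $rsa -or -not $rsa.CspKeyContainerInfo) { throw 'not a CSP key; this script only handles makecert-style CAPI keys' }
$info = $rsa.CspKeyContainerInfo
if (-not $info.MachineKeyContainer) { throw 'key is in a user container, not MachineKeys (was -sr LocalMachine used?)' }

$machineKeys = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'
$keyPath = Join-Path $machineKeys $info.UniqueKeyContainerName
if (-not (Test-Path $keyPath)) { throw "key container file not found: $keyPath" }

# Grant Read only: the app pool needs to use the key, not export, replace or delete it.
$acl  = Get-Acl -Path $keyPath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyPath -AclObject $acl

# Show what the account now holds on the key file.
(Get-Acl -Path $keyPath).Access |
    Where-Object { $_.IdentityReference.Value -eq $Account } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

Granting `FullControl` here is the common over-permission: an account that can write the key file can also replace or delete the key, which is more than serving TLS requires.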
## Resources ##
* http://skysigal.xact-solutions.com/Blog/tabid/427/entryid/1199/Private-Keys-Where-the-heck-does-MakeCert-put-em-eh.aspx
* https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/makecert