Thursday, September 4, 2008

using makecert

Certificate Creation Tool (Makecert.exe)
The Certificate Creation tool generates X.509 certificates for testing purposes only. It creates a public and private key pair for digital signatures and stores it in a certificate file. This tool also associates the key pair with a specified publisher's name and creates an X.509 certificate that binds a user-specified name to the public part of the key pair.

Makecert.exe includes basic and extended options. Basic options are those most commonly used to create a certificate. Extended options provide more flexibility.

The correct syntax:
makecert -r -pe -n "CN=www.yourserver.com" -b 01/01/2000 -e 01/01/2036 -eku 1.3.6.1.5.5.7.3.1 -ss my -sr localMachine -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12

C:\WINDOWS\system32>makecert -i

Usage: MakeCert [ basic|extended options] [outputCertificateFile]
Basic Options
-sk Subject's key container name; To be created if not present
-pe Mark generated private key as exportable
-ss Subject's certificate store name that stores the output certificate
-sr Subject's certificate store location. Default to 'CurrentUser'
-# Serial Number from 1 to 2^31-1. Default to be unique
-$ The signing authority of the certificate

-n Certificate subject X500 name (eg: CN=Fred Dews)
-? Return a list of basic options
-! Return a list of extended options


C:\WINDOWS\system32>makecert -!
Usage: MakeCert [ basic|extended options] [outputCertificateFile]
Extended Options
-sc Subject's certificate file
-sv Subject's PVK file; To be created if not present
-ic Issuer's certificate file
-ik Issuer's key container name
-iv Issuer's PVK file
-is Issuer's certificate store name.
-ir Issuer's certificate store location. Default to 'CurrentUser'
-in Issuer's certificate common name.(eg: Fred Dews)
-a The signature algorithm. Default to 'md5'
-ip Issuer's CryptoAPI provider's name
-iy Issuer's CryptoAPI provider's type
-sp Subject's CryptoAPI provider's name
-sy Subject's CryptoAPI provider's type
-iky Issuer key type
-sky Subject key type
-l < link > Link to the policy information (such as a URL)
-cy Certificate types

-b Start of the validity period; default to now.
-m The number of months for the cert validity period
-e End of validity period; defaults to 2039
-h Max height of the tree below this cert
-r Create a self signed certificate
-nscp Include netscape client auth extension
-eku <oid[<,oid>]> Comma separated enhanced key usage OIDs
-? Return a list of basic options
-! Return a list of extended options
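
To see what the command under "The correct syntax" actually placed in the LocalMachine\My store, the PowerShell below reports the properties that matter when reviewing such a test certificate: self-signed (-r), signature algorithm (the help output above lists 'md5' as the default for -a), validity span (-b/-e), server-authentication EKU (-eku) and private key exportability (-pe). This is an added example, not part of the original post or of makecert; the function name Test-MakecertCertificate is hypothetical, and it assumes an elevated session so that machine-store private keys can be read.

```powershell
# Added example: audit the certificate created by the makecert command on this page.
$subject       = 'CN=www.yourserver.com'   # subject name used in the command above
$serverAuthOid = '1.3.6.1.5.5.7.3.1'       # the -eku value used in the command above

function Test-MakecertCertificate {        # hypothetical helper name
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    # Collect the enhanced key usage OIDs from the EKU extension, if present.
    $ekuOids = @()
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            $ekuOids += $ext.EnhancedKeyUsages | ForEach-Object { $_.Value }
        }
    }

    # Exportability can only be read here for CryptoAPI (CSP) keys,
    # which is the kind of key the -sp/-sy options select.
    $exportable = $null
    try {
        $key = $Cert.PrivateKey
        if ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            $exportable = $key.CspKeyContainerInfo.Exportable
        }
    } catch { $exportable = $null }        # key not accessible from this session

    [pscustomobject]@{
        Thumbprint    = $Cert.Thumbprint
        SelfSigned    = ($Cert.Subject -eq $Cert.Issuer)   # issuer name equals subject name
        SignatureAlgo = $Cert.SignatureAlgorithm.FriendlyName
        WeakSignature = ($Cert.SignatureAlgorithm.FriendlyName -match 'md5')
        ValidityYears = [math]::Round(($Cert.NotAfter - $Cert.NotBefore).TotalDays / 365.25, 1)
        ServerAuthEku = ($ekuOids -contains $serverAuthOid)
        HasPrivateKey = $Cert.HasPrivateKey
        KeyExportable = $exportable                        # $true when -pe was used
    }
}

# Report every certificate in the machine's personal store with the page's subject name.
Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $subject } |
    ForEach-Object { Test-MakecertCertificate -Cert $_ } |
    Format-List
```

A result with WeakSignature or KeyExportable set to True, or a validity span of several decades, confirms the certificate is suitable for testing only, as the tool description states.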
