Creating self signed certificates with makecert.exe for development

If you’ve ever had the need of creating self signed certificates you may start out feeling like it’s not a straightforward stroll in the park, so here is a blog post that might help you to get started. I will be going through the basics of creating self signed X.509 certificates (Root, server & client) using makecert.exe.
For the complete makecert.exe parameter reference click here.

I’m using a PC with Windows 8.1 Pro and Visual Studio Premium 2013.

Certificate Authority (CA)
Normally most companies would just buy their certificates from a trusted third party certificate authority such as GoDaddy or Verisign, but for development and testing, this might not be the first thing one wants to do. Instead you can create your own self signed certificates, starting with a root CA that can be used to sign other certificates. (For example ssl certificates for servers and clients). When you do this, the certificates are not trusted by default. You must therefore add the root CA to your machine’s Trusted Root Certification Authorities Store through the Microsoft Management Console.

NOTE: You can add these two parameters: -sr LocalMachine ^ and -ss Root ^ to the upcoming command batch file, if you want to install the certificate directly into the LocalMachine’s Trusted Root Certification Authorities. BE SURE to run the Developer Command Prompt as administrator or it will fail. We will however go through how to do this manually so you get a more basic understanding.

The ^ symbol I add to the following cmd batch files means “escape the next line”, this makes it more readable instead of one long command string.

Let’s do all of this step by step:
Open an empty notepad document and copy and paste the following into notepad:

This may or may not look a bit frightening or incomprehensive at first, but let me
walk you through what is going on here: First we create a certificate with
makecert.exe, then we use pvk2pfx.exe to copy the public key and private key
information from the .pvk and .cer into a .pfx (personal information exchange) file.

NOTE: Never share your root .pvk or .pfx files if you want to stay secure!
The .pvk file contains your private key for your .cer certificate and the .pfx file contains both the certificate .cer and the private key .pvk, which means that others can sign new certificates with your certificate without your consent. The only file you can share is the .cer file, which only contains the public key.

The makecert.exe parameters:

  • -n “CN=CARoot” Subject’s certificate name and must be formatted as the standard: “CN=Your CA Name Here”
    You can also add more than one in the -n parameter for example: “-n “CA=CARoot,O=My Organization,OU=Dev,C=Denmark”  and so on. Reference:

    • CN = commonName (for example, “CN=My Root CA”)
    • OU = organizationalUnitName (for example, “OU=Dev”)
    • O = organizationName (for example, “O=Jayway”)
    • L = localityName (for example, “L=San Francisco”)
    • S = stateOrProvinceName (for example, “S=CA”)
    • C = countryName (for example, “C=US”)
  • -r Indicates that this certificate is self signed
  • -pe The generated private key is exportable and can be included in the certificate
  • -a sha512 We declare which signature algorithm we will be using
    (DO NOT use the sha1 algoritm, it is no longer secure)
  • -len 4096  The generated key length in bits
  • -cy authority Specifies that this is a certificate authority
  • -sv CARoot.pvk The subject’s .pvk private key file
  • CARoot.cer The certificate file

Optional: install certificate directly into the Trusted Root CA store

  • -sr LocalMachine The subject’s certificate store location
  • -ss Root The certificate store name

The pvk2pfx.exe parameters:

  • -pvk CARoot.pvk The name of the .pvk file
  • -spc CARoot.cer The name of the .cer file
  • -pfx CARoot.pfx The name of the -pfx file
  • -po Test123 The password for the .pfx file

Save the document as “CreateCARoot.cmd” which will create a command batch file. (You can call it what you want as long as you remember the .cmd ending which will make it a Windows Command Script)1. CreateCARoot batch file

Open a Visual Studio Developer Command Prompt – this is where makecert.exe lives, and navigate to the folder that contains the batch file and run the cmd file

2. DevPrompt1

It should now prompt you to enter some passwords. (This is where we create and use the .pvk private key, so these need to match for success)
3. DevPrompt24. DevPrompt35. DevPrompt4

6. DevPrompt5

You should now have 3 new files: CARoot.cer, CARoot.pfx and CARoot.pvk in the folder where your batch files are. 7. CARootCertfiles

Making It Trusted
(This is a manual walk through if you didn’t include the -sr and -ss parameters)
Open your new CARoot.cer file by double clicking it and see that it is not trusted.
8. UntrustedCert2

To make it trusted on your machine open up the Microsoft Management Console. (Find it by searching for mmc in start)
mmc console

Go to File Add/Remove Snap-in

Double-click Certificates in the list to the left
9. MMC1

Choose Computer account and just go next, finish and OK
10. MMC2

Open the Trusted Root Certification Authorities Certificates
Here you can see all of the currently trusted certificates that Windows trusts.
(Alot of them ship with Windows out of the box)

Now right-click the Certificates folder All tasks Import…

The certificate Import Wizard will pop up.
Go next Browse to find the CARoot.cer file we created earlier

MMC CARoot

Keep going next until finish where a message box should appear saying “The import was successful”.

Your CARoot certificate should now be in you Trusted Root Certification Authorities store.
11. MMC3

Open the CARoot (double-click) and see that it is now trusted by your computer.
13. TrustedCert2

Server Certificates
Next up we need a certificate to handle SSL on the server. We will create this with a new command batch file in notepad just like before, this time with these parameters:

NOTE: The CN must match your domain otherwise the browsers won’t trust your SSL certificate and warn the end user not to proceed to your website

You will recognize most of the parameters, but let me explain the new ones:

  • -n “CN=yourdomain.com” for example Change this to your domain name in order to connect the SSL server certificate to a specific web server domain. (Examples: “CN=www.yourdomain.com”, “CN=yourdomain.com” or the wildcard that will match all urls ending in your domain “CN=*.yourdomain.com”.)
    You can also add more than one in the -n parameter for example: “-n “CA=CARoot,O=My Organization,OU=Dev,C=Denmark”  and so on. Reference:

    • CN = commonName (for example, “CN=My Root CA”)
    • OU = organizationalUnitName (for example, “OU=Dev”)
    • O = organizationName (for example, “O=Jayway”)
    • L = localityName (for example, “L=San Francisco”)
    • S = stateOrProvinceName (for example, “S=CA”)
    • C = countryName (for example, “C=US”)
  • %1 A command line parameter and will be whatever you type in after .cmd, this will be the file name of your .cer, .pvk and .pfx files
  • -iv CARoot.pvk Issuer’s (The CA that signed it) .pvk private key file
  • -ic CARoot.cer The issuer’s certificate file
  • -b 01/01/2014 Start of the period where the certificate is valid
  • -e 01/01/2016 End of the valid period
  • -sky exchange Indicates that the key is for key encryption and key exchange
  • -eku 1.3.6.1.5.5.7.3.1 Server authentication OID (Object Identifier). Identifies that this is an SSL Server certificate.

Optional: Install server certificate directly into the LocalMachine Personal certificate store

NOTE: This will only install the .cer file into the MMC, in order to import the .pfx file you will have to do it manually.

  • -sr LocalMachine The subject’s certificate store location
  • -ss My The certificate store name that will store the output certificate

This will create a SSL certificate to use on your server and will be signed by your CARoot authority.
15. ServerSSL cmd

Run it in your Developer Command Prompt the same way as before, only this time type in a name for your certificate after the command. Mine will be: CreateSslServerCert.cmd ServerSSL
14. ServerPrompt

Again it will ask you to create your private key password, use it to verify, also give the issuers password (which is the one you chose when creating your root CA) and lastly the private key password you choose in the first window.
servercert password1servercert password2
servercert password3 servercert password4

…aaand voila you now have the ServerSSL certificate files.
16. ServerSSL Certs

If you didn’t include the -sr and -ss parameters, import the Personal Information Exchange (pfx) certificate into your Personal Certificates in the Microsoft Management Console:
Open the Personal folder right-click Certificates Import…

Again the Certificate Import Wizard pops up Go Next

This time you will Browse for the ServerSSL.pfx file
17. MMCserver

Go next Type in the password for your pfx file (The -po parameter from the batch file) Continue going next until finish and the message box with ”The import was successful” appears.

You should now see you newly imported certificate in your Personal Certificates folder
18. MMCServer2

It is trusted automatically because your CARoot that signed it is trusted and has a private key corresponding to this certificate.
19. TrustedServerCert 20 TrustedServerCertPath

You can now configure your server to use this certificate.

Client Certificates
Last but not least we will create the client certificate which can be used for client certificate authentication. We will again create a command batch file, now with the following parameters:

You may notice that this is almost identical to the server certificate parameters, all except:

  • “CN=%1” This can be whichever name you like and will be what you type in after .cmd
    You can also add more than one in the -n parameter for example: “-n “CA=%1,O=My Organization,OU=Dev,C=Denmark”  and so on. Reference:

    • CN = commonName (for example, “CN=My Root CA”)
    • OU = organizationalUnitName (for example, “OU=Dev”)
    • O = organizationName (for example, “O=Jayway”)
    • L = localityName (for example, “L=San Francisco”)
    • S = stateOrProvinceName (for example, “S=CA”)
    • C = countryName (for example, “C=US”)
  • -eku 1.3.6.1.5.5.7.3.2 The client authentication OID (Object Identifier).

Optional: install client certificate directly into the CurrentUser Personal certificate store
NOTE: This will only install the .cer file into the MMC, in order to import the .pfx file you will have to do it manually.

  • -sr CurrentUser The subject’s certificate store location
  • -ss My The certificate store name

Your batch command will create a SSL certificate to use on your client and will be signed by your CARoot authority.
21. ClientCertCmd

Execute the command batch file in the Developer Command Prompt, again with a name after the cmd. (Mine will be: CreateSslClientCert.cmd ClientCert)
22. PromptClientCert

Enter the passwords in the same pattern as the server certificate and you now have your client certificate.
23. ClientCert

You can now add it to your Current User Personal Certificate store:
In the Microsoft Management Console, click File Add/Remove Snap-in

Double-click Certificates again, but this time choose My user account
24. MMC client

Open the Personal folder Right-click Certificates Import…

Browse for your ClientCert.pfx file
25. MMC client 2

Go next Type in the password to your pfx file (-po parameter from the batch file) Continue going next until finish and ”The import was successful” message box appears.

You should now see you newly imported certificate in your Personal Certificates folder
26. MMC Client3

Again the certificate is trusted because the CARoot is trusted by Windows.
27. TrustedClient 28. TrustedClientPath

You can now configure your client to use this certificate.

I hope the whole self signed certificate creation together with the makecert.exe generation tool feels more understandable and that you can use this knowledge for your development process. For a walk-through on setting up IIS to use your self-signed certificates check out my next blog post: http://blog.jayway.com/2014/10/27/configure-iis-to-use-your-self-signed-certificates-with-your-application/

Check out my blog post for getting self signed certificates to work with a Windows Azure cloud service: http://blog.jayway.com/2015/04/21/configure-a-windows-azure-cloud-service-to-use-your-self-signed-certificates-for-iis-client-certificate-mapping-authentication/

Take care! =)

92 Comments

  1. Anders Poulsen

    Just used your guide this morning, thanks. The only thing missing, I think, is “How do I set up my IIS to actually USE this selv signed certificate”.

    • Elizabeth Andrews

      Great to hear that you found it useful.
      I’m actually writing my next blog post as we “speak”, on how to configure Windows IIS and application to use these self signed certificates, so keep posted ;-)

  2. Adriaan Booysen

    Nice article, was clear and simple.

    Just a further note would be to use a chained root CA to issue the server and client SSL’s and therefore you don’t have to expose the Root CA.

    makecert -n “CN=CARoot Sub” -iv CARoot.pvk -ic CARoot.cer -pe -a sha512 -len 4096 -cy authority -sv SCARoot.pvk SCARoot.cer
    -sr LocalMachine -ss Root ****Optional parameters
    pvk2pfx -pvk SCARoot.pvk -spc SCARoot.cer -pfx SCARoot.pfx

    Then change the ServerSSL and ClientSSL batch to use the chained CA.

    The same will apply for those people using Active Directory Certificate Services (ADCS)

    Regards

  3. Napoleon Tan

    I was able to use the said step for creating the certificate. It was very helpful step by step especially for people who do not know the ins and out of the SSL protocol. Good job.

  4. Prabhu

    How are you getting that ServerSSL in the MMC console for the server certificate i am getting the domain name there. I replaced the %1 with the ServerSSL and i got all the 3 files .cer,.pfx and the .pvk file with the name as ServerSSL, but in my mmc i am getting my domain name when i import the certificate.

    • Elizabeth Andrews

      I understand you got confused there Prabhu, I have changed the pictures for the server certificate to correctly display the CN name (your domain name) in both the certificate and in the MMC after import. The %1 parameter only defines the file name of the certificates (.cer, .pvk and .pfx), in this case we put in ServerSSL. The MMC doesn’t display the file name, it displays the CN name (what you wrote in your CN=”yourdomain.com” parameter). In the old pictures I had generated a certificate with the CN parameter set to “CN=ServerSSL” which is why it was displayed like so in the MMC. I apologize for the outdated pictures, please read the Server Certificate part again and hopefully it becomes clear. It sounds like you imported the certificate correctly.

  5. Prabhu

    Thanks Elizabeth for the reply.
    I had to do a mutual SSL authentication for peer-peer communication not localhost. I am doing this using Microsoft.Net using socket communication class.
    For this i have created self-signed certificates comprising of one root certificate a server certificate and a client certificate. Below are the commands i am using for generating the same.

    Root
    ->makecert.exe -n “CN=abc.com” -r -pe -a sha512 -len 4096 -cy authority -sv RootCert.pvk RootCert.cer
    ->pvk2pfx -pvk RootCert.pvk -spc RootCert.cer -pfx RootCert.pfx -po test123

    Server
    ->makecert.exe -pe -n “CN=abc.com” -a sha512 -sky exchange -eku 1.3.6.1.5.5.7.3.1 -ic RootCert.cer -iv RootCert.pvk -sp “Microsoft RSA SChannel Cryptographic Provider” -sy 12 -sv ServerCert.pvk ServerCert.cer
    ->pvk2pfx -pvk ServerCert.pvk -spc ServerCert.cer -pfx ServerCert.pfx -po test123

    Client
    ->makecert.exe -pe -n “CN=abc.com” -a sha512 -sky exchange -eku 1.3.6.1.5.5.7.3.2 -ic RootCert.cer -iv RootCert.pvk -sp “Microsoft RSA SChannel Cryptographic Provider” -sy 12 -sv ClientCert.pvk ClientCert.cer
    ->pvk2pfx -pvk ClientCert.pvk -spc ClientCert.cer -pfx ClientCert.pfx -po test123

    After generating all the required certificates i am adding them to mmc console as you have explained above.
    To check for mutual authentication i am using X509Certificate2 class, while doing this in SslPolicyErrors i am encountering error stating RemoteCertificate name mismatch

    I know this is a long shot but can anyone give me any pointers on the same.

  6. Alif

    Hi Prabhu,

    We are also facing the same issue while testing the client and server application on two different machines.
    Please let me us know any more information how to resolve the issue.

    Thanks in Advance

    Alif

  7. Phil

    Thanks Elizabeth.
    I was looking for your follow up post on how to configure your Local IIS, but couldn’t find it. Any chance that’s still coming?

    Cheers
    :phil

  8. Ben

    I’ve just gone through all this but Chrome is still moaning at me about my SSL certificate. NET::ERR_CERT_COMMON_NAME_INVALID. I’m trying to find out why now but just thought I’d ask here and see if anyone has any hints. Thanks

  9. Ben

    It’s because I’d tried to use the same port binding on more than one site and IIS got all confused and switched my cert to not match the domain.

  10. Prabhu

    After about 10 days of all possible permutations and combinations have created a link with our team which maybe helpful for some of you people.
    https://social.msdn.microsoft.com/Forums/en-US/51149679-106b-47ac-9898-3ba9467a08aa/sslstream-mutual-authentication-client-certificate-is-null-at-server?forum=netfxbcl

  11. Ali

    I spent hours trying to solve my WCF security error and tried every single solution on the web. None is any close to this detailed and clear explanation. You are the best.

    Thanks

  12. Orlando

    Wanted to thank you for this very informative article. Best regards

  13. César Cruz

    Thanks. Fine

  14. Henk Brink

    Literally saved me hours this morning. Extremely well documented and clear explanation. Won’t soon forget. Thanks a ton Elizabeth.

  15. Harman Gill

    Great article, very well done! Just wanted to add that it will be good to add that you can export the certificate in Base64 encoding after importing it into Trusted Certification Authorities. This plain text/readable CER file is useful where X509 certificate is an element of a XML configuration file like in SAML Single Sign On applications.

  16. Gerard

    Dear Elizabeth,
    This is a “Wow!” post. Thank you soooooo much.
    I do have some tiny remarks (aka things i had to solve)
    1. “You can add these two parameters: -sr LocalMachine ^ and -ss Root ^ to the upcoming command batch file” = add to the MAKECERT command in the .CMD file (not to the end of the file)
    2. In your CMD files you have ” -po Test123″ . But during the process we enter our own passwords… (so i deleted that line)
    3. At first i got the impression that i could invent my own ” -eku” identifier. I soon learned this is not the case. The OID says something about the use of the certificate:

    Encrypting File System (1.3.6.1.4.1.311.10.3.4)
    Code Signing (1.3.6.1.5.5.7.3.3)
    Secure Email (1.3.6.1.5.5.7.3.4)
    Smart Card Logon (1.3.6.1.4.1.311.20.2.2)
    Client Authentication (1.3.6.1.5.5.7.3.2)
    Server Authentication (1.3.6.1.5.5.7.3.1)
    IP security IKE intermediate (1.3.6.1.5.5.8.2.2)

    But YOU brought me 99% to the finishline.
    Again: great many thanks!!

  17. Mohsan Hassan

    It is very detailed walk through. really helped me in understanding CA, Server and Client Certificates.

    Very good article

  18. Amit Manchanda

    Hi Elizabeth, You wrote very well, as i am new to ssl, i was facing so much issues based on ssl certificates. but your post finally make me feel better. But it works fine on my local machine. but now i want to use it on my live server still it is not working well on live server. i am using ssl certificates with windows service .
    Please suggest me how to use ssl certificate to authenticate my server to clients and please tell me if i want to authenticate my server to clients then should i have to provide my server certificates to clients who will interact with my windows service to match

  19. Joel Sam

    can’t wait for the post for getting self signed certificates to work with a Windows Azure cloud service

  20. Sheng Jiang

    Very good article which helps me setting an IIS environment which requires client certificate!

  21. Leandros

    Excellent article! I would only add that if Visual Studio is not available you have to install “Windows Software Development Kit (SDK) for Windows 8.1”, or similar. Then, add the SDK folder to the system PATH, for example “C:\Program Files (x86)\Windows Kits\8.1\bin\x64”. And then, simply use the Windows Command Prompt (as opposed to Visual Studio Developer Command Prompt).

  22. Ashok Kumar

    Hi,

    I am using this concept and applied to one of my site this is working to chrome and IE but getting issue with Firefox as

    Secure Connection Failed

    The connection to http://www.abc.com was interrupted while the page was loading.

    The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
    Please contact the website owners to inform them of this problem.

    can any one help me.

  23. Raifel

    How can we generate intermediate certificate from root certificte?

  24. Justin Andrews

    I am struggling with this process and would appreciate a bit of guidance. I have followed the guide for creating self signed certificates and am now trying to get my local IIS environment configured to use them. I am running IIS8 on a windows 8 machine.

    The domain I am using is ‘angularjsauthenticationweb.com’ and I have modified the hosts file according to the sample. The non-https urls return as expected.

    In IE both the angularjsauthenticationweb.com and http://www.angularjsauthenticationweb.com sites return with HTTPS. However, the lock does not appear in the URL bar until I press F5 to refresh the page. Once the page has been refreshed the locks appear and the cert appears to be correct (issued by CARoot and issued to matches my URL).

    In Chrome I see some different behavior. https://angularjsauthenticationweb.com/ opens up correctly with a nice green lock. However, when I add www to make the URL https://www.angularjsauthenticationweb.com I still see the green lock in the corner but the page does not return correctly and instead I receive an error message indicating:

    ‘Your client certificate is either not trusted or is invalid.’

    When I view the certificate it indicates it is issued by ‘CARoot’ and issued to the correct url ‘www.angularjsauthenticationweb.com’

    I also followed the instructions to add the CARoot cert to firefox:

    Firefox Settings ➜ Options ➜ Advanced ➜ View Certificates ➜ Authorities ➜ import your CARoot.cer file

    However, when I try to open the secure URL’s from firefox on my local PC where the site is hosted I receive the ‘Secure Connection Failed’ error with either the angularjsauthenticationweb.com or http://www.angularjsauthenticationweb.com URL’s.

    I have been through the examples several times and have been unable to resolve the issues. I must be missing something here and could really use a nudge in the right direction. Thanks!

  25. Kevin Snow

    I also just wanted to throw in that this was a really helpful article. While I was doing a lot of these things I didn’t have the level of understanding that this article provided, this really helped put things together for me. Many thanks!

  26. Dave Rubin

    Very good article. I had no problem with the first part. But, I am having a difficult time creating the Server Certificates. When I run the .cmd file, it pops up with the 1st box and I enter the key twice. The next box, I enter the key once. Then the 3rd box pops up and I enter the key again and after I hit click OK, I get an Error: Can’t load the issuer certificate (‘RDS-SERVER.cer’} Failed
    Under that is shows another Error: File not found. (Error Code = 0x80070002). Here’s my .cmd file: I tried changing the names, the dates, but still get the same error. Any help would be Greatly appreciated!
    makecert.exe ^
    -n “CN=phillytrans.homeip.net” ^
    -iv RDS-SERVER.pvk ^
    -ic RDS-SERVER.cer ^
    -pe ^
    -a sha512 ^
    -len 4096 ^
    -b 07/05/2015 ^
    -e 07/05/2039 ^
    -sky exchange ^
    -eku 1.3.6.1.5.5.7.3.1 ^
    -sv RDS-SERVER.pvk ^
    RDS-SERVER.cer

    pvk2pfx.exe ^
    -pvk RDS-SERVER.pvk ^
    -spc RDS-SERVER.cer ^
    -pfx RDS-SERVER.pfx ^
    -po Test123

  27. Thank you for such a wonderful article! I was struggling with authenticating using client certificates until I found this article.

  28. swapnil

    Thanks it is realy very useful.

  29. OutOfTouch6947

    I did part 1 of what you have here but I keep getting this error on part 2 when trying to create the SSL cert
    c:\Development\DevCerts>pvk2pfx.exe -pvk TestSSL.pvk -spc TestSSL.cer -pfx TestSSL.pfx -po IAmAPassword
    ERROR: File not found.
    (Error Code = 0x80070002).

    • OutOfTouch6947

      My fault I was not putting in the correct password of my Issuer(RootCACert) to sign this new cert.

      I did part 1 of what you have here but I keep getting this error on part 2 when trying to create the SSL cert
      c:\Development\DevCerts>pvk2pfx.exe -pvk TestSSL.pvk -spc TestSSL.cer -pfx TestSSL.pfx -po IAmAPassword
      ERROR: File not found.
      (Error Code = 0x80070002).

  30. Hi this is a good guide, however I have a linux server and a windows host which I am trying to set up using SSL/TLS. I have created a CA on the server and generated the certs needed on this machine, I then added them to the ca-certs and copied the CA and cert to the client machine. I converted the .pem cert file to .cer and added both the CA and .cer files to the trusted certs using mmc command. now when i run the server and fire up the client the handshake is not completed and the server just hangs until the connection is timed out , really struck so any advice would by appreciated.

  31. Vijaykumar

    Thank you very much for this blog…. It is very clear to understand the concept. Thanks again for this post.

  32. Stephen Drew

    Thanks Elizabeth – I have read many articles on this often infuriating subject, and yours is by far the clearest and most helpful!

  33. liza

    I find this article helpful for stand-alone servers, so I am wondering if there are topics on how to create SSL for a cluster environment? Help is appreciated

  34. Kristina

    Thank you very much madam.

  35. There is also a powershell cmdlet that does a similar thing to makecert.exe: New-SelfSignedCertificate

  36. Stu

    Thank you for the detailed article. I have one question which I am never able to answer no matter which process I find on the web to follow. It revolves around the passwords. Everyone says the same thing, just use the same password for all three (like you do at the top). But then later on there are more passwords to create. Are we literally supposed to use the exact same password in every single instance above throughout the entire article? For security, I want to use different passwords where possible, knowing that some of them need to be the same. I guess if I saw example passwords (such as pwd1, pwd1, pwd2) used in the example, it would ultra clear and finally answer that one nagging question I always have.

    Thank you.

  37. AmirReza

    Thank you very very much.
    your article is the best.
    it is very simple and complete.

  38. Marco Nardi

    You Rock! Thank you for posting this, it was very helpful.

  39. Paul Kirk

    Clear, concise and demystifies this process. Thank you!

  40. Max

    My company wants to use client certificates for clients on production. We have https certificate. As I understand we need CA root to create client certificate. Question: is it ok if I just create this CA root using makecert and install on web server only and will use it to create client certificates?

  41. Boris

    Very good article, nicely explained. Helped me very quickly.
    Thank you for writing it.

  42. Joel

    I’ve come back to this excellent post a couple of times now. (Because who can remember this stuff??)
    Really well done, thanks.

    Joel

  43. Ahmed

    Can I generate certificates on personal laptop and install the CA and Server certificate the web server and client certificate on user machines?

  44. Ricardo Casquete

    simply brilliant!!!
    Thanks heaps

  45. david

    Thanks for your efforts, Elizabeth, this is very helpful.

  46. Hi Elizabeth, thank you so much. You really saved my life. By the way, I still do not understand why we need three certs, why we cannot use only one certificate for both server and client. I would very much appreciate it if you could give me your time to answer.

  47. Edwig Huisman

    Chapeau! The very first manual on creating development certificates and client ssl certificates I ever found AND could understand and use!! Very well done! Thank you!!

  48. Philip Presser

    Hi Elizabeth, can you create a wildcard certificate using the method you described above?

  49. Cam

    Thank a lot, great help you are great.
    But i should say, this is absolute madness!! There is a real need for a new, clean slate OS with no-nonsense paradigms…

  50. Amul Patel

    Hii guyz,

    i created certificate for self-sign,CA,code signing.
    so when i am signing binary with this certificate and just checking certificate it’s displayed “A certificate’s basic constraint extension has not been observed. “.
    Pls help me.

  51. Silvio

    Dear Elizabeth,
    absolutely great! With your precise steps and detailed explanations I was able to setup SSL
    certificates and code signing certificates as well. Very, very – very well done!

    Sincerely Silvio

  52. Prakash Sajwan

    best article on this topic .Thanks :)

  53. Andrew

    Thank you!
    You saved me from bureaucrats war in my company.
    regards
    AL

  54. David

    Would have been perfect except for “Open a Visual Studio Developer Command Prompt”.
    You’re assuming we have Visual Studio.
    I simply saved the cmd file and double clicked it in WindowsExplorer.
    You might mentioned this in the instructions as an alternative.

  55. Ben

    Fantastic work. Thank you!

  56. Tim Schmelter

    Whoever got the “File not found” error. I guess you also changed the names but forgot to change the name of the file which is (in this example): CARoot.cer to f.e.: NewName.cer
    It must match: -spc NewName.cer

  57. Pavel Smirnov

    Highly usable and clear! Thank you so much!

  58. Zeki

    Thank you very much!! A very good expression.

  59. Jessica

    Thank you so much! This helped me a lot.
    I couldn’t find another source where explains the complete information Step by step…super clear!

  60. Dwargh

    Time o make new guide for Chrome 58+ with SAN

  61. Daniel

    Thank you. Thank you. Thank you

    remember folks to modify that expiry date!

  62. Mentore

    Clear as pure water. Thanks a lot, I was going through the struggle of creating certificates and I really couldn’t find something really useful. Thanks, this is really good work!

  63. Ranz

    A very well done article to read, very comprehensive but I got a problem with my Server and Client certificates that these are not valid or expire.

  64. Thank you. This was very helpful. I like the way you explain things.

  65. Came across your site, and I must say, it’s interesting. Posts like this are what makes this blog awesome, Elizabeth. I really find this information very handy. Excited to see more similar contents from you in the future. More power!

  66. Mike

    Nice article !
    I came across this free GUI tool to make signed and self-signed certificates. You can make any certificate with a few clicks…
    Itiverba Self Signed Certificate Generator : http://www.itiverba.com/en/software/itisscg.php

  67. Emeka Vin

    Thanks Elizabeth for this article!!

  68. Pierre

    Hi,
    Here is a free alternative to the deprecated makecert : http://www.itiverba.com/en/software/itisscg.php.
    It ‘s a GUI free tool for Windows and you can create self-signed certificate, CA certificate, view ASN format, eport to files, ….

    • Axel

      Thank you for the tool 🙂
      The tool is very nice and usually easy to use, also to CA and Client (Software signing) or similar.
      I created a CA and a Client certificate for software signing and it seems to work and Visual Studio 2017 like the certificate too 😀
      PVK Lenght: 16384, SHA 512

      What was your settings for CA and Client/Software or what are the best settings for CA and Software?

  69. Nate

    What is the purpose of the step where you are running pvk2pfx, while creating the root cert? I couldn’t see where the resulting CAroot.pfx was ever used for anything.

  70. Matt Duguid

    Great article, helped me quickly create some certificates for testing :)

  71. Gabriel

    Thank you. Any chances to generate EV SSL ones?

  72. Helena Makarchuk

    Thank you!

  73. Chris Salem

    Your’re awesome. This article helped me so much. Thank you!

  74. Your’re awesome. This article helped me so much. Thank you!

  75. CJL

    OMG. You are the greatest. Thank You!

  76. Arif Hossain

    Great way to simply describe a complex issue pictorially. It was very helpful! Thank you.

  77. This is a great post, thanks for sharing it.

    Anyone following these instructions should probably update the Expiration dates, and keep in mind that Chrome no longer accepts certificates without a SubjectAltName. Sadly, MakeCert cannot set that field. See https://github.com/FiloSottile/mkcert for an alternative that works across platforms.

Trackbacks for this post

  1. Creating self signed certificates with makecert.exe for development | Jayway | Jackie Chan Focus Daily
  2. Client authentication using the pfx not working * Best Wordpress Themes - Reviews
  3. Connect Azure Virtual Machines on Company Network | ArunYadav_Blog
  4. Creating Root and Client Certificate for Point-to-Site Azure VPN - Learning SharePoint
  5. Custom domains, SSL and Azure | Coding Kram – Ideasyncline
  6. Create and Sign Certificate in C# « TechAnswer
  7. How To Create Pvk File From Cer | How Give Money
  8. IIS Certificate import >> cannot be used as an SSL Certificate error | Tech
  9. Creating self signed certificates with makecert.exe for development – Geek (G) of (T) Technology

Leave a Reply