Share via


Certificate Creation Tool (Makecert.exe)

The Certificate Creation tool generates X.509 certificates for testing purposes only. It creates a public and private key pair for digital signatures and stores it in a certificate file. This tool also associates the key pair with a specified publisher's name and creates an X.509 certificate that binds a user-specified name to the public part of the key pair.

Makecert.exe includes basic and extended options. Basic options are those most commonly used to create a certificate. Extended options provide more flexibility.

Certificate private keys generated by this tool should never be stored in .snk files. If you need to store a private key, you should use a key container. For more on how to store a private key in a key container, see How to: Store Asymmetric Keys in a Key Container.

Warning

You should use a certificate store to securely store your certificates. The .snk files used by this tool store private keys in an unprotected manner. When you create or import a .snk file, you should be careful to secure it during use and remove it when you are done.

makecert [options] outputCertificateFile
Argument Description

outputCertificateFile

The name of the .cer file where the test X.509 certificate will be written.

Basic Options

Option Description

-n x509name

Specifies the subject's certificate name. This name must conform to the X.500 standard. The simplest method is to specify the name in double quotes, preceded by CN=; for example, "CN=myName".

-pe

Marks the generated private key as exportable. This allows the private key to be included in the certificate.

-sk keyname

Specifies the subject's key container location, which contains the private key. If a key container does not exist, it will be created.

-sr location

Specifies the subject's certificate store location. Location can be either currentuser (the default), or localmachine.

-ss store

Specifies the subject's certificate store name that stores the output certificate.

-# number

Specifies a serial number from 1 to 2,147,483,647. The default is a unique value generated by Makecert.exe.

-$ authority

Specifies the signing authority of the certificate, which must be set to either commercial (for certificates used by commercial software publishers) or individual (for certificates used by individual software publishers).

-?

Displays command syntax and a list of basic options for the tool.

-!

Displays command syntax and a list of extended options for the tool.

Extended Options

Option Description

-a algorithm

Specifies the signature algorithm. Must be either md5 (the default) or sha1.

-b mm/dd/yyyy

Specifies the start of the validity period. Defaults to the certificate's creation date.

-cy certType

Specifies the certificate type. Valid values are end for end-entity, authority for certification authority.

-d name

Displays the subject's name.

-e mm/dd/yyyy

Specifies the end of the validity period. Defaults to 12/31/2039 11:59:59 GMT.

-eku oid[,oid]

Inserts a list of comma-separated, enhanced key usage object identifiers (OIDs) into the certificate.

-h number

Specifies the maximum height of the tree below this certificate.

-ic file

Specifies the issuer's certificate file.

-ik keyName

Specifies the issuer's key container name.

-iky keytype

Specifies the issuer's key type, which must be signature, exchange, or an integer that represents a provider type. By default, you can pass 1 for an exchange key and 2 for a signature key.

-in name

Specifies the issuer's certificate common name.

-ip provider

Specifies the issuer's CryptoAPI provider name.

-ir location

Specifies the location of the issuer's certificate store. Location can be either currentuser (the default) or localmachine.

-is store

Specifies the issuer's certificate store name.

-iv pvkFile

Specifies the issuer's .pvk private key file.

-iy pvkFile

Specifies the issuer's CryptoAPI provider type.

-l link

Links to policy information (for example, a URL).

-m number

Specifies the duration, in months, of the certificate validity period.

-nscp

Includes the Netscape client-authorization extension.

-r

Creates a self-signed certificate.

-sc file

Specifies the subject's certificate file.

-sky keytype

Specifies the subject's key type, which must be signature, exchange, or an integer that represents a provider type. By default, you can pass 1 for an exchange key and 2 for a signature key.

-sp provider

Specifies the subject's CryptoAPI provider name.

-sv pvkFile

Specifies the subject's .pvk private key file. The file is created if none exists.

-sy type

Specifies the subject's CryptoAPI provider type.

Examples

The following command creates a test certificate issued by the default test root and writes it to testCert.cer.

makecert testCert.cer

The following command creates a certificate issued by the default test root and saves it to a certificate store.

makecert -ss testCertStore

The following command creates a certificate issued by the default test root and saves it to a certificate store. It explicitly places the certificate in the currentuser store.

makecert -ss testCertStore -sr currentuser

The following command creates a test certificate and writes it to textXYZ.cer, using the subject's key container and the certificate subject's X.500 name.

makecert -sk XYZ -n "CN=XYZ Company" testXYZ.cer 

The following command creates a certificate issued by the default test root, creates a .pvk file, and outputs the certificate to both the store and the file.

makecert -sv testCert.pvk -ss testCertStore testCert.cer

The following command creates a certificate issued by the default test root, creates a key container, and outputs the certificate to both the store and the file.

makecert -sk myTestKey -ss testCertStore testCert.cer

The following command creates a self signed certificate, specifies a subject name of "CN=XYZ Company", specifies start end ending validity periods, places the key in the my store, specifies and exchange key, and makes the private key exportable.

makecert -r -pe -n "CN=XYZ Company" -b 01/01/2005 -e 01/01/2010 -sky exchange -ss my

The following commands create certificates and save them to stores. The first command creates a certificate using the default test root and saves the certificate to a store. The second command creates another certificate using the newly created certificate and saves the second certificate to another store.

makecert -sk myTestKey -ss testCertStore
makecert -is testCertStore -ss anotherTestStore

The following commands create certificates and save them to stores. The first command saves the certificate to the my store. The second command creates another certificate using the newly created certificate. Because there is more than one certificate in the my store, the second command identifies the first certificate using its common name.

makecert -sk myTestKey -n "CN=XXZZYY" -ss my
makecert -is my -in "XXZZYY" -ss anotherTestStore

The following commands create certificates and save them to files and stores. The first command creates a certificate using the default test root and saves the certificate to the my store and to a file. The second command creates another certificate using the newly created testCert.cer certificate. Because there is more than one certificate in the my store, the second command uniquely identifies the first certificate using the certificate file name.

makecert -sk myTestKey -n "CN=XXZZYY" -ss my testCert.cer
makecert -is my -ic testCert.cer -ss anotherTestStore

See Also

Reference

.NET Framework Tools
Software Publisher Certificate Test Tool (Cert2spc.exe)
SDK Command Prompt