CertCreateSelfSignCertificate function

The CertCreateSelfSignCertificate function builds a self-signed certificate and returns a pointer to a CERT_CONTEXT structure that represents the certificate.


PCCERT_CONTEXT WINAPI CertCreateSelfSignCertificate(
  _In_     PCERT_NAME_BLOB                 pSubjectIssuerBlob,
  _In_     DWORD                           dwFlags,
  _In_opt_ PCRYPT_KEY_PROV_INFO            pKeyProvInfo,
  _In_opt_ PCRYPT_ALGORITHM_IDENTIFIER     pSignatureAlgorithm,
  _In_opt_ PSYSTEMTIME                     pStartTime,
  _In_opt_ PSYSTEMTIME                     pEndTime,
           PCERT_EXTENSIONS                pExtensions


hCryptProvOrNCryptKey [in, optional]

A handle of a cryptographic provider used to sign the certificate created. If NULL, information from the pKeyProvInfo parameter is used to acquire the needed handle. If pKeyProvInfo is also NULL, the default provider type, PROV_RSA_FULL provider type, the default key specification, AT_SIGNATURE, and a newly created key container with a unique container name are used.

This handle must be an HCRYPTPROV handle that has been created by using the CryptAcquireContext function or an NCRYPT_KEY_HANDLE handle that has been created by using the NCryptOpenKey function. New applications should always pass in the NCRYPT_KEY_HANDLE handle of a CNG cryptographic service provider (CSP).

pSubjectIssuerBlob [in]

A pointer to a BLOB that contains the distinguished name (DN) for the certificate subject. This parameter cannot be NULL. Minimally, a pointer to an empty DN must be provided. This BLOB is normally created by using the CertStrToName function. It can also be created by using the CryptEncodeObject function and specifying either the X509_NAME or X509_UNICODE_NAME StructType.

dwFlags [in]

A set of flags that override the default behavior of this function. This can be zero or a combination of one or more of the following values.


By default, the returned PCCERT_CONTEXT references the private keys by setting the CERT_KEY_PROV_INFO_PROP_ID. If you do not want the returned PCCERT_CONTEXT to reference private keys by setting the CERT_KEY_PROV_INFO_PROP_ID, specify CERT_CREATE_SELFSIGN_NO_KEY_INFO.


By default, the certificate being created is signed. If the certificate being created is only a dummy placeholder, the certificate might not need to be signed. Signing of the certificate is skipped if CERT_CREATE_SELFSIGN_NO_SIGN is specified.


pKeyProvInfo [in, optional]

A pointer to a CRYPT_KEY_PROV_INFO structure. Before a certificate is created, the CSP is queried for the key provider, key provider type, and the key container name. If the CSP queried does not support these queries, the function fails. If the default provider does not support these queries, a pKeyProvInfo value must be specified. The RSA BASE does support these queries.

If the pKeyProvInfo parameter is not NULL, the corresponding values are set in the CERT_KEY_PROV_INFO_PROP_ID value of the generated certificate. You must ensure that all parameters of the supplied structure are correctly specified.

pSignatureAlgorithm [in, optional]

A pointer to a CRYPT_ALGORITHM_IDENTIFIER structure. If NULL, the default algorithm, SHA1RSA, is used.

pStartTime [in, optional]

A pointer to a SYSTEMTIME structure. If NULL, the system current time is used by default.

pEndTime [in, optional]

A pointer to a SYSTEMTIME structure. If NULL, the pStartTime value plus one year will be used by default.

pExtensions [optional]

A pointer to a CERT_EXTENSIONS array of CERT_EXTENSION structures. By default, the array is empty. An alternate subject name, if desired, can be specified as one of these extensions.

Return value

If the function succeeds, a PCCERT_CONTEXT variable that points to the created certificate is returned. If the function fails, it returns NULL. For extended error information, call GetLastError.


Minimum supported client

Windows XP [desktop apps | Windows Store apps]

Minimum supported server

Windows Server 2003 [desktop apps | Windows Store apps]







See also