MakeCert (Makecert.exe) is a command-line CryptoAPI tool that creates an X.509 certificate that is signed by a system test root key or by another specified key. The certificate binds a certificate name to the public part of the key pair. The certificate is saved to a file, a system certificate store, or both.
MakeCert supports a large number of switches but this section only describes the basic switches that are relevant to creating a test certificate that can be used to test-sign a driver package or embed a signature in a driver file.
MakeCert [/b DateStart] [/e DateEnd] [/len KeyLength] [/m nMonths] [/n "Name"] [/pe] [/r] [/sc SubjectCertFile] [/sk SubjectKey] [/sr SubjectCertStoreLocation] [/ss SubjectCertStoreName] [/sv SubjectKeyFile]OutputFile
- /b DateStart
Specifies the start date when the certificate first becomes valid. The format of DateStart is mm/dd/yyyy.
If the /b switch is not specified, the default start date is the date when the certificate is created.
- /e DateEnd
Specifies the end date when the certificate's validity period ends. The format of DateEnd is mm/dd/yyyy.
If the /e switch is not specified, the default end date is 12/31/2039.
- /len KeyLength
Specifies the length, in units of bits, of the subject's private and public keys.
If the /len switch is not specified, the default key length is 1024 bits.
- /m nMonths
Specifies the number of months starting from the start date during which the certificate will remain valid.
- /n "Name"
Specifies a name for the certificate. This name must conform to the X.500 standard. The simplest method is to use the "CN=MyName" format.
If the /n switch is not specified, the default name of the certificate is "Joe's Software Emporium".
Configures MakeCert to make the private key that is associated with the certificate exportable.
Configures MakeCert to create a self-signed root certificate.
- /sc SubjectCertFile
Specifies the subject's certificate file name along with the existing subject public key that is used.
- /sk SubjectKey
Specifies the name of the subject's key container that holds the private key. If a key container does not exist, a new key container is created. If neither /sk nor /sv switch is entered, a default key container is created and used by default.
- /sr SubjectCertStoreLocation
Specifies the registry location of the certificate store. The SubjectCertStoreLocation argument must be either of the following:
Specifies the registry location HKEY_CURRENT_USER.
Specifies the registry location HKEY_LOCAL_MACHINE.
If the /r switch is not specified along with the /s switch, currentUser is the default.
- /ss SubjectCertStoreName
Specifies the name of the certificate store where the generated certificate is saved.
- /sv SubjectKeyFile
Specifies the name of the subject's .pvk file that holds the private key. If neither /sk nor /sv switch is entered, a default key container is created and used by default.
The name of the file in which the generated certificate is saved.
MakeCert supports a large number of switches. The switches described in this topic are limited to the ones that you can use to create a test certificate.
A 32-bit version of the MakeCert tool is located in the bin\i386 folder of the WDK. A 64-bit version of the tool is located in the bin\amd64 and bin\ia64 folders of the WDK.
In the following example, the MakeCert command generates a self-signed test certificate named "Contoso.com(Test)," installs the test certificate in the PrivateCertStore certificate store, and creates the Testcert.cer file, which contains a copy of the test certificate.
MakeCert -r -pe -ss PrivateCertStore -n "CN=Contoso.com(Test)" testcert.cer