Table of contents
TOC
Collapse the table of content
Expand the table of content

MakeCert

Last Updated: 11/22/2016

MakeCert (Makecert.exe) is a command-line CryptoAPI tool that creates an X.509 certificate that is signed by a system test root key or by another specified key. The certificate binds a certificate name to the public part of the key pair. The certificate is saved to a file, a system certificate store, or both.

MakeCert supports a large number of switches but this section only describes the basic switches that are relevant to creating a test certificate that can be used to test-sign a driver package or embed a signature in a driver file.

    MakeCert [/b DateStart] [/e DateEnd] [/len KeyLength] [/m nMonths] [/n "Name"] [/pe] [/r] [/sc SubjectCertFile] [/sk SubjectKey] [/sr SubjectCertStoreLocation] [/ss SubjectCertStoreName] [/sv SubjectKeyFile]OutputFile

Partial list of switches and arguments

/bDateStart
Specifies the start date when the certificate first becomes valid. The format of DateStart is mm/dd/yyyy.

If the /b switch is not specified, the default start date is the date when the certificate is created.

/eDateEnd
Specifies the end date when the certificate's validity period ends. The format of DateEnd is mm/dd/yyyy.

If the /e switch is not specified, the default end date is 12/31/2039.

/lenKeyLength
Specifies the length, in units of bits, of the subject's private and public keys.

If the /len switch is not specified, the default key length is 1024 bits.

/mnMonths
Specifies the number of months starting from the start date during which the certificate will remain valid.

/n "Name"
Specifies a name for the certificate. This name must conform to the X.500 standard. The simplest method is to use the "CN=MyName" format.

If the /n switch is not specified, the default name of the certificate is "Joe's Software Emporium".

/pe
Configures MakeCert to make the private key that is associated with the certificate exportable.

/r
Configures MakeCert to create a self-signed root certificate.

/scSubjectCertFile
Specifies the subject's certificate file name along with the existing subject public key that is used.

/skSubjectKey
Specifies the name of the subject's key container that holds the private key. If a key container does not exist, a new key container is created. If neither /sk nor /sv switch is entered, a default key container is created and used by default.

/srSubjectCertStoreLocation
Specifies the registry location of the certificate store. The SubjectCertStoreLocation argument must be either of the following:

currentUser
Specifies the registry location HKEY_CURRENT_USER.

localMachine
Specifies the registry location HKEY_LOCAL_MACHINE.

If the /r switch is not specified along with the /s switch, currentUser is the default.

/ssSubjectCertStoreName
Specifies the name of the certificate store where the generated certificate is saved.

/svSubjectKeyFile
Specifies the name of the subject's .pvk file that holds the private key. If neither /sk nor /sv switch is entered, a default key container is created and used by default.

OutputFile
The name of the file in which the generated certificate is saved.

Comments

MakeCert supports a large number of switches. The switches described in this topic are limited to the ones that you can use to create a test certificate.

For a complete list of MakeCert parameters, see the MakeCert website and the Using MakeCert website.

A 32-bit version of the MakeCert tool is located in the bin\i386 folder of the WDK. A 64-bit version of the tool is located in the bin\amd64 and bin\ia64 folders of the WDK.

Examples

In the following example, the MakeCert command generates a self-signed test certificate named "Contoso.com(Test)," installs the test certificate in the PrivateCertStore certificate store, and creates the Testcert.cer file, which contains a copy of the test certificate.

MakeCert -r -pe -ss PrivateCertStore -n "CN=Contoso.com(Test)" testcert.cer

Send comments about this topic to Microsoft

© 2016 Microsoft