You can use the certificate generation tool makecert.exe in mssdk6.0.
Step 1: Generate a self-signed root certificate (the issuer).
> makecert -n "CN=root" -r -sv rootissuer.pvk rootissuer.cer
A prompt box is displayed. First, set the protection password for the private key file rootissuer.pvk.
Then enter the password again so that the private key (in rootissuer.pvk) can be used to encrypt the public key (in rootissuer.cer).
Step 2: Use this certificate to issue a subcertificate (the user, or subject).
> makecert -n "CN=Child" -iv rootissuer.pvk -ic rootissuer.cer -sv childsubject.pvk childsubject.cer
A prompt box is displayed to set a protection password for the subcertificate's private key file, childsubject.pvk.
Then enter the password for the subcertificate's private key (in childsubject.pvk), which is used to protect the public key of the subcertificate (in childsubject.cer).
Next, you are prompted for the password of the root certificate's private key (in rootissuer.pvk), which is used to issue the entire subcertificate (public key and user information).
To issue more subcertificates, repeat Step 2. You can also use the childsubject certificate to issue a lower-level certificate in the same way, provided that the childsubject certificate can itself be used for issuing (as an issuer).
Note:
(1) If you need an exchange certificate for secure communication, add the option -sky exchange.
(2) If you need a signature certificate for signing certificates or binary files, add the option -sky signature.
(3) If you need a client certificate that identifies you or protects personal information (e-mail), the E field in the -n option is indispensable.
Example: -n "CN=company name, E=e-mail address, O=organization name, OU=organization unit, C=country, S=province (state), P=county seat"
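To confirm that Step 2 produced what you intended, the following PowerShell check (an added example, not part of the original page) builds the chain from childsubject.cer to rootissuer.cer and reports whether the subcertificate is marked as a CA, which relates to the remark above about using it as an issuer. The function name Test-IssuedBy is hypothetical, and the script assumes it runs in the directory that holds the two .cer files from Steps 1 and 2.

```powershell
# Added example, not from the original page. Test-IssuedBy is a hypothetical name.
# Assumption: rootissuer.cer and childsubject.cer from Steps 1 and 2 are in the current directory.
function Test-IssuedBy {
    param(
        [string]$RootPath  = '.\rootissuer.cer',
        [string]$ChildPath = '.\childsubject.cer'
    )
    $x509  = 'System.Security.Cryptography.X509Certificates'
    $root  = New-Object "$x509.X509Certificate2" -ArgumentList (Resolve-Path $RootPath).Path
    $child = New-Object "$x509.X509Certificate2" -ArgumentList (Resolve-Path $ChildPath).Path

    # Offer the Step 1 root as a candidate issuer without installing it in a trust store.
    $chain = New-Object "$x509.X509Chain"
    [void]$chain.ChainPolicy.ExtraStore.Add($root)
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # a test root publishes no CRL
    # Tolerate only the "unknown CA" condition; signature errors still fail the build.
    $chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
    $built = $chain.Build($child)

    # The flag above also tolerates a partial chain, so check explicitly that the
    # top of the chain is the expected root and not the child itself.
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    # Basic Constraints with CA=true is what marks a certificate as an issuer.
    $bc = $child.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
    }

    [pscustomobject]@{
        ChildSubject = $child.Subject
        ChildIssuer  = $child.Issuer
        ChainBuilt   = $built
        ChainsToRoot = ($top.Thumbprint -eq $root.Thumbprint)
        ChainStatus  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        ChildIsCA    = [bool]($bc -and $bc.CertificateAuthority)
        SignatureAlg = $child.SignatureAlgorithm.FriendlyName
    }
}

Test-IssuedBy
```

ChainBuilt and ChainsToRoot should both be True for a correctly issued subcertificate; ChildIsCA shows whether the certificate carries the CA flag.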
Other auxiliary tools:
1) Convert the public key certificate format to SPC: cert2spc.exe
> cert2spc testroot.cer testroot.spc
(.spc stands for software publisher certificate.)
2) Combine the public key certificate and private key into a PFX certificate file: pvk2pfx.exe
> pvk2pfx -pvk testroot.pvk -spc testroot.spc -pfx testroot.pfx
Enter the testroot.pvk protection password to merge the .pvk and .spc files. If you do not set a protection password for the merged testroot.pfx, its protection password is the same as the password of the input file testroot.pvk. (Note: You can directly obtain the SPC file from the CER file.)
3) Signing tool: signtool.exe
Digitally signs binary files. A digital signature is a good way to ensure the integrity of a binary file.
Run the following command to start the file signature tool wizard with a graphical interface:
> signtool signwizard
The following signs a file from the command line:
> signtool sign /f "pfx file full path" /p "pfx file protection password" /t "http://timestamp.verisign.com/scripts/timstamp.dll" /d "description of this signature" "full path of the program to sign"