Certificate creation tool (makecert.exe)

. NET Framework tool Certificate creation tool (makecert.exe)

The certificate creation tool generates X.509 certificates for testing purposes only. It creates a public key and private key pair for digital signature, and stores it in the certificate file. This tool also associates the key pair with the name of the specified issuer and creates an X.509 Certificate that binds the user-specified name to the public part of the key pair.

Makecert.exe contains basic options and extension options. Basic options are the most commonly used options for creating certificates. Extended options provide more flexibility.

Do not store the certificate Private Key generated by this tool in the. SNK file. To store the private key, use the key container. For more information about how to store private keys in a key container, see How to: store asymmetric keys in a key container.

Warning
Use the certificate storage area to securely store certificates. The. SNK file used by this tool stores the private key in an unprotected manner. When creating or importing a. SNK file, ensure its security during use and remove it after use.

 
Makecert [Options] outputcertificatefile
 

Parameters	Description
Outputcertificatefile	Name of the. Cer file to be written to the X.509 Certificate.

Basic options

Option	Description
-N X509name	Specifies the Certificate Name of the topic. This name must comply with X.500 standards. The simplest way is to specify this name in double quotation marks and add the prefixCN =For example, "cn =Myname".
-PE	Mark the generated private key as exported. In this way, the private key can be included in the certificate.
-Sk Keyname	Specifies the location of the key container for the topic, which contains the private key. If the key container does not exist, the system creates one.
-Sr Location	Specifies the certificate storage location for the topic.LocationYesCurrentuser(Default) OrLocalmachine.
-SS Store	Specify the certificate storage name of the topic, and the output certificate is stored there.
-# Number	Specifies a serial number between 1 and 2,147,483,647. The default value is the unique value generated by makecert.exe.
-$ Authority	Specify the Certificate Signature permission, which must be setCommercial(Certificates used by commercial software vendors) orIndividual(Certificates used by personal software senders ).
-?	Displays the command syntax and basic options of this tool.
-!	Displays the command syntax and extended Option List of this tool.

Extended options

Option	Description
- Algorithm	Specify SignatureAlgorithm. RequiredMD5(Default) orSha1.
-B Mm/DD/YYYY	Specify the start time of the validity period. The default date is the certificate creation date.
-Cy Certtype	Specify the certificate type. Valid value isEnd(For final entities) andAuthority(For certificate authorities ).
-D Name	The name of the topic.
-E Mm/DD/YYYY	End Time of the validity period. The default value is 12/31/2039 11:59:59 GMT.
-Eku Oid[,Oid]	Insert the list of enhanced Key Usage Object Identifiers (OID) separated by commas into the certificate.
-H Number	Specify the maximum height of the tree under this certificate.
-IC File	Specifies the issuer's Certificate file.
-Ik Keyname	Specifies the name of the issuer's key container.
-Iky Keytype	Specifies the issuer's key type, which must beSignature,ExchangeOr a representation to provideProgramType integer. By default1Indicates the exchange key, passed in2Indicates the signature key.
-InName	Specifies the public name of the issuer's certificate.
-IP Provider	Specifies the issuer's CryptoAPI provider name.
-IR Location	Specifies the certificate storage location of the issuer.LocationYesCurrentuser(Default) orLocalmachine.
-Is Store	Specifies the name of the issuer's certificate store.
-IV Pvkfile	Specifies the. PVK private key file of the issuer.
-Iy Pvkfile	Specifies the type of the issuer's CryptoAPI provider.
-L Link	Link to the policy information (for example, a URL ).
-M Number	Specify the duration of the certificate validity period in months.
-NSCP	Including Netscape client authentication extensions.
-R	Create a self-signed certificate.
-SC File	Specifies the Certificate file of the topic.
-Sky Keytype	Specifies the key type of the topic, which must beSignature,ExchangeOr an integer that represents the provider type. By default1Indicates the exchange key, passed in2Indicates the signature key.
-SP Provider	Specifies the name of the CryptoAPI provider for the topic.
-SV Pvkfile	Specifies the. PVK private key file of the topic. If the file does not exist, the system creates one.
-Sy Type	Specifies the CryptoAPI provider type of the topic.

Example

The following command creates a test certificate issued by the default test root and writes itTestcert. Cer.

Copy code

Makecert testcert. Cer
 

The following command creates a certificate issued by the default test root and saves it to the certificate store.

Copy code

 
Makecert-SS testcertstore
 

The following command creates a certificate issued by the default test root and saves it to the certificate store. It explicitly places the certificateCurrentuserStorage area.

Copy code

 
Makecert-SS testcertstore-Sr currentuser
 

The following command creates a test certificate using the secret container of the topic and the X.500 name of the certificate topic, and writes itTextxyz. Cer.

Copy code

Makecert-sk xyz-n "cn = XYZ Company" testxyz. Cer
 

The following command creates a certificate issued by the default test root and A. PVK file, and outputs the certificate to both the storage area and the file.

Copy code

 
Makecert-SV testcert. PVK-SS testcertstore testcert. Cer
 

The following command creates a certificate issued by the default test root and a key container, and outputs the certificate to both the storage zone and the file.

Copy code

 
Makecert-SK mytestkey-SS testcertstore testcert. Cer
 

The following command creates a self-signed certificate, specifying the user name as "cn = XYZ Company", specifying the start time and end time of the validity period, and placing the key inMyStorage area, specifying and exchanging keys, and enabling private keys to be exported.

Copy code

Makecert-r-pe-n "cn = XYZ Company"-B 01/01/2005-e 01/01/2010-sky exchange-SS my
 

The following command creates some certificates and saves them to the storage area. The first command creates a certificate using the default test root and saves it to the storage area. The second command creates another certificate using the newly created certificate and saves the second certificate to another storage zone.

Copy code

 
Makecert-SK mytestkey-SS testcertstoremakecert-Is testcertstore-SS anotherteststore
 

The following command creates some certificates and saves them to the storage area. The first command saves the certificateMyStorage area. The second command creates another certificate using the newly created certificate. BecauseMyThere are multiple certificates in the bucket, so the second command uses a public name to identify the first certificate.

Copy code

Makecert-SK mytestkey-n "cn = xxzzyy"-SS mymakecert-is my-in "xxzzyy"-SS anotherteststore
 

The following command creates some certificates and saves them to the file and storage area. The first command creates a certificate using the default test root and saves itMyStorage area and a file. The second command uses the newly createdTestcert. CerThe certificate creates another certificate. BecauseMyThere are multiple certificates in the bucket, so the second command uses the Certificate file name to uniquely identify the first certificate.

Copy code

 
Makecert-SK mytestkey-n "cn = xxzzyy"-SS my testcert. cermakecert-is my-ic testcert. cer-SS anotherteststore