.NET Framework Tool: Certificate Creation Tool (Makecert.exe)
The certificate creation tool generates X.509 certificates for testing purposes only. It creates a public key and private key pair for digital signature, and stores it in the certificate file. This tool also associates the key pair with the name of the specified issuer and creates an X.509 Certificate that binds the user-specified name to the public part of the key pair.
Makecert.exe has basic options and extended options. Basic options are the ones most commonly used to create a certificate. Extended options provide more flexibility.
Do not store the certificate private key generated by this tool in a .snk file. To store the private key, use a key container. For more information about how to store private keys in a key container, see How to: Store Asymmetric Keys in a Key Container.
Warning: Use a certificate store to store certificates securely. The .snk files used by this tool store private keys in an unprotected manner. When you create or import a .snk file, keep it secure while it is in use and remove it when you are done.
    makecert [options] outputCertificateFile
| Parameter | Description |
|---|---|
| outputCertificateFile | Name of the .cer file to which the test X.509 certificate is written. |
Basic options
| Option | Description |
|---|---|
| -n x509name | Specifies the subject's certificate name. This name must comply with the X.500 standard. The simplest way is to specify the name in double quotation marks, preceded by CN=; for example, "CN=myName". |
| -pe | Marks the generated private key as exportable. In this way, the private key can be included in the certificate. |
| -sk keyname | Specifies the location of the subject's key container, which contains the private key. If the key container does not exist, the system creates one. |
| -sr location | Specifies the subject's certificate store location. Location can be currentuser (the default) or localmachine. |
| -ss store | Specifies the name of the subject's certificate store, in which the output certificate is stored. |
| -# number | Specifies a serial number between 1 and 2,147,483,647. The default is a unique value generated by Makecert.exe. |
| -$ authority | Specifies the signing authority of the certificate, which must be set to commercial (for certificates used by commercial software publishers) or individual (for certificates used by individual software publishers). |
| -? | Displays the command syntax and the list of basic options for this tool. |
| -! | Displays the command syntax and the list of extended options for this tool. |
Extended options
| Option | Description |
|---|---|
| -a algorithm | Specifies the signature algorithm. Must be md5 (the default) or sha1. |
| -b mm/dd/yyyy | Specifies the start of the validity period. The default is the date the certificate is created. |
| -cy certType | Specifies the certificate type. Valid values are end (for end entities) and authority (for certification authorities). |
| -d name | The subject's name. |
| -e mm/dd/yyyy | Specifies the end of the validity period. The default is 12/31/2039 11:59:59 GMT. |
| -eku oid[,oid] | Inserts a comma-separated list of enhanced key usage object identifiers (OIDs) into the certificate. |
| -h number | Specifies the maximum height of the tree below this certificate. |
| -ic file | Specifies the issuer's certificate file. |
| -ik keyName | Specifies the name of the issuer's key container. |
| -iky keytype | Specifies the issuer's key type, which must be signature, exchange, or an integer that represents a provider type. By default, 1 indicates an exchange key and 2 indicates a signature key. |
| -in name | Specifies the common name of the issuer's certificate. |
| -ip provider | Specifies the issuer's CryptoAPI provider name. |
| -ir location | Specifies the issuer's certificate store location. Location can be currentuser (the default) or localmachine. |
| -is store | Specifies the name of the issuer's certificate store. |
| -iv pvkFile | Specifies the issuer's .pvk private key file. |
| -iy pvkFile | Specifies the issuer's CryptoAPI provider type. |
| -l link | Links to policy information (for example, a URL). |
| -m number | Specifies the duration of the certificate validity period, in months. |
| -nscp | Includes the Netscape client authentication extension. |
| -r | Creates a self-signed certificate. |
| -sc file | Specifies the subject's certificate file. |
| -sky keytype | Specifies the subject's key type, which must be signature, exchange, or an integer that represents a provider type. By default, 1 indicates an exchange key and 2 indicates a signature key. |
| -sp provider | Specifies the name of the subject's CryptoAPI provider. |
| -sv pvkFile | Specifies the subject's .pvk private key file. If the file does not exist, the system creates one. |
| -sy type | Specifies the subject's CryptoAPI provider type. |
Example
The following command creates a test certificate issued by the default test root and writes it to testcert.cer.
    makecert testcert.cer
The following command creates a certificate issued by the default test root and saves it to a certificate store.
    makecert -ss testcertstore
The following command creates a certificate issued by the default test root and saves it to a certificate store. It explicitly places the certificate in the currentuser store location.
    makecert -ss testcertstore -sr currentuser
The following command creates a test certificate using the subject's key container and the X.500 name of the certificate subject, and writes it to testxyz.cer.
    makecert -sk xyz -n "CN=XYZ Company" testxyz.cer
The following command creates a certificate issued by the default test root, creates a .pvk file, and outputs the certificate to both the store and the file.
    makecert -sv testcert.pvk -ss testcertstore testcert.cer
The following command creates a certificate issued by the default test root, creates a key container, and outputs the certificate to both the store and the file.
    makecert -sk mytestkey -ss testcertstore testcert.cer
The following command creates a self-signed certificate. It specifies the subject name "CN=XYZ Company", specifies the start and end of the validity period, places the key in the my store, specifies an exchange key, and makes the private key exportable.
    makecert -r -pe -n "CN=XYZ Company" -b 01/01/2005 -e 01/01/2010 -sky exchange -ss my
The following commands create certificates and save them to stores. The first command creates a certificate using the default test root and saves it to a store. The second command creates another certificate using the newly created certificate and saves the second certificate to another store.
    makecert -sk mytestkey -ss testcertstore
    makecert -is testcertstore -ss anotherteststore
The following commands create certificates and save them to stores. The first command saves the certificate to the my store. The second command creates another certificate using the newly created certificate. Because there are multiple certificates in the my store, the second command identifies the first certificate by its common name.
    makecert -sk mytestkey -n "CN=XXZZYY" -ss my
    makecert -is my -in "XXZZYY" -ss anotherteststore
The following commands create certificates and save them to files and stores. The first command creates a certificate using the default test root and saves it to the my store and to a file. The second command creates another certificate using the newly created testcert.cer certificate. Because there are multiple certificates in the my store, the second command uses the certificate file name to uniquely identify the first certificate.
    makecert -sk mytestkey -n "CN=XXZZYY" -ss my testcert.cer
    makecert -is my -ic testcert.cer -ss anotherteststore
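Several options in the tables above have security consequences when a makecert command is left in a build or setup script: the md5 default for -a, -pe, -sv, and the 2039 default expiry. The following check is an added example, not part of the original documentation; it parses a makecert command line against the option tables and reports those settings, and the function names and finding names are invented for illustration.

```python
import shlex

# Options from the tables above that take a value, and those that do not.
VALUE_OPTS = {"-n", "-sk", "-sr", "-ss", "-#", "-$", "-a", "-b", "-cy", "-d",
              "-e", "-eku", "-h", "-ic", "-ik", "-iky", "-in", "-ip", "-ir",
              "-is", "-iv", "-iy", "-l", "-m", "-sc", "-sky", "-sp", "-sv",
              "-sy"}
FLAG_OPTS = {"-pe", "-r", "-nscp", "-?", "-!"}


def parse_makecert(command):
    """Split one makecert command line into (options, output file or None)."""
    lexer = shlex.shlex(command, posix=True)
    lexer.whitespace_split = True
    lexer.commenters = ""        # '#' is part of the -# option, not a comment
    lexer.escape = ""            # keep backslashes in Windows paths intact
    tokens = list(lexer)
    if not tokens or tokens[0].lower() not in ("makecert", "makecert.exe"):
        raise ValueError("not a makecert command: %r" % command)
    opts, output, i = {}, None, 1
    while i < len(tokens):
        tok = tokens[i]
        if tok in VALUE_OPTS:
            if i + 1 == len(tokens):
                raise ValueError("option %s has no value" % tok)
            opts[tok], i = tokens[i + 1], i + 2
        elif tok in FLAG_OPTS:
            opts[tok], i = True, i + 1
        elif output is None and not tok.startswith("-"):
            output, i = tok, i + 1
        else:
            raise ValueError("unexpected token %r" % tok)
    return opts, output


def audit(command):
    """Return sorted finding names (names invented for this example)."""
    opts, _ = parse_makecert(command)
    findings = set()
    algo = opts.get("-a", "md5").lower()      # md5 is the documented default
    if algo in ("md5", "sha1"):               # the only values the table lists
        findings.add("weak-hash-" + algo)
    if "-pe" in opts:                         # private key can leave the store
        findings.add("exportable-private-key")
    if "-sv" in opts:                         # key written to a .pvk file
        findings.add("private-key-in-pvk-file")
    if "-e" not in opts and "-m" not in opts: # validity runs to 12/31/2039
        findings.add("default-expiry-2039")
    return sorted(findings)
```

Every command is reported with a weak-hash finding because the tool offers only md5 and sha1, which is consistent with the statement that its certificates are for testing purposes only.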