Creating X.509 Certificates using makecert.exe
Creating X.509 certificates is a very common task. Unfortunately, knowledge of how to do it is quite rare. If you want a certificate that the whole world will trust, you need to buy one, but if you need it only for your own use, you can create it with a tool called MakeCert.exe.
After downloading the tool you have to perform the following procedure:
Creating a Root Certificate Authority
makecert.exe -n "CN=My Root CA,O=Organization,OU=Org Unit,L=San Diego,S=CA,C=US" -pe -ss my -sr LocalMachine -sky exchange -m 96 -a sha1 -len 2048 -r My_Root_CA.cer
Import Root Certificate Authority Certificate into Trusted Root Store
certutil.exe -f -addstore Root My_Root_CA.cer
Create Backup (Export) PFX file of Root Certificate Authority Certificate
certutil.exe -privatekey -exportpfx "My Root CA" My_Root_CA.pfx
Create a server Certificate issued from the previously created Certificate Authority
makecert.exe -n "CN=Server" -pe -ss my -sr LocalMachine -sky exchange -m 96 -in "My Root CA" -is my -ir LocalMachine -a sha1 -eku 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2 Server.cer
Create Backup (Export) PFX file of Server Certificate
certutil.exe -privatekey -exportpfx "Server" Server.pfx
Create a Computer certificate issued from the previously created Certificate Authority
makecert.exe -n "CN=Computer" -pe -ss my -sr LocalMachine -sky exchange -m 96 -in "My Root CA" -is my -ir LocalMachine -a sha1 -eku 1.3.6.1.5.5.7.3.2 Computer.cer
Create Backup (Export) PFX file of Computer Certificate
certutil.exe -privatekey -exportpfx "Computer" Computer.pfx
OID Reference
Encrypting File System (1.3.6.1.4.1.311.10.3.4)
Secure Email (1.3.6.1.5.5.7.3.4)
Smart Card Logon (1.3.6.1.4.1.311.20.2.2)
Client Authentication (1.3.6.1.5.5.7.3.2)
Server Authentication (1.3.6.1.5.5.7.3.1)
IP security IKE intermediate (1.3.6.1.5.5.8.2.2)
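Verifying the result
The following PowerShell script is an added example, not part of the original procedure or of any Microsoft tool. It checks that the Server and Computer certificates in LocalMachine\My chain to "My Root CA", carry exactly the EKU OIDs requested above, and reports SHA-1 signatures (which the commands request with -a sha1) and RSA keys under 2048 bits. The function name Test-IssuedCertificate is hypothetical, and the subject names are assumed to be the ones used on this page.

```powershell
# Added example, not from the original page. Run in an elevated PowerShell session
# after the makecert commands above. Subject names and EKUs are the ones on this page.
$rootName = 'My Root CA'
$expected = @{
    'Server'   = @('1.3.6.1.5.5.7.3.1', '1.3.6.1.5.5.7.3.2')
    'Computer' = @('1.3.6.1.5.5.7.3.2')
}

function Test-IssuedCertificate {
    param($Cert, [string[]]$ExpectedEku, [string]$RootName)

    # Collect the EKU OIDs actually present (2.5.29.37 is the EKU extension).
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $actual = @()
    if ($ext) { $actual = @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

    # Build the chain. Revocation is skipped on the assumption that these
    # test certificates carry no CRL or OCSP location.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $trusted = $chain.Build($Cert)
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    $issues = @()
    if (-not $trusted) { $issues += 'chain: ' + (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',') }
    if ($top.GetNameInfo('SimpleName', $false) -ne $RootName) { $issues += 'chain does not end at expected root' }
    foreach ($oid in $ExpectedEku) { if ($actual -notcontains $oid) { $issues += "missing EKU $oid" } }
    foreach ($oid in $actual) { if ($ExpectedEku -notcontains $oid) { $issues += "unexpected EKU $oid" } }
    $sig = $Cert.SignatureAlgorithm.FriendlyName
    if ($sig -match 'sha1|md5') { $issues += "weak signature hash ($sig)" }
    $bits = $Cert.PublicKey.Key.KeySize
    if ($bits -lt 2048) { $issues += "RSA key shorter than 2048 bits ($bits)" }
    if (-not $Cert.HasPrivateKey) { $issues += 'no private key in store' }

    [pscustomobject]@{
        Subject    = $Cert.GetNameInfo('SimpleName', $false)
        Thumbprint = $Cert.Thumbprint
        NotAfter   = $Cert.NotAfter
        Issues     = if ($issues) { $issues -join '; ' } else { 'none' }
    }
}

foreach ($name in $expected.Keys) {
    $found = @(Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.GetNameInfo('SimpleName', $false) -eq $name })
    if (-not $found) { Write-Warning "No certificate with CN=$name in LocalMachine\My"; continue }
    $found | ForEach-Object { Test-IssuedCertificate -Cert $_ -ExpectedEku $expected[$name] -RootName $rootName }
}
```

Each certificate produces one row; an Issues value of "none" means the chain, EKU set, signature hash, key length and private key all passed.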