Makecert.exe (Certificate Creation Tool)
Visual Studio 2010
This documentation is archived and is not being maintained.
The Certificate Creation tool generates X.509 certificates for testing purposes only. It creates a public and private key pair for digital signatures and stores it in a certificate file. This tool also associates the key pair with a specified publisher's name and creates an X.509 certificate that binds a user-specified name to the public part of the key pair.
Makecert.exe includes basic and extended options. Basic options are those most commonly used to create a certificate. Extended options provide more flexibility.
Certificate private keys generated by this tool should never be stored in .snk files. If you need to store a private key, you should use a key container. For more information about how to store a private key in a key container, see How to: Store Asymmetric Keys in a Key Container.
Caution You should use a certificate store to securely store your certificates. The .snk files used by this tool store private keys in an unprotected manner. When you create or import a .snk file, you should be careful to secure it during use and remove it when you are done.
This tool is automatically installed with Visual Studio and with the Windows SDK. To run the tool, we recommend that you use the Visual Studio Command Prompt or the Windows SDK Command Prompt (CMD Shell). These utilities enable you to run the tool easily, without navigating to the installation folder. For more information, see Visual Studio and Windows SDK Command Prompts.
If you have Visual Studio installed on your computer: On the taskbar, click Start, click All Programs, click Visual Studio, click Visual Studio Tools, and then click Visual Studio Command Prompt.
-or-
If you have the Windows SDK installed on your computer: On the taskbar, click Start, click All Programs, click the folder for the Windows SDK, and then click Command Prompt (or CMD Shell).
At the command prompt, type the following:
makecert [options] outputCertificateFile
Argument
Description
outputCertificateFile
The name of the .cer file where the test X.509 certificate will be written.
Basic Options
Option
Description
-n name
Specifies the subject's certificate name. This name must conform to the X.500 standard. The simplest method is to specify the name in double quotes, preceded by CN=; for example, -n "CN=myName".
-pe
Marks the generated private key as exportable. This allows the private key to be included in the certificate.
-sk keyname
Specifies the subject's key container location, which contains the private key. If a key container does not exist, it will be created.
-sr location
Specifies the subject's certificate store location. location can be either currentuser (the default) or localmachine.
-ss store
Specifies the subject's certificate store name that stores the output certificate.
-# number
Specifies a serial number from 1 to 2,147,483,647. The default is a unique value generated by Makecert.exe.
-$ authority
Specifies the signing authority of the certificate, which must be set to either commercial (for certificates used by commercial software publishers) or individual (for certificates used by individual software publishers).
-?
Displays command syntax and a list of basic options for the tool.
-!
Displays command syntax and a list of extended options for the tool.
Extended Options
Option
Description
-a algorithm
Specifies the signature algorithm. algorithm must be md5, sha1 (the default), sha256, sha384, or sha512.
-b mm/dd/yyyy
Specifies the start of the validity period. Defaults to the current date.
-crl
Generates a certificate revocation list (CRL) instead of a certificate.
-cy certType
Specifies the certificate type. Valid values are end for end-entity and authority for certification authority.
-e mm/dd/yyyy
Specifies the end of the validity period. Defaults to 12/31/2039 11:59:59 GMT.
-eku oid[,oid…]
Inserts a list of comma-separated, enhanced key usage object identifiers (OIDs) into the certificate.
-h number
Specifies the maximum height of the tree below this certificate.
-ic file
Specifies the issuer's certificate file.
-ik keyName
Specifies the issuer's key container name.
-iky keytype
Specifies the issuer's key type, which must be one of the following: signature (which indicates that the key is used for a digital signature), exchange (which indicates that the key is used for key encryption and key exchange), or an integer that represents a provider type. By default, you can pass 1 for an exchange key or 2 for a signature key.
-in name
Specifies the issuer's certificate common name.
-ip provider
Specifies the issuer's CryptoAPI provider name. For information about the CryptoAPI provider name, see the -sp option.
-ir location
Specifies the location of the issuer's certificate store. location can be either currentuser (the default) or localmachine.
-is store
Specifies the issuer's certificate store name.
-iv pvkFile
Specifies the issuer's .pvk private key file.
-iy type
Specifies the issuer's CryptoAPI provider type. For information about the CryptoAPI provider type, see the -sy option.
-l link
Links to policy information (for example, to a URL).
-len number
Specifies the generated key length, in bits.
-m number
Specifies the duration, in months, of the certificate validity period.
-nscp
Includes the Netscape client-authorization extension.
-r
Creates a self-signed certificate.
-sc file
Specifies the subject's certificate file.
-sky keytype
Specifies the subject's key type, which must be one of the following: signature (which indicates that the key is used for a digital signature), exchange (which indicates that the key is used for key encryption and key exchange), or an integer that represents a provider type. By default, you can pass 1 for an exchange key or 2 for a signature key.
-sp provider
Specifies the subject's CryptoAPI provider name, which must be defined in the registry subkeys of HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider. If both -sp and -sy are present, the type of the CryptoAPI provider must correspond to the Type value of the provider's subkey.
-sv pvkFile
Specifies the subject's .pvk private key file. The file is created if none exists.
-sy type
Specifies the subject's CryptoAPI provider type, which must be defined in the registry subkeys of HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types. If both -sy and -sp are present, the name of the CryptoAPI provider must correspond to the Name value of the provider type subkey.
-tbs
Specifies the certificate or CRL file to be signed.
Examples
The following command creates a test certificate issued by the default test root and writes it to testCert.cer.
makecert testCert.cer
The following command creates a certificate issued by the default test root and saves it to a certificate store.
makecert -ss testCertStore
The following command creates a certificate issued by the default test root and saves it to a certificate store. It explicitly places the certificate in the currentuser store.
makecert -ss testCertStore -sr currentuser
The following command creates a test certificate and writes it to testXYZ.cer, using the subject's key container and the certificate subject's X.500 name.
makecert -sk XYZ -n "CN=XYZ Company" testXYZ.cer
The following command creates a certificate issued by the default test root, creates a .pvk file, and outputs the certificate to both the store and the file.
makecert -sv testCert.pvk -ss testCertStore testCert.cer
The following command creates a certificate issued by the default test root, creates a key container, and outputs the certificate to both the store and the file.
makecert -sk myTestKey -ss testCertStore testCert.cer
The following command creates a self-signed certificate, specifies a subject name of "CN=XYZ Company", specifies the start and end dates of the validity period, places the key in the my store, specifies an exchange key, and makes the private key exportable.
makecert -r -pe -n "CN=XYZ Company" -b 01/01/2005 -e 01/01/2010 -sky exchange -ss my
The following command creates a self-signed certificate that can be used to test a web application that uses Secure Sockets Layer (SSL) on a web server whose URL is www.example.com. The OID given by the -eku option identifies that certificate as an SSL server certificate. The certificate is stored in the my store and is available at the machine (rather than user) level. The certificate's private key is exportable, and the certificate is valid from May 10, 2010 through December 22, 2011.
makecert -r -pe -n CN="www.example.com" -b 05/10/2010 -e 12/22/2011 -eku 1.3.6.1.5.5.7.3.1 -ss my -sr localmachine -sky exchange -sp "Microsoft R
The following commands create certificates and save them to stores. The first command creates a certificate using the default test root and saves the certificate to a store. The second command creates another certificate using the newly created certificate and saves the second certificate to another store.
makecert -sk myTestKey -ss testCertStore
makecert -is testCertStore -ss anotherTestStore
The following commands create certificates and save them to stores. The first command saves the certificate to the my store. The second command creates another certificate using the newly created certificate. Because there is more than one certificate in the my store, the second command identifies the first certificate by using its common name.
makecert -sk myTestKey -n "CN=XXZZYY" -ss my
makecert -is my -in "XXZZYY" -ss anotherTestStore
The following commands create certificates and save them to files and stores. The first command creates a certificate using the default test root and saves the certificate to the my store and to a file. The second command creates another certificate using the newly created testCert.cer certificate. Because there is more than one certificate in the my store, the second command uniquely identifies the first certificate by using the certificate file name.
makecert -sk myTestKey -n "CN=XXZZYY" -ss my testCert.cer
makecert -is my -ic testCert.cer -ss anotherTestStore
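The following batch script is an added example, not part of the original article, that chains the options documented above into a two-level test chain: a test root CA whose key lives in a key container (as the article recommends, instead of a .pvk or .snk file), and an SSL server certificate issued by it, located through the -is/-in/-ir issuer options. Every name, store, date and file name is constructed for illustration; certutil, used only to inspect and verify the result, is a separate Windows tool that is not described on this page.

```batch
@echo off
setlocal
rem Added example (not from the original article). Run it from a Visual Studio or
rem Windows SDK command prompt. All names, stores, dates and file names are constructed.

set ROOT_CN=Example Test Root CA
set ROOT_STORE=TestCA
set SERVER_CN=www.example.com

rem 1. Test root CA: self-signed (-r), CA type (-cy authority), at most one CA level
rem    below it (-h 1), SHA-256 signature, 2048-bit signature key kept in a key
rem    container (-sk) rather than a .pvk/.snk file, stored in a dedicated test store
rem    so it is never confused with a production CA.
makecert -r -n "CN=%ROOT_CN%" -cy authority -h 1 -a sha256 -len 2048 ^
  -sky signature -sk ExampleTestRootKey -ss %ROOT_STORE% -sr currentuser ^
  -b 01/01/2024 -e 12/31/2025 ExampleTestRoot.cer
if errorlevel 1 (echo Root CA creation failed & exit /b 1)

rem 2. Server certificate issued by the test root. The issuer is found in the test
rem    store by common name (-is/-in/-ir), which also locates its key container.
rem    -eku 1.3.6.1.5.5.7.3.1 marks it as an SSL server certificate and -sky exchange
rem    gives it a key-exchange key; -pe is needed only if the key must later be
rem    exported to a .pfx, so omit it when the certificate is used from the store.
makecert -n "CN=%SERVER_CN%" -cy end -a sha256 -len 2048 -sky exchange -pe ^
  -eku 1.3.6.1.5.5.7.3.1 -is %ROOT_STORE% -in "%ROOT_CN%" -ir currentuser ^
  -ss my -sr currentuser -b 01/01/2024 -e 12/31/2024 ExampleServer.cer
if errorlevel 1 (echo Server certificate creation failed & exit /b 1)

rem 3. Inspect the issued certificate (decoded subject, issuer, validity, EKU) and
rem    check that its signature chains to the test root certificate file.
certutil -dump ExampleServer.cer
certutil -verify ExampleServer.cer ExampleTestRoot.cer

rem Nothing above adds the test root to the Trusted Root store, so the chain is only
rem trusted by code that is explicitly pointed at the %ROOT_STORE% store.
endlocal
```

When the test is finished, delete the certificates from the my and TestCA stores and the ExampleTestRootKey container so the test-only keys do not outlive their purpose.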
See Also
Reference
Cert2spc.exe (Software Publisher Certificate Test Tool)
Visual Studio and Windows SDK Command Prompts
Other Resources
.NET Framework Tools
© 2018 Microsoft