How-to use MakeCert for trusted root certification authority and SSL certificate issuance

jhoward — Wed, 02 Feb 2005 14:26:00 GMT

I wasn't originally going to blog this, but my colleague, Mat, and I were discussing encryption late last night. Mat was specifically interested in its use for security traffic in the context of SQL Reporting Service, but we got massively sidetracked and ended up talking about IPSec, MAPI and all sorts of other things along the way. Interesting, none-the-less.

One thing Mat wanted to demonstrate was the use of a certificate for encrypting traffic between a SQL Reporting Server and a back-end database. Why not install a certificate server, he said. My retort was that he was probably barking if this was just for a simple demonstration.... :-) (You're not, really Mat. Honest!) Hence, one topic along our way was how to use MakeCert.exe to demonstrate SSL encryption. Rather than me show him and get it written down, what better way than to blog it. Makes sense, right? Spookily just last week I was reminding myself about how to use the makecert.exe utility (download link at the bottom) to generate a self-signed certificate for a completely different purpose. However, definitely a subject for another day and besides, I never did succeed in that particular goal :-(

MakeCert.exe allows you to (for test/dev purposes) generate both a trusted root certificate and a certificate signed by that trusted root certificate for encryption purposes (also for signature purposes, but that wasn't relevant in this context). In this way, you can create a test/dev web-site, for example, with SSL encryption enabled. Follow these simple steps if this is something you need to do. I'll follow up later with an example of how you would use these generated certificates to SSL-enable a very simple web-site under IIS 6.

From the command prompt, in the directory where you downloaded makecert.exe, enter all the green bits below on a single line (ie exclude my comments in the right-most column).

makecert	-pe	Exportable private key
	-n "CN=Test And Dev Root Authority"	Subject name
	-ss my	Certificate store name
	-sr LocalMachine	Certificate store location
	-a sha1	Signature algorithm
	-sky signature	Subject key type is for signature purposes
	-r	Make a self-signed cert
	"Test And Dev Root Authority.cer"	Output filename

You will now have a "Test And Dev Root Authority.cer" certificate on disk and a new certificate will also be installed in the LocalMachine Certificate store. If you run up a Certificates MMC at this point, you will be able to see this. However, by default, the Certificates snap-in isn't available as a short cut. Hence, use the following steps:

Start/Run/MMC
File/Add-Remove Snap-In
Click Add
Select Certificates and click Add
Select Computer Account and hit Next
Select Local Computer
Click Close
Click OK

If you expand the console out to Personal/Certificates, you will see your newly created certificate as in the screen shot below.

Now that you have a root certificate, you need to use this certificate (at least the .cer file which is still present on your hard-disk) to sign another certificate you are going to use for encryption purposes. From the command prompt, enter the following

makecert	-pe	Exportable private key
	-n "CN=jhoward-5160"	Full DNS name of the target machine. Note that in this example, I am running a machine with the NetBIOS name "jhoward-5160" which is not a member of a domain. Hence, the full DNS name really is this. Replace this as appropriate. e.g. CN=mycomputer.company.com
	-ss my	Certificate store name
	-sr LocalMachine	Certificate store location
	-a sha1	Signature algorithm
	-sky exchange	Subject key type is for key-exchange purposes (i.e. Encryption)
	-eku 1.3.6.1.5.5.7.3.1	Enhanced key usage OIDs. Trust me on this :-)
	-in "Test And Dev Root Authority"	Issuers certificate common name
	-is MY	Issuers certificate store name
	-ir LocalMachine	Issuers certificate store location
	-sp "Microsoft RSA SChannel Cryptographic Provider"	CryptoAPI providers name
	-sy 12	CryptoAPI providers type
	jhoward-5160.cer	Output file - replace and name as appropriate.

Go back to the certificates snap-in, right-click the "Test and Dev Root Authority" certificate and copy it to the "Trusted Root Certification Authorities" node. Once done, if you expand this node, and then select certificates your newly created root cert should be present.

If you whizz back to the personal certificates in this snap-in, you also note that your new certificate suitable for encryption purposes is installed, as highlighted in the screen-shot below.

If you double-click the certificate, verify that you have a private key that corresponds to this certificate, and that the intended purpose is to ensure the identity of a remote computer.

At this point, you can safely delete the "Test And Dev Root Authority" certificate from the personal certificate store in the MMC snap-in. Remember also that you can save the two .cer files on disk safely away to save you remembering all the above parameters for makecert.exe. You can simply use the "All Tasks/Import" wizard in the MMC snap-in instead (assuming that the DNS name of the target machine matches).

Download makecert.exe from microsoft.com here

Oh the fun of after-work conversations.... Hope this is useful for you

John Howard - Senior Program Manager in the Hyper-V team at Microsoft : IIS, Information

How-to use MakeCert for trusted root certification authority and SSL certificate issuance