How to use makecert.exe to create a self-signed test certificate that can be used with IIS for SSL
Problem: Special options must be specified with makecert.exe, to create a self-signed certificate that can be used with IIS (Microsoft Internet Information Server).
Note: Microsoft recommends to install and use the “Certificate Server” to generate an SSL test certificate (Q216907), instead of using makecert.exe. But using makecert is simpler.
The following command can be used to create and import a self-signed SSL test certificate:
makecert -r -pe -n “CN=www.yourserver.com” -b 01/01/2000 -e 01/01/2036 -eku 126.96.36.199.188.8.131.52.1 -ss my -sr localMachine -sky exchange
-sp “Microsoft RSA SChannel Cryptographic Provider” -sy 12
To install this certificate in IIS 5.0, open the IIS “Web Site Properties”, “Directory Security”, “Server Certificate…”, “Assign an existing certificate” and select the new certificate from the list.
Note: Older versions of makecert.exe do not support the “-pe” option, which makes the private key exportable. If you have an old version of makecert.exe, you can omit the “-pe” option, but then the certificate cannot be exported including the private key.
(The October 2002 version of the Platform SDK (build 3718.1) contains a new version of makecert.exe (5.131) that supports the “-pe” option. The .NET Framework SDK 1.0 of 2002-03-19 contains an old version of makecert.exe that does not support the “-pe” option).
If the private key is exportable, you can export the certificate together with the private key into a PFX (PKCS #12) file as described in Q232136.
Note: SSL server certificates for IIS are stored in the “Personal” (“My”) certificate store of the “computer account” (“localMachine”). The “Certificates” snap-in of the Microsoft Management Console (mmc.exe) must be used to manage these certificates. The normal certificate management window (accessible via “Internet Properties” / “Content” / “Certificates” or via “Control Panel” / “Users and Passwords” / “Advanced” / “Certificates”) cannot be used.
Note: To create a key with more than 512 bits, use the “-len” parameter of makecert.exe.
Dim nRet As Integer
Dim strNewCertFile As String
Dim strIssuerCert As String
Dim strSubjectPubKeyFile As String
Dim strIssuerPriKeyFile As String
Dim strPassword As String
Dim nCertNum As Integer
Dim nYearsValid As Integer
Dim strDistName As String
Dim strEmail As String
strNewCertFile = “myuser.cer”
strIssuerCert = “myca.cer”
strSubjectPubKeyFile = “mykey.pub”
strIssuerPriKeyFile = “myca.epk”
strPassword = “password” ‘!!
nCertNum = &H101
nYearsValid = 4
strDistName = “CN=My User,O=Test Org,OU=Unit,C=AU,L=My Town,S=State,Efirstname.lastname@example.org”
strEmail = “email@example.com”
nRet = X509.MakeCert(strNewCertFile, strIssuerCert, strSubjectPubKeyFile, strIssuerPriKeyFile, _
nCertNum, nYearsValid, strDistName, strEmail, 0, strPassword, 0)
If nRet <> 0 Then
Console.WriteLine(nRet & ” ” & General.LastError())
Console.WriteLine(“Success, created X.509 cert ” & strNewCertFile)