
How to use makecert.exe to create a self-signed test certificate that can be used with IIS for SSL

Problem: makecert.exe needs special options to create a self-signed certificate that can be used with IIS (Microsoft Internet Information Server).

Note: Microsoft recommends installing and using the “Certificate Server” to generate an SSL test certificate (Q216907) instead of using makecert.exe, but using makecert is simpler.


The following command can be used to create and import a self-signed SSL test certificate:

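makecert -r -pe -n "CN=www.yourserver.com" -b 01/01/2000 -e 01/01/2036 -eku 1.3.6.1.5.5.7.3.1 -ss my -sr localMachine -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12

The “-eku” option takes the OID of the permitted key usage; 1.3.6.1.5.5.7.3.1 is the OID for server authentication.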

To install this certificate in IIS 5.0, open the IIS “Web Site Properties”, “Directory Security”, “Server Certificate…”, “Assign an existing certificate” and select the new certificate from the list.

Note: Older versions of makecert.exe do not support the “-pe” option, which makes the private key exportable. If you have an old version of makecert.exe, you can omit the “-pe” option, but then the certificate cannot be exported including the private key.

(The October 2002 version of the Platform SDK (build 3718.1) contains a new version of makecert.exe (5.131) that supports the “-pe” option. The .NET Framework SDK 1.0 of 2002-03-19 contains an old version of makecert.exe that does not support the “-pe” option).

If the private key is exportable, you can export the certificate together with the private key into a PFX (PKCS #12) file as described in Q232136.

Note: SSL server certificates for IIS are stored in the “Personal” (“My”) certificate store of the “computer account” (“localMachine”). The “Certificates” snap-in of the Microsoft Management Console (mmc.exe) must be used to manage these certificates. The normal certificate management window (accessible via “Internet Properties” / “Content” / “Certificates” or via “Control Panel” / “Users and Passwords” / “Advanced” / “Certificates”) cannot be used.

Note: To create a key with more than 512 bits, use the “-len” parameter of makecert.exe.

Author: Christian d’Heureuse (chdh@inventec.ch, www.source-code.biz)
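The following PowerShell check is an added example, not part of the original article: it lists the certificates in the LocalMachine “My” store described above and flags the properties a makecert test certificate typically has, so that leftover test certificates can be found before a server goes into production. The function name Test-ServerCertificate and the 2048-bit minimum key length are assumptions chosen for illustration.

```powershell
# Added example: audit Cert:\LocalMachine\My for makecert-style test certificates.
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # server authentication EKU
$MinRsaBits    = 2048                  # assumed policy threshold

function Test-ServerCertificate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert
    )
    $findings = @()

    # makecert -r produces a certificate whose subject is also its issuer.
    if ($Cert.Subject -eq $Cert.Issuer) { $findings += 'self-signed' }

    # IIS can only bind a certificate whose private key is in the store.
    if (-not $Cert.HasPrivateKey) { $findings += 'no private key in store' }

    # The article notes that -len is needed for keys longer than 512 bits.
    $rsa  = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($Cert)
    $bits = if ($rsa) { $rsa.KeySize } else { $null }
    if ($bits -and $bits -lt $MinRsaBits) { $findings += "RSA key only $bits bits" }

    # Old tools sign with MD5 or SHA-1.
    $sig = $Cert.SignatureAlgorithm.FriendlyName
    if ($sig -match 'md5|sha1') { $findings += "weak signature hash ($sig)" }

    # Collect the OIDs of the Enhanced Key Usage extension (the -eku option).
    $oids = @()
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) { $oids += $oid.Value }
        }
    }
    if ($oids.Count -eq 0) { $findings += 'no EKU extension (usable for any purpose)' }
    elseif ($oids -notcontains $ServerAuthOid) { $findings += 'EKU lacks server authentication' }

    $findings
}

Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    [pscustomobject]@{
        Subject    = $_.Subject
        Thumbprint = $_.Thumbprint
        NotAfter   = $_.NotAfter
        Findings   = (Test-ServerCertificate -Cert $_) -join '; '
    }
} | Format-List
```

The check does not report whether the private key is exportable (the “-pe” option); that has to be checked separately.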

Example: X509.MakeCert

[VB6 equivalent: X509_MakeCert]

Dim nRet As Integer
Dim strNewCertFile As String
Dim strIssuerCert As String
Dim strSubjectPubKeyFile As String
Dim strIssuerPriKeyFile As String
Dim strPassword As String
Dim nCertNum As Integer
Dim nYearsValid As Integer
Dim strDistName As String
Dim strEmail As String
strNewCertFile = "myuser.cer"
strIssuerCert = "myca.cer"
strSubjectPubKeyFile = "mykey.pub"
strIssuerPriKeyFile = "myca.epk"
strPassword = "password" ' !!
nCertNum = &H101
nYearsValid = 4
strDistName = "CN=My User,O=Test Org,OU=Unit,C=AU,L=My Town,S=State,E=myuser@testorg.com"
strEmail = "myuser@testorg.com"

' Create the certificate for the subject's public key, signed with the issuer's private key
nRet = X509.MakeCert(strNewCertFile, strIssuerCert, strSubjectPubKeyFile, strIssuerPriKeyFile, _
    nCertNum, nYearsValid, strDistName, strEmail, 0, strPassword, 0)
If nRet <> 0 Then
    ' A non-zero return value is an error code
    Console.WriteLine(nRet & " " & General.LastError())
Else
    Console.WriteLine("Success, created X.509 cert " & strNewCertFile)
End If

See Also:
X509.MakeCert Method
