Where to find makecert.exe?

Sometimes you need to create test certificates and keys for demos, tests and trials, e.g. SSL certs for websites or for a Point-to-Site VPN connection to Microsoft Azure.

One of the command-line tools you could use for creating test certificates is makecert.exe. But where do you find and download it?

makecert.exe is part of the Windows Software Development Kit (SDK) for Windows 8.1 or the Windows Software Development Kit (SDK) for Windows 10.

Notes on the SDK:

  • there are various versions that follow the OS versions
  • at the time of the blog post (21st July 2015) it was 8.1 – you might want to check if there is a later one.
  • the tools within might be updated
  • you can install the SDK from the web or download its components as a whole (>700 MB)

You get makecert.exe when you install the “Windows Software Development Kit” portion, i.e. you don’t need to install everything:

After installing you’ll find it in the following folder:

C:\Program Files (x86)\Windows Kits\8.1\bin\x64

And you can create a Site-to-Site VPN Root Cert with e.g.:

makecert -sky exchange -r -n "CN=AdatumRootCertificate" -pe -a sha1 -len 2048 -sr LocalMachine -ss AuthRoot "c:\temp\AdatumRootCertificate.cer"

and a client Site-to-Site VPN Cert with e.g.:

makecert.exe -n "CN=AdatumClientCertificate" -pe -sky exchange -m 96 -ss My -in "AdatumRootCertificate" -is AuthRoot -a sha1

Other examples:

  1. Creates a root certificate with exportable key and places it into the Trusted root auth store of the local computer:
    makecert.exe -r -n "CN=SIL Root Cert" -pe -sr localmachine -ss AuthRoot -len 2048 -sky exchange -m 36
  2. Creates a Server SSL certificate based on the above Root cert and places it into the local computer's personal store:
    makecert.exe -n "CN=SILAggregator" -in "SIL Root Cert" -eku 1.3.6.1.5.5.7.3.1 -ir localmachine -is AuthRoot -pe -sr localmachine -ss My -len 2048 -sky exchange -m 36
  3. Creates a Client Auth certificate:
    makecert.exe -n "CN=SILClientAuth" -in "SIL Root Cert" -eku 1.3.6.1.5.5.7.3.2 -ir localmachine -is AuthRoot -pe -sr localmachine -ss My -len 2048 -sky exchange -m 36
  4. Remote Desktop Gateway Sample:
    a) Creates a root certificate with exportable key and places it into the Trusted root auth store of the local computer:
    makecert.exe -r -n "CN=RootCA.mydomain.xxx" -pe -sr localmachine -ss AuthRoot -len 4096 -sky exchange -m 96 -a sha256
    b) Creates the RDG Server SSL certificate based on the above Root cert and places it into the local computer's personal store:
    makecert.exe -n "CN=rdg.mydomain.xxx" -in "RootCA.mydomain.xxx" -eku 1.3.6.1.5.5.7.3.1 -ir localmachine -is AuthRoot -pe -sr localmachine -ss My -len 2048 -sky exchange -m 36 -a sha256
    c) Use MMC -> Certificates -> Local Computer -> Personal -> select rdg.mydomain.xxx -> Export -> include private key, extended key usage and all certificates in hierarchy -> save as .pfx -> bring to RDG -> import -> In RDG manager -> bind SSL new cert.
    d) Use MMC -> Certificates -> Local Computer -> Trusted Root Certification Authorities -> select RootCA.mydomain.xxx -> Export -> No, do not export private key -> save as .cer -> bring to RDP Client -> import .cer to Trusted Root Certification Authorities -> retry RDP connection.
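
A check to run after the commands above, as an added example that is not part of the original post: this PowerShell snippet reads back the certificates from the RDG sample (4a/4b), reports signature hash, key size, EKU and expiry, warns when two subjects share a key pair, and confirms the server certificate chains to the test root. The subject names are the ones used in sample 4; disabling revocation checking is an assumption that these test certificates publish no CRL.

```powershell
# Added example: audit the certificates produced by the RDG sample (4a/4b).
# Subject names are the ones used in this post; adjust them for your own.
$subjects = 'CN=RootCA.mydomain.xxx', 'CN=rdg.mydomain.xxx'
$stores   = 'Cert:\LocalMachine\AuthRoot', 'Cert:\LocalMachine\My'

$certs = Get-ChildItem -Path $stores |
    Where-Object { $subjects -contains $_.Subject }

$report = foreach ($c in $certs) {
    $sigAlg = $c.SignatureAlgorithm.FriendlyName
    [pscustomobject]@{
        Store      = ($c.PSParentPath -split '\\')[-1]
        Subject    = $c.Subject
        Issuer     = $c.Issuer
        SelfSigned = $c.Subject -eq $c.Issuer
        SigAlg     = $sigAlg
        WeakHash   = $sigAlg -match 'sha1|md5'      # e.g. sha1RSA
        KeyBits    = $c.PublicKey.Key.KeySize
        EKU        = ($c.EnhancedKeyUsageList.ObjectId) -join ','
        NotAfter   = $c.NotAfter
        HasPrivKey = $c.HasPrivateKey
        Thumbprint = $c.Thumbprint
    }
}
$report | Format-List

# Each certificate should have its own key pair: flag any public key that
# shows up under more than one subject.
$certs | Group-Object { $_.GetPublicKeyString() } |
    Where-Object { ($_.Group.Subject | Sort-Object -Unique).Count -gt 1 } |
    ForEach-Object { Write-Warning "Shared key pair: $($_.Group.Subject -join ' / ')" }

# The server certificate should build a chain to the test root on this machine.
$leaf = $certs | Where-Object { $_.Subject -eq 'CN=rdg.mydomain.xxx' } |
    Select-Object -First 1
if ($leaf) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # assumption: no CRL for test certs
    if ($chain.Build($leaf)) {
        'Chain OK: ' + (($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) -join ' <- ')
    } else {
        $chain.ChainStatus | ForEach-Object { Write-Warning $_.StatusInformation.Trim() }
    }
}
```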