CertCreateSelfSignCertificate function (wincrypt.h)

The CertCreateSelfSignCertificate function builds a self-signed certificate and returns a pointer to a CERT_CONTEXT structure that represents the certificate.


PCCERT_CONTEXT CertCreateSelfSignCertificate(
  [in, optional] HCRYPTPROV_OR_NCRYPT_KEY_HANDLE hCryptProvOrNCryptKey,
  [in]           PCERT_NAME_BLOB                 pSubjectIssuerBlob,
  [in]           DWORD                           dwFlags,
  [in, optional] PCRYPT_KEY_PROV_INFO            pKeyProvInfo,
  [in, optional] PCRYPT_ALGORITHM_IDENTIFIER     pSignatureAlgorithm,
  [in, optional] PSYSTEMTIME                     pStartTime,
  [in, optional] PSYSTEMTIME                     pEndTime,
  [optional]     PCERT_EXTENSIONS                pExtensions


[in, optional] hCryptProvOrNCryptKey

A handle of a cryptographic provider used to sign the certificate created. If NULL, information from the pKeyProvInfo parameter is used to acquire the needed handle. If pKeyProvInfo is also NULL, the default provider type, PROV_RSA_FULL provider type, the default key specification, AT_SIGNATURE, and a newly created key container with a unique container name are used.

This handle must be an HCRYPTPROV handle that has been created by using the CryptAcquireContext function or an NCRYPT_KEY_HANDLE handle that has been created by using the NCryptOpenKey function. New applications should always pass in the NCRYPT_KEY_HANDLE handle of a CNG cryptographic service provider (CSP).

[in] pSubjectIssuerBlob

A pointer to a BLOB that contains the distinguished name (DN) for the certificate subject. This parameter cannot be NULL. Minimally, a pointer to an empty DN must be provided. This BLOB is normally created by using the CertStrToName function. It can also be created by using the CryptEncodeObject function and specifying either the X509_NAME or X509_UNICODE_NAME StructType.

[in] dwFlags

A set of flags that override the default behavior of this function. This can be zero or a combination of one or more of the following values.

Value Meaning
By default, the returned PCCERT_CONTEXT references the private keys by setting the CERT_KEY_PROV_INFO_PROP_ID. If you do not want the returned PCCERT_CONTEXT to reference private keys by setting the CERT_KEY_PROV_INFO_PROP_ID, specify CERT_CREATE_SELFSIGN_NO_KEY_INFO.
By default, the certificate being created is signed. If the certificate being created is only a dummy placeholder, the certificate might not need to be signed. Signing of the certificate is skipped if CERT_CREATE_SELFSIGN_NO_SIGN is specified.

[in, optional] pKeyProvInfo

A pointer to a CRYPT_KEY_PROV_INFO structure. Before a certificate is created, the CSP is queried for the key provider, key provider type, and the key container name. If the CSP queried does not support these queries, the function fails. If the default provider does not support these queries, a pKeyProvInfo value must be specified. The RSA BASE does support these queries.

If the pKeyProvInfo parameter is not NULL, the corresponding values are set in the CERT_KEY_PROV_INFO_PROP_ID value of the generated certificate. You must ensure that all parameters of the supplied structure are correctly specified.

[in, optional] pSignatureAlgorithm

A pointer to a CRYPT_ALGORITHM_IDENTIFIER structure. If NULL, the default algorithm, SHA1RSA, is used.

[in, optional] pStartTime

A pointer to a SYSTEMTIME structure. If NULL, the system current time is used by default.

[in, optional] pEndTime

A pointer to a SYSTEMTIME structure. If NULL, the pStartTime value plus one year will be used by default.

[optional] pExtensions

A pointer to a CERT_EXTENSIONS array of CERT_EXTENSION structures. By default, the array is empty. An alternate subject name, if desired, can be specified as one of these extensions.

Return value

If the function succeeds, a PCCERT_CONTEXT variable that points to the created certificate is returned. If the function fails, it returns NULL. For extended error information, call GetLastError.


As the pEndTime must be a valid date, and is automatically generated if it is not supplied by the user, unexpected failures may easily be caused when this API is called on a leap day without accompanying app logic to compensate. For more information, please see leap year readiness.


Requirement Value
Minimum supported client Windows XP [desktop apps | UWP apps]
Minimum supported server Windows Server 2003 [desktop apps | UWP apps]
Target Platform Windows
Header wincrypt.h
Library Crypt32.lib
DLL Crypt32.dll

See also