Certificate Creation Tool (Makecert.exe)
The Certificate Creation tool generates X.509 certificates for testing purposes only. It creates a public and private key pair for digital signatures and stores it in a certificate file. This tool also associates the key pair with a specified publisher's name and creates an X.509 certificate that binds a user-specified name to the public part of the key pair.
Makecert.exe includes basic and extended options. Basic options are those most commonly used to create a certificate. Extended options provide more flexibility.
makecert [options] outputCertificateFile
Argument | Description |
---|---|
outputCertificateFile | The name of the .cer file where the test X.509 certificate will be written. |
Basic Options
Option | Description |
---|---|
-n x509name | Specifies the subject's certificate name. This name must conform to the X.500 standard. The simplest method is to specify the name in double quotes, preceded by CN=; for example, "CN=myName". |
-sk keyname | Specifies the subject's key container location, which contains the private key. If a key container does not exist, it will be created. |
-sr location | Specifies the subject's certificate store location. Location can be either currentuser (the default), or localmachine. |
-ss store | Specifies the subject's certificate store name that stores the output certificate. |
-# number | Specifies a serial number from 1 to 2^31-1. The default is a unique value generated by Makecert.exe. |
-$ authority | Specifies the signing authority of the certificate, which must be set to either commercial (for certificates used by commercial software publishers) or individual (for certificates used by individual software publishers). |
-? | Displays command syntax and a list of basic options for the tool. |
-! | Displays command syntax and a list of extended options for the tool. |
Extended Options
Option | Description |
---|---|
-a algorithm | Specifies the signature algorithm. Must be either md5 (the default) or sha1. |
-b mm/dd/yyyy | Specifies the start of the validity period. Defaults to the certificate's creation date. |
-cy certType | Specifies the certificate type. Valid values are end for end-entity, authority for certification authority, or both. |
-d name | Displays the subject's name. |
-e mm/dd/yyyy | Specifies the end of the validity period. Defaults to 12/31/2039 11:59:59 GMT. |
-eku oid[,oid] | Inserts a list of comma-separated, enhanced key usage object identifiers (OIDs) into the certificate. |
-h number | Specifies the maximum height of the tree below this certificate. |
-ic file | Specifies the issuer's certificate file. |
-ik keyName | Specifies the issuer's key container name. |
-iky keytype | Specifies the issuer's key type, which must be signature, exchange, or an integer (such as 4). |
-in name | Specifies the issuer's certificate common name. |
-ip provider | Specifies the issuer's CryptoAPI provider name. |
-ir location | Specifies the location of the issuer's certificate store. Location can be either currentuser (the default) or localmachine. |
-is store | Specifies the issuer's certificate store name. |
-iv pvkFile | Specifies the issuer's .pvk private key file. |
-iy type | Specifies the issuer's CryptoAPI provider type. |
-l link | Links to policy information (for example, a URL). |
-m number | Specifies the duration, in months, of the certificate validity period. |
-nscp | Includes the Netscape client-authorization extension. |
-r | Creates a self-signed certificate. |
-sc file | Specifies the subject's certificate file. |
-sky keytype | Specifies the subject's key type, which must be signature, exchange, or an integer (such as 4). |
-sp provider | Specifies the subject's CryptoAPI provider name. |
-sv pvkFile | Specifies the subject's .pvk private key file. The file is created if none exists. |
-sy type | Specifies the subject's CryptoAPI provider type. |
Examples
The following command creates a test certificate and writes it to testCert.cer.
makecert testCert.cer
The following command creates a test certificate and writes it to testXYZ.cer, using the subject's key container and the certificate subject's X.500 name.
makecert -sk XYZ -n "CN=XYZ Company" testXYZ.cer
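The following PowerShell script is an added example, not part of the original documentation. It combines the extended options above to build a two-level test chain, overriding the md5 default with sha1 (the stronger of the two values listed for -a) and the 2039 default expiry with a six-month lifetime, and then reads the certificates back to confirm what was actually written. All subject names, key container names and file names are constructed, and it assumes makecert is on the PATH.

```powershell
# Added example; all CN values, key container names and file names are constructed.
$ErrorActionPreference = 'Stop'

$rootCer   = 'exampleTestRoot.cer'
$signerCer = 'exampleTestSigner.cer'

# Self-signed test root: -r self-signs, -cy authority marks it as a CA,
# -a sha1 replaces the md5 default, -m 6 limits validity to six months.
& makecert -r -n "CN=Example Test Root" -a sha1 -cy authority -m 6 `
    -sk ExampleTestRootKey $rootCer

# End-entity test certificate issued by that root: -ic/-ik name the issuer's
# certificate file and key container; -eku adds the code-signing usage OID.
& makecert -n "CN=Example Test Signer" -a sha1 -cy end -m 6 `
    -sk ExampleTestSignerKey -ic $rootCer -ik ExampleTestRootKey `
    -eku 1.3.6.1.5.5.7.3.3 $signerCer

# Inspect what was written instead of trusting the command line.
$report = foreach ($file in $rootCer, $signerCer) {
    if (-not (Test-Path $file)) { throw "makecert did not write $file" }
    $path = (Resolve-Path $file).Path
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $path
    [pscustomobject]@{
        File      = $file
        Subject   = $cert.Subject
        Issuer    = $cert.Issuer
        Algorithm = $cert.SignatureAlgorithm.FriendlyName
        NotAfter  = $cert.NotAfter
    }
}
$report | Format-Table -AutoSize

# Fail if any certificate fell back to the md5 default.
$weak = $report | Where-Object { $_.Algorithm -match 'md5' }
if ($weak) { throw "MD5-signed certificate(s): $($weak.File -join ', ')" }
```

The same read-back loop can be pointed at existing .cer files to find test certificates that were created with the md5 default.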
See Also
.NET Framework Tools | Software Publisher Certificate Test Tool (Cert2spc.exe)