
  def Softwaremaker() :
         return "William Tay", "<Challenging Conventions />"

  knownType_Serialize, about = Softwaremaker()
 

 Saturday, November 20, 2004

I have come across many questions regarding the generation of self-signed X.509 PKI digital certificates using makecert.exe. Please use the makecert.exe that comes with the Platform SDK *Feb 2003* and NOT the one that came with the .NET SDK.

With the help of Hervey, these are the steps:

  1. makecert -cy authority -r -n "CN=demos1.Softwaremaker.NET" -sr localmachine -ss "Trust"
  2. makecert -cy end -n "CN=demos1.Softwaremaker.NET SERVER" -sky exchange -sk "demos1.Softwaremaker.NET Server" -ss "My" -sr localmachine -in "demos1.Softwaremaker.NET" -ir localmachine -is "Trust"
  3. makecert -cy end -n "CN=demos1.Softwaremaker.NET CLIENT" -sky exchange -sk "demos1.Softwaremaker.NET Client" -ss "My" -sr localmachine -in "demos1.Softwaremaker.NET" -ir localmachine -is "Trust"

The -sk option names the key container that holds the certificate's private key; you can use any value, but it *SHOULD* relate to the name of the certificate. The -sky exchange option creates an exchange key rather than a signature-only key, which ensures that the certificate can be used to encrypt and not only to sign.

Note that after Step 1, the root certificate appears in the "Enterprise Trust" folder (the "Trust" store) of *both* the Local Machine and the Current User store. If you delete this certificate to recreate the scenario, you need to:

  1. record the name of the private key file using the X509Certificate tool
  2. delete the certificate using mmc, from both the Local Machine (Trust) as well as the Current User (Trust)
  3. ensure that the private key file has been removed from the machine.

To obtain a .cer file, use the Certificates snap-in in the MMC console, find the certificate and export it without its private key.

Finally, notice that Step 3 places the client certificate in the LocalMachine store; client certs are more generally placed in the CurrentUser store of the user who will present them.
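The whole procedure above, scripted, as an added example that is not part of the original post: it runs the three makecert.exe steps from an elevated Windows PowerShell 5.1 prompt and then checks what the post's notes tell you to look for (which Trust stores received the root, the key type and key-container file behind each end-entity certificate, the chain status, and a .cer export without the private key). It assumes makecert.exe is on PATH and reuses the post's demo names; the function names Invoke-MakeCert and Remove-DemoCerts are my own.

```powershell
# Added example, not from the original post. Assumes Windows PowerShell 5.1 (elevated),
# makecert.exe from the Platform SDK on PATH, and the post's demo names.
$ErrorActionPreference = 'Stop'

$RootCN   = 'demos1.Softwaremaker.NET'
$ServerCN = "$RootCN SERVER"
$ClientCN = "$RootCN CLIENT"

function Invoke-MakeCert {
    # makecert is a native exe, so a failure only shows up in $LASTEXITCODE.
    param([string[]]$Arguments)
    & makecert @Arguments
    if ($LASTEXITCODE -ne 0) { throw "makecert failed: $($Arguments -join ' ')" }
}

# Step 1: self-signed (-r) CA (-cy authority) into LocalMachine\Trust, the store the
# Certificates snap-in labels "Enterprise Trust".
Invoke-MakeCert @('-cy','authority','-r','-n',"CN=$RootCN",'-sr','localmachine','-ss','Trust')

# Steps 2 and 3: end-entity certs (-cy end) with an exchange key (-sky exchange) in a
# named container (-sk), issued by the step-1 root (-in/-ir/-is), into LocalMachine\My.
foreach ($leaf in @(@{ CN = $ServerCN; Key = "$RootCN Server" },
                    @{ CN = $ClientCN; Key = "$RootCN Client" })) {
    Invoke-MakeCert @('-cy','end','-n',"CN=$($leaf.CN)",'-sky','exchange','-sk',$leaf.Key,
                      '-ss','My','-sr','localmachine',
                      '-in',$RootCN,'-ir','localmachine','-is','Trust')
}

# Check 1: the post notes the root shows up in both the LocalMachine and CurrentUser
# Trust stores; list both so you know what to delete later.
foreach ($loc in 'LocalMachine','CurrentUser') {
    $roots = @(Get-ChildItem "Cert:\$loc\Trust" | Where-Object { $_.Subject -eq "CN=$RootCN" })
    "{0}\Trust : {1} root(s) {2}" -f $loc, $roots.Count, ($roots.Thumbprint -join ',')
}

# Check 2: key type and key-container file for each end-entity cert. makecert creates
# CAPI (CSP) keys, so PrivateKey is an RSACryptoServiceProvider; KeyNumber reflects -sky
# (Exchange vs Signature) and UniqueKeyContainerName is the file under
# %ProgramData%\Microsoft\Crypto\RSA\MachineKeys that the post says to record before
# deleting the certificate.
$leaves = @(Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -in "CN=$ServerCN", "CN=$ClientCN" })
foreach ($c in $leaves) {
    $info = $c.PrivateKey.CspKeyContainerInfo
    [pscustomobject]@{
        Subject   = $c.Subject
        Container = $info.KeyContainerName        # the -sk value
        KeyType   = $info.KeyNumber               # Exchange, because of -sky exchange
        KeyFile   = $info.UniqueKeyContainerName  # file name in MachineKeys
    }
}

# Check 3: build the server cert's chain, skipping revocation (the test root publishes
# no CRL). A status of UntrustedRoot means the chain engine does not treat the Trust
# (Enterprise Trust) store as a root store; applications that do full chain validation
# need the root copied into Cert:\LocalMachine\Root as well.
$server = $leaves | Where-Object { $_.Subject -eq "CN=$ServerCN" }
$chain  = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$built  = $chain.Build($server)
"Chain for {0}: built={1} status=[{2}]" -f $ServerCN, $built, (($chain.ChainStatus | ForEach-Object Status) -join ', ')

# Check 4: export the public certificate only (DER .cer). X509ContentType.Cert never
# includes the private key, which is what the post's MMC export step does by hand.
$cerPath = Join-Path $env:TEMP 'demos1-server.cer'
[IO.File]::WriteAllBytes($cerPath, $server.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert))
"Exported $cerPath ($((Get-Item $cerPath).Length) bytes, no private key)"

# To undo (the post's cleanup steps): remove the root from both Trust stores and the
# leaves from My. -DeleteKey (PowerShell 3+) also removes the key file recorded above.
function Remove-DemoCerts {
    foreach ($loc in 'LocalMachine','CurrentUser') {
        Get-ChildItem "Cert:\$loc\Trust" | Where-Object { $_.Subject -eq "CN=$RootCN" } | Remove-Item -DeleteKey
    }
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -in "CN=$ServerCN", "CN=$ClientCN" } | Remove-Item -DeleteKey
}
```

Run it once to create the three certificates, read the KeyFile values off the output before you ever delete anything, and call Remove-DemoCerts to reset the machine instead of hunting through mmc and the MachineKeys folder by hand.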

Please take note that X.509 digital certs generated this way are for testing and development purposes only. It is best to *purchase* a digital certificate from a TRUE Certificate Authority (CA) for production purposes: its root is already trusted on client machines, so you do not have to distribute your own test root to every client that must validate the chain.

Friday, November 19, 2004 11:42:40 PM (Malay Peninsula Standard Time, UTC+08:00)