The MakeCert utility creates an X.509 certificate, signed by the test root key or another key you specify, that binds your name to the public part of the key pair. The certificate is saved to a file, a system certificate store, or both. Certificates signed by the test root key, and self-signed certificates made with -r, are for testing only: the test root is not trusted by default, so anything signed under it will not verify on a machine that has not explicitly installed that root.
MakeCert [basic options | extended options] outputFile
outputFile
Name of the file where the certificate will be written. May be omitted if the certificate is not to be written to a file.
For the latest documentation on MakeCert, see the CryptoAPI Tools section of the MSDN Library.
For more information on application security, see the Platform SDK, Security section of the MSDN Library.
MakeCert includes basic and extended options. Basic options are those most commonly used to create a certificate; extended options provide more flexibility. The options are also divided into three functional groups: options that apply to SPC files, private keys, and certificate stores alike; options for SPC files and private keys only; and options for certificate stores only.
The following options apply to SPC file, private key, and certificate store technology.
| Extended option | Internet Explorer version | Description |
|---|---|---|
| -a (3.02) or -a algorithm (4.0 and later) | 3.02 or later | 3.02: indicates that the SHA1 hash algorithm should be used; MD5 is the default. 4.0 and later: hash algorithm, which must be either SHA1 or MD5 (the default). Both algorithms have since been broken for signature use, so neither should be chosen for anything beyond a throwaway test certificate. |
| -b dateStart | 3.02 or later | Date the certificate first becomes valid. The default is the time the certificate is created. The format of dateStart is mm/dd/yyyy. |
| -c | 3.02 only | Certificate will be used by commercial software publishers. |
| -c f | 3.02 only | Certificate will be used by commercial software publishers who have met the minimum financial criteria. |
| -t:types | 3.02 only | Certificate type. This parameter can be E for end-entity, C for certification authority, or both. |
| -cy certificateTypes | 4.0 and later | Certificate type. Can be end for end-entity, authority for certification authority, or both. |
| -d displayName | 3.02 or later | Display name of the subject. |
| -e dateEnd | 3.02 or later | Date when the validity period ends. The default is the year 2039. The format of dateEnd is mm/dd/yyyy. |
| -eku OID1, OID2… | 4.0 and later | Inserts a list of one or more comma-separated enhanced key usage object identifiers (OIDs) into the certificate. For example, -eku 1.3.6.1.5.5.7.3.2 inserts the client authentication OID. For definitions of allowable OIDs, see the Wincrypt.h file in the Microsoft® CryptoAPI 2.0. |
| -g | 3.02 only | Creates a glue certificate. |
| -h numChildren | 3.02 or later | Maximum height of the tree below this certificate, that is, how many certification authority levels may appear beneath it. |
| -i | 3.02 only | Certificate will be used by individual software publishers. |
| -l: policyLink (3.02) or -l policyLink (4.0 and later) | 3.02 or later | Link to SPC agency policy information (for example, a URL). |
| -d: nMonths | 3.02 only | Duration of the validity period, in months. |
| -m nMonths | 4.0 and later | Duration of the validity period, in months. |
| -m | 3.02 only | The MD5 hash algorithm should be used. This is the default. |
| -n: name (3.02) or -n name (4.0 and later) | 3.02 or later | Name for the publisher's certificate. This name must conform to the X.500 standard. The simplest method is to use the "CN=MyName" format, for example -n "CN=Test". |
| -n | 3.02 only | The Netscape client authentication extension should be included. |
| -nscp | 4.0 and later | The Netscape client authentication extension should be included. |
| -r | 3.02 or later | Creates a self-signed certificate. |
| -u: subjectCertFile | 3.02 only | Certificate file name with the existing subject public key to be used. |
| -u: subjectKey | 3.02 only | Location of the subject's key container, which holds the private key. If the key container does not exist, one is created. |
| -sc subjectCertFile | 4.0 and later | Certificate file name with the existing subject public key to be used. |
| -sk subjectKey | 4.0 and later | Location of the subject's key container, which holds the private key. If the key container does not exist, one is created. If neither the -sk nor the -sv option is used, a default key container is created and used. |
| -sky subjectKeySpec | 4.0 and later | Subject's key specification, which must be one of three values: signature (the AT_SIGNATURE key specification), exchange (the AT_KEYEXCHANGE key specification), or an integer such as 3. See the note on key specifications below. |
| -sp subjectProviderName | 3.02 or later | CryptoAPI provider for the subject. The default is the user's provider. See the CryptoAPI 2.0 documentation in the MSDN Library for details on CryptoAPI providers. |
| -sr subjectCertStoreLocation | 4.0 and later | Registry location of the subject's certificate store, which must be either localMachine (registry key HKEY_LOCAL_MACHINE) or currentUser (registry key HKEY_CURRENT_USER). currentUser is the default. |
| -ss subjectCertStoreName | 4.0 and later | Name of the subject's certificate store where the generated certificate will be stored. |
| -k: subjectKeyFile | 3.02 only | Location of the subject's .pvk file. |
| -sv subjectKeyFile | 4.0 and later | Name of the subject's .pvk file. If neither the -sk nor the -sv option is used, a default key container is created and used. |
| -sy nSubjectProviderType | 4.0 and later | CryptoAPI provider type for the subject. The default is PROV_RSA_FULL. See the CryptoAPI 2.0 documentation in the MSDN Library for details on CryptoAPI provider types. |
| -#: serialNumber (3.02) or -# serialNumber (4.0 and later) | 3.02 or later | Serial number of the certificate. The maximum value is 2^31. The default is a value generated by the utility that is guaranteed to be unique. |
| -$ certificateAuthority | 4.0 and later | Type of certification authority, which must be set to either commercial (for certificates to be used by commercial software publishers) or individual (for certificates to be used by individual software publishers). |
| -? | 3.02 or later | Displays the basic options. |
| -! | 4.0 and later | Displays the extended options. |
Note If the -sky key specification option is used in Microsoft® Internet Explorer version 4.0 or later, the specification must match the key specification indicated by the private key file or private key container. If the key specification option is not used, the key specification indicated by the private key file or private key container will be used. If there is more than one key specification in the key container, MakeCert will first attempt to use the AT_SIGNATURE key specification. If that fails, MakeCert will try to use AT_KEYEXCHANGE. Since most users have either an AT_SIGNATURE key or AT_KEYEXCHANGE key, this option does not need to be used in most cases.
The following options are only for software publisher certificate (SPC) files and private key technology.
| SPC/private key option | Internet Explorer version | Description |
|---|---|---|
| -i: issuerCertificate | 3.02 only | Location of the issuer's certificate. |
| -ic issuerCertFile | 3.02 or later | Location of the issuer's certificate. |
| -s: issuerKeyFile | 3.02 only | Location of the issuer's key container. The default is the test root key. |
| -ik issuerKey | 4.0 and later | Location of the issuer's key container. The default is the test root key. |
| -k: keySpec | 3.02 only | Issuer's key specification. Can be either S for a signature key (the default) or E for a key-exchange key. |
| -iky issuerKeySpec | 4.0 and later | Issuer's key specification, which must be one of three values: signature (the AT_SIGNATURE key specification), exchange (the AT_KEYEXCHANGE key specification), or an integer such as 3. See the note on key specifications below. |
| -x: providerName | 3.02 only | CryptoAPI provider for the issuer. The default is the user's provider. See the CryptoAPI 2.0 documentation in the MSDN Library for details on CryptoAPI providers. |
| -ip issuerProviderName | 4.0 and later | CryptoAPI provider for the issuer. The default is the user's provider. See the CryptoAPI 2.0 documentation in the MSDN Library for details on CryptoAPI providers. |
| -iv issuerKeyFile | 3.02 or later | Issuer's private-key (.pvk) file. The default is the test root. |
| -y: nProviderType | 3.02 only | CryptoAPI provider type for the issuer. The default is PROV_RSA_FULL. See the CryptoAPI 2.0 documentation in the MSDN Library for details on CryptoAPI provider types. |
| -iy nIssuerProviderType | 4.0 and later | CryptoAPI provider type for the issuer. The default is PROV_RSA_FULL. See the CryptoAPI 2.0 documentation in the MSDN Library for details on CryptoAPI provider types. |
Note If the -iky key specification option is used in Internet Explorer 4.0 or later, the specification must match the key specification indicated by the private key file or private key container. If the key specification option is not used, the key specification indicated by the private key file or private key container will be used. If there is more than one key specification in the key container, MakeCert will first attempt to use the AT_SIGNATURE key specification. If that fails, MakeCert will try to use AT_KEYEXCHANGE. Since most users have either an AT_SIGNATURE key or AT_KEYEXCHANGE key, this option does not need to be used in most cases.
The following options are for certificate store technology only. These options are supported with Internet Explorer 4.0 and later.
| Certificate store option | Internet Explorer version | Description |
|---|---|---|
| -ic issuerCertFile | 4.0 and later | File containing the issuer's certificate. MakeCert will search the certificate store for a certificate that exactly matches it. |
| -in issuerNameString | 4.0 and later | Common name of the issuer's certificate. MakeCert will search the certificate store for a certificate whose common name includes issuerNameString. |
| -ir issuerCertStoreLocation | 4.0 and later | Registry location of the issuer's certificate store, which must be either localMachine (registry key HKEY_LOCAL_MACHINE) or currentUser (registry key HKEY_CURRENT_USER). currentUser is the default. |
| -is issuerCertStoreName | 4.0 and later | Issuer's certificate store, which holds the issuer's certificate and its associated private key information. If the store holds more than one certificate, the issuer must be identified uniquely with the -ic or -in option; if it is not, MakeCert will fail. |
The following examples create test certificates with MakeCert, using options available with Microsoft® Internet Explorer version 4.0 or later. Where an example is a sequence of commands, each command is on its own line.

Create a certificate signed by the test root key, using a default key container, and write it to myNew.cer:

MakeCert myNew.cer

Create a certificate and place it in the myNewStore certificate store rather than in a file:

MakeCert -ss myNewStore

Create a certificate whose private key is kept in myNew.pvk, store the certificate both in myNewStore and in myNew.cer, then sign myControl.exe with that .pvk/.cer pair and a timestamp:

MakeCert -sv myNew.pvk -ss myNewStore myNew.cer
SignCode -v myNew.pvk -spc myNew.cer -t http://timestamp.verisign.com/scripts/timestamp.dll myControl.exe

Keep the subject's private key in the key container myNewKey (created if it does not exist):

MakeCert -sk myNewKey -ss myNewStore myNew.cer

Create a certificate in myNewStore, then use it (the only certificate in that store) as the issuer of a second certificate written to anotherStore:

MakeCert -sk myNewKey -ss myNewStore
MakeCert -is myNewStore -ss anotherStore

Create a certificate with subject CN=XXZZYY in the my store, then issue from it, selecting the issuer by its common name with -in:

MakeCert -sk myNewKey -n "CN=XXZZYY" -ss my
MakeCert -is my -in "XXZZYY" -ss anotherStore

The same, selecting the issuer by an exact match against the certificate file with -ic:

MakeCert -sk myNewKey -n "CN=XXZZYY" -ss my myNew.cer
MakeCert -is my -ic myNew.cer -ss anotherStore

Create a self-signed root certificate in the myNewRoot store and sign with it directly:

MakeCert -sk myNewRootKey -r -ss myNewRoot
SignCode -s myNewRoot myControl.exe

Note When SignCode uses a certificate in a store for signing, it also builds a certificate chain from the signing certificate to a root. Every certificate in that chain must be in one of the MY, ca, or Root certificate stores. In the following example the root certificate is therefore placed in the ca store.

Create a self-signed root in the ca store, issue a signing certificate from it into the myNewSign store, and sign myControl.exe with the issued certificate:

MakeCert -sk myNewRootKey -r -ss ca myNewRoot.cer
MakeCert -is ca -ic myNewRoot.cer -ss myNewSign
SignCode -s myNewSign myControl.exe