Certificate Creation Tool (Makecert.exe)

The Certificate Creation tool generates X.509 certificates for testing purposes only. It creates a public and private key pair for digital signatures and stores it in a certificate file. This tool also associates the key pair with a specified publisher's name and creates an X.509 certificate that binds a user-specified name to the public part of the key pair.

Makecert.exe includes basic and extended options. Basic options are those most commonly used to create a certificate. Extended options provide more flexibility.

makecert [options] outputCertificateFile
Argument Description
outputCertificateFile The name of the .cer file where the test X.509 certificate will be written.

Basic Options

Option Description
-n x509name Specifies the subject's certificate name. This name must conform to the X.500 standard. The simplest method is to specify the name in double quotes, preceded by CN=; for example, "CN=myName".
-sk keyname Specifies the subject's key container location, which contains the private key. If a key container does not exist, it will be created.
-sr location Specifies the subject's certificate store location. Location can be either currentuser (the default), or localmachine.
-ss store Specifies the subject's certificate store name that stores the output certificate.
-# number Specifies a serial number from 1 to 2^31-1. The default is a unique value generated by Makecert.exe.
-$ authority Specifies the signing authority of the certificate, which must be set to either commercial (for certificates used by commercial software publishers) or individual (for certificates used by individual software publishers).
-? Displays command syntax and a list of basic options for the tool.
-! Displays command syntax and a list of extended options for the tool.

Extended Options

Option Description
-a algorithm Specifies the signature algorithm. Must be either md5 (the default) or sha1.
-b mm/dd/yyyy Specifies the start of the validity period. Defaults to the certificate's creation date.
-cy certType Specifies the certificate type. Valid values are end for end-entity, authority for certification authority, or both.
-d name Displays the subject's name.
-e mm/dd/yyyy Specifies the end of the validity period. Defaults to 12/31/2039 11:59:59 GMT.
-eku oid[,oid] Inserts a list of comma-separated, enhanced key usage object identifiers (OIDs) into the certificate.
-h number Specifies the maximum height of the tree below this certificate.
-ic file Specifies the issuer's certificate file.
-ik keyName Specifies the issuer's key container name.
-iky keytype Specifies the issuer's key type, which must be signature, exchange, or an integer (such as 4).
-in name Specifies the issuer's certificate common name.
-ip provider Specifies the issuer's CryptoAPI provider name.
-ir location Specifies the location of the issuer's certificate store. Location can be either currentuser (the default) or localmachine.
-is store Specifies the issuer's certificate store name.
-iv pvkFile Specifies the issuer's .pvk private key file.
-iy type Specifies the issuer's CryptoAPI provider type.
-l link Links to policy information (for example, a URL).
-m number Specifies the duration, in months, of the certificate validity period.
-nscp Includes the Netscape client-authorization extension.
-r Creates a self-signed certificate.
-sc file Specifies the subject's certificate file.
-sky keytype Specifies the subject's key type, which must be signature, exchange, or an integer (such as 4).
-sp provider Specifies the subject's CryptoAPI provider name.
-sv pvkFile Specifies the subject's .pvk private key file. The file is created if none exists.
-sy type Specifies the subject's CryptoAPI provider type.

Examples

The following command creates a test certificate and writes it to testCert.cer.

makecert testCert.cer

The following command creates a test certificate and writes it to testXYZ.cer, using the subject's key container and the certificate subject's X.500 name.

makecert -sk XYZ -n "CN=XYZ Company" testXYZ.cer 
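The following PowerShell session is an added example, not part of the original page. It combines the extended options above to build a two-level test chain (a self-signed test root and an end-entity certificate issued by it), overrides the md5 default with -a sha1, and limits the validity period with -m instead of accepting the 2039 default. The file names, subject names, and key container name are constructed placeholders; 1.3.6.1.5.5.7.3.3 is the standard code-signing enhanced key usage OID, and My is the personal certificate store.

```powershell
# Added example: all file, subject, and container names below are constructed placeholders.

# 1. Self-signed test root.
#    -r            self-signed
#    -cy authority mark the certificate as a certification authority
#    -a sha1       override the md5 default signature algorithm
#    -sv           write the root's private key to a .pvk file (created if none exists)
#    -m 6          six-month validity instead of the 12/31/2039 default
makecert -r -n "CN=Test Root (testing only)" -cy authority -a sha1 `
         -sv TestRoot.pvk -m 6 TestRoot.cer

# 2. End-entity test certificate issued by the test root.
#    -ic / -iv     issuer certificate file and issuer .pvk private key file
#    -cy end       end-entity certificate
#    -eku          restrict usage to code signing (1.3.6.1.5.5.7.3.3)
#    -sk           subject key container (created if it does not exist)
#    -sky          subject key type
#    -sr / -ss     place the output certificate in the current user's My store
makecert -n "CN=Test Signer" -cy end -a sha1 -eku 1.3.6.1.5.5.7.3.3 `
         -ic TestRoot.cer -iv TestRoot.pvk `
         -sk TestSignerKeys -sky signature `
         -sr currentuser -ss My -m 6 TestSigner.cer

# 3. Check what was actually issued: issuer, expiry, and signature algorithm.
#    Confirm the algorithm is not the md5 default and the expiry matches -m.
Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Subject -eq 'CN=Test Signer' } |
    Format-List Subject, Issuer, NotAfter,
                @{ Name = 'SignatureAlgorithm'; Expression = { $_.SignatureAlgorithm.FriendlyName } }

# 4. Remove the test certificate from the store when testing is finished.
Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Subject -eq 'CN=Test Signer' } |
    Remove-Item
```

Keep TestRoot.pvk out of shared locations and delete it after testing, since anyone holding it can issue further certificates under the test root.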

See Also

.NET Framework Tools | Software Publisher Certificate Test Tool (Cert2spc.exe)