Creating a Certificate Using MakeCert

This article discusses the purpose of SSL/TLS server certificates and how to create a certificate that can be used for testing purposes on your own development system.

More Information

The MakeCert utility has been deprecated and we no longer recommend using it to create self-signed server certificates. Review the following articles on how to install and use OpenSSL to create a test server certificate.

OpenSSL Installation Packages for Windows
Creating a Certificate Using OpenSSL

To create a certificate for testing purposes using MakeCert, there are two steps. First, create a self-signed certificate which establishes you as your own Certification Authority (CA). Next, you use that root certificate to sign a test server certificate which will be placed in your personal certificate store. Because you’re functioning as your own certification authority, any other systems that would attempt to connect to your server would return an error indicating that the certificate was not trusted until your test root certificate was installed on their system.

Included in Microsoft’s Platform SDK is a utility called MakeCert which will allow you to easily create digital certificates. Current versions of Visual Studio include a shortcut to the command prompt which sets the environment for that toolset. To create a self-signed certificate, open an administrative command prompt and enter the following:

MakeCert -pe -n "CN=TestCA" -b 01/01/2020 -e 01/01/2025 -ss my -sr currentuser -a sha256 -sky signature -len 2048 -r "TestCA.cer"

Note: If you get an error indicating the CryptCertStrToNameW failed, this can happen when cutting and pasting this command from the browser into the command window. Try entering the command as shown manually.

This will create a file named TestCA.cer which contains the self-signed root certificate with a name of “TestCA”. The certificate will automatically installed in your own personal certificate store, however you also need to install it as a trusted root certificate. To do this, use the Management Console to manage your certificate store. This can be done from the command line by entering the command:

CertMgr.msc

Right-click on Trusted Root Certification Authorities and select All Tasks and Import to start the Certificate Import Wizard. Select the TestCA.cer file, and then choose the option to place the certificate in a specified store (do not have it automatically select the store). Press the Browse button and select Trusted Root Certification Authorities. A confirmation dialog will make sure that you want to install it; once complete, your new test root certificate has been installed.

Creating the Server Certificate

The second step is to create a server certificate. To do this, enter the following command at the command prompt:

MakeCert -pe -n "CN=localhost" -b 01/01/2020 -e 01/01/2025 -eku 1.3.6.1.5.5.7.3.1 -in "TestCA" -is my -ir currentuser -ss my -sr currentuser -a sha256 -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 -len 2048 "Localhost.cer"

This will create a file named Localhost.cer in the current directory, and will install your certificate in your personal store. Now, with your new server certificate, you should be able to connect to your server securely. Remember, if you want a different system to connect to your server, you need to copy the TestCA.cer to that system and install it in the trusted root certificate store, otherwise the server certificate will be considered invalid.

See Also

OpenSSL Installation Packages for Windows
Creating a Certificate Using OpenSSL
Connections Fail Using Test Certificate
Local Connections Using Microsoft Edge
Microsoft Windows 10 SDK
Microsoft Windows SDK for Windows 7 and .NET Framework 4