How to use MakeCert for a trusted root certification authority and SSL certificate issuance

I wasn't originally going to blog this, but my colleague, Mat, and I were discussing encryption late last night. Mat was specifically interested in its use for securing traffic in the context of SQL Reporting Services, but we got massively sidetracked and ended up talking about IPSec, MAPI and all sorts of other things along the way. Interesting, nonetheless.

One thing Mat wanted to demonstrate was the use of a certificate for encrypting traffic between a SQL Reporting Server and a back-end database. Why not install a certificate server, he said. My retort was that he was probably barking if this was just for a simple demonstration.... :-) (You're not, really, Mat. Honest!) Hence, one topic along our way was how to use MakeCert.exe to demonstrate SSL encryption. Rather than me show him and not get it written down, what better way than to blog it. Makes sense, right? Spookily, just last week I was reminding myself how to use the makecert.exe utility (download link at the bottom) to generate a self-signed certificate for a completely different purpose. However, that is definitely a subject for another day and besides, I never did succeed in that particular goal :-(

MakeCert.exe allows you (for test/dev purposes only) to generate both a self-signed root certificate, which you then mark as trusted on the machine, and a server certificate issued by that root for encryption purposes (it can issue signing certificates too, but that wasn't relevant in this context). In this way you can create a test/dev web-site, for example, with SSL encryption enabled. Nothing outside your own machine will trust this root, which is exactly the point: it is a throwaway authority for a lab. Follow these simple steps if this is something you need to do. I'll follow up later with an example of how you would use these generated certificates to SSL-enable a very simple web-site under IIS 6.

From the command prompt, in the directory where you downloaded makecert.exe, enter the following on a single line (the list underneath explains each switch; don't type that part):

makecert -pe -n "CN=Test And Dev Root Authority" -ss my -sr LocalMachine -a sha1 -sky signature -r "Test And Dev Root Authority.cer"

  • -pe: make the private key exportable
  • -n "CN=Test And Dev Root Authority": subject name of the root
  • -ss my: certificate store name (my is the Personal store)
  • -sr LocalMachine: certificate store location
  • -a sha1: signature algorithm. Newer makecert builds also accept sha256; prefer it if yours does, since SHA-1 signatures are deprecated and modern TLS clients increasingly reject them
  • -sky signature: subject key type is for signature purposes (a root only ever signs other certificates)
  • -r: make a self-signed certificate
  • "Test And Dev Root Authority.cer": output filename. This file holds the certificate only; the private key stays in the store

You will now have a "Test And Dev Root Authority.cer" certificate on disk, and the same certificate (together with its private key) will also be installed in the LocalMachine Personal store. If you run up a Certificates MMC at this point, you will be able to see this. However, by default, the Certificates snap-in isn't available as a shortcut. Hence, use the following steps:

  • Start/Run/MMC
  • File/Add-Remove Snap-In
  • Click Add
  • Select Certificates and click Add
  • Select Computer Account and hit Next
  • Select Local Computer
  • Click Close
  • Click OK

If you expand the console out to Personal/Certificates, you will see your newly created certificate as in the screenshot below.

Now that you have a root certificate, you need to use it to sign the certificate you are going to use for encryption. Note that signing needs the root's private key, which lives in the LocalMachine Personal store, not in the .cer file on disk (that file holds only the public certificate); the -in, -is and -ir switches below tell makecert where to find the issuer. From the command prompt, enter the following on a single line:

makecert -pe -n "CN=jhoward-5160" -ss my -sr LocalMachine -a sha1 -sky exchange -eku 1.3.6.1.5.5.7.3.1 -in "Test And Dev Root Authority" -is MY -ir LocalMachine -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 jhoward-5160.cer

  • -pe: make the private key exportable
  • -n "CN=jhoward-5160": full DNS name of the target machine. In this example the machine has the NetBIOS name "jhoward-5160" and is not a member of a domain, so its full DNS name really is just that. Replace as appropriate, e.g. CN=mycomputer.company.com. Clients compare this name with the host name in the URL, so a mismatch produces a certificate warning
  • -ss my: certificate store name
  • -sr LocalMachine: certificate store location
  • -a sha1: signature algorithm (same note as for the root: use sha256 if your makecert supports it)
  • -sky exchange: subject key type is for key-exchange purposes (i.e. encryption)
  • -eku 1.3.6.1.5.5.7.3.1: enhanced key usage OID. This one is id-kp-serverAuth, "Server Authentication", the usage an SSL server certificate has to carry
  • -in "Test And Dev Root Authority": issuer's certificate common name
  • -is MY: issuer's certificate store name
  • -ir LocalMachine: issuer's certificate store location
  • -sp "Microsoft RSA SChannel Cryptographic Provider": CryptoAPI provider name
  • -sy 12: CryptoAPI provider type (12 is PROV_RSA_SCHANNEL, which matches the provider above)
  • jhoward-5160.cer: output file; replace and name as appropriate

Go back to the certificates snap-in, right-click the "Test And Dev Root Authority" certificate and copy it to the "Trusted Root Certification Authorities" node. Once done, if you expand this node and then select Certificates, your newly created root cert should be present. Bear in mind what this step means: the machine will now trust anything signed with that root's private key, and you made that key exportable with -pe. Keep it on the test box only, and remove the root from Trusted Root Certification Authorities when the demonstration is over.

If you whizz back to the Personal certificates in this snap-in, you will also see that your new certificate, suitable for encryption purposes, is installed, as highlighted in the screenshot below.

If you double-click the certificate, verify on the General tab that it says "You have a private key that corresponds to this certificate" and that the intended purpose is "Ensures the identity of a remote computer" (that is the Server Authentication EKU from the -eku switch). If either is missing, SSL will not work with this certificate.

At this point, you can safely delete the "Test And Dev Root Authority" certificate from the Personal certificate store in the MMC snap-in (the copy in Trusted Root Certification Authorities is what matters from now on). Keep the two .cer files on disk to save you remembering all the above parameters for makecert.exe, but note what they can and cannot do: the root .cer can be imported into Trusted Root Certification Authorities on any machine with the "All Tasks/Import" wizard, whereas the server .cer contains no private key, so importing it on its own is useless for SSL. To reuse the server certificate elsewhere, export it from the Personal store with the "All Tasks/Export" wizard, choosing "Yes, export the private key" (possible because of -pe), which gives you a password-protected .pfx, and import that instead (assuming that the DNS name of the target machine matches).
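As an added example (not from the original post), here is the whole procedure above as one PowerShell script: both makecert commands, trusting the root without the MMC, the checks the post does by eye, a .pfx export, and the tidy-up. It assumes makecert.exe is on the PATH (it ships with the Windows SDK and Visual Studio), that the session is elevated (writing to the LocalMachine stores needs it), and Windows 8 / Server 2012 or later for Import-Certificate and Export-PfxCertificate. $RootName is the post's value and the host name is taken from the machine; both are placeholders to change as appropriate. It uses -a sha256 rather than the post's sha1; fall back to sha1 only if your makecert build is too old to accept it.

```powershell
# Added example, not code from the original post. Assumes makecert.exe on the PATH,
# an elevated PowerShell session, and the PKI module (Windows 8 / Server 2012+).
$ErrorActionPreference = 'Stop'

$RootName = 'Test And Dev Root Authority'                                  # placeholder
$HostName = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName     # full DNS name (just the NetBIOS name off-domain)
$RootCer  = "$RootName.cer"
$HostCer  = "$HostName.cer"

# Step 1: self-signed (-r) root with an exportable (-pe) signing-only key.
& makecert -pe -n "CN=$RootName" -ss my -sr LocalMachine -a sha256 -sky signature -r $RootCer
if ($LASTEXITCODE -ne 0) { throw "makecert (root) exited with $LASTEXITCODE" }

# Step 2: server certificate issued by that root. -in/-is/-ir locate the issuer, and its
# private key, in LocalMachine\My; the .cer on disk plays no part in signing.
# 1.3.6.1.5.5.7.3.1 is id-kp-serverAuth ("Server Authentication"); -sy 12 is PROV_RSA_SCHANNEL.
& makecert -pe -n "CN=$HostName" -ss my -sr LocalMachine -a sha256 -sky exchange `
    -eku 1.3.6.1.5.5.7.3.1 -in $RootName -is MY -ir LocalMachine `
    -sp 'Microsoft RSA SChannel Cryptographic Provider' -sy 12 $HostCer
if ($LASTEXITCODE -ne 0) { throw "makecert (server) exited with $LASTEXITCODE" }

# Step 3: trust the root. Importing the public .cer into LocalMachine\Root replaces the
# MMC "copy to Trusted Root Certification Authorities" step; no private key goes there.
Import-Certificate -FilePath $RootCer -CertStoreLocation Cert:\LocalMachine\Root | Out-Null

# Step 4: the checks the post makes in the certificate dialog, done programmatically.
$server = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$HostName" -and $_.Issuer -eq "CN=$RootName" } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $server) { throw 'server certificate not found in LocalMachine\My' }
if (-not $server.HasPrivateKey) { throw 'server certificate has no private key' }

$serverAuth = '1.3.6.1.5.5.7.3.1'
$eku = $server.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
if (-not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuth })) {
    throw 'server certificate lacks the Server Authentication EKU'
}

# Building the chain against the machine's stores is the real test that step 3 worked.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
if (-not $chain.Build($server)) {
    $why = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    throw "chain does not build to a trusted root: $why"
}
Write-Host "OK: $($server.Subject) issued by $($server.Issuer), thumbprint $($server.Thumbprint)"

# Step 5: a reusable copy. The .cer files hold certificates only; to move the server
# certificate and its key to another machine you need a password-protected .pfx.
$pfxPassword = Read-Host -AsSecureString -Prompt 'Password for the .pfx'
Export-PfxCertificate -Cert $server -FilePath "$HostName.pfx" -Password $pfxPassword | Out-Null

# Step 6 (optional, as in the post): drop the root from the Personal store. If you still
# plan to issue certificates from this root, skip this; otherwise -DeleteKey also removes
# the root's signing key so it does not linger in a key container on the machine.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$RootName" } |
    Remove-Item -DeleteKey
```

Run it once, elevated, on the test machine; the chain build at step 4 is the part worth keeping even if you do everything else by hand, because it fails loudly on exactly the two mistakes people make here (root not copied to Trusted Root Certification Authorities, or the server certificate issued under the wrong name).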

Download makecert.exe from microsoft.com here (it also ships with the Windows SDK and Visual Studio).

Oh the fun of after-work conversations.... Hope this is useful for you.