Makecert.exe (Kind Of) SAN and Wildcard certificate


Disclaimer - Makecert is deprecated, and the following will only work for testing in IE, as this is not a true SAN certificate.


I often run into issues with expired certificates while working in test VMs. This article talks about how to generate a self-signed root certificate and then a certificate signed by that root. But what if you just want a certificate that is self-signed and just works? We can use makecert (it ships with the Windows SDK and with Visual Studio), but it is quite a challenge to figure out where to get the tool, and is it worth the effort?

The simpler solution is the command below, which creates your own wildcard certificate (*.contoso.com); the resulting certificate is also attached to this post for download.

makecert -r -pe -n "CN=*.contoso.com" -b 01/01/2010 -e 01/01/2100 -eku 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.3,1.3.6.1.5.5.7.3.4 -ss my -sr localMachine -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 -len 2048

The certificate above has EKUs for Server Authentication (1.3.6.1.5.5.7.3.1), Client Authentication (1.3.6.1.5.5.7.3.2), Code Signing (1.3.6.1.5.5.7.3.3) and Secure Email (1.3.6.1.5.5.7.3.4), so it should work for most common test purposes. The other switches: -r makes it self-signed, -pe marks the private key exportable, -ss my -sr localMachine stores it in the Local Computer Personal store, and -sky exchange with the Microsoft RSA SChannel provider (-sp, -sy 12 = PROV_RSA_SCHANNEL) gives a 2048-bit RSA key that SChannel can use for TLS.

If you want a certificate that also covers other domain names, which is what a Subject Alternative Name (SAN) certificate would give you, for a VM/test configuration serving both *.contoso.com and *.fabrikam.com, the best makecert can do is put both names into the Subject as separate CN= values; makecert has no option to emit a real SAN (2.5.29.17) extension. IE/SChannel accepts this, but browsers that only match host names against SAN entries will not, hence the disclaimer above:

makecert -r -pe -n "CN=*.fabrikam.com, CN=*.contoso.com" -b 01/01/2010 -e 01/01/2100 -eku 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.3,1.3.6.1.5.5.7.3.4 -ss my -sr localMachine -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 -len 2048
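Since makecert cannot produce a true SAN certificate, here is an added example (not from the original post) of the supported replacement, the PKI module's New-SelfSignedCertificate cmdlet (Windows 8.1 / Server 2012 R2 and later). It creates the same two wildcard names with the same four EKUs, but with the names in a real Subject Alternative Name extension, and includes a small check that prints where a certificate's names actually live, so you can compare it against the makecert certificate above. The output folder, the friendly name, the two-year lifetime and the Get-CertificateNames helper are assumptions for a test lab.

```powershell
# Added example, not part of the original post. Requires the PKI module
# (Windows 8.1 / Server 2012 R2 or later) and an elevated prompt for the
# LocalMachine store. Names, paths and the friendly name are lab assumptions.

$names = '*.contoso.com', '*.fabrikam.com'

# Same four EKUs as the makecert command above:
# server auth, client auth, code signing, secure email.
$ekuExtension = '2.5.29.37={text}1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.3,1.3.6.1.5.5.7.3.4'

$params = @{
    DnsName           = $names                  # first name becomes the Subject CN; all of them go into the SAN extension
    CertStoreLocation = 'Cert:\LocalMachine\My' # same store as makecert's "-ss my -sr localMachine"
    KeyAlgorithm      = 'RSA'
    KeyLength         = 2048                    # same as -len 2048
    HashAlgorithm     = 'SHA256'                # makecert defaults to SHA-1, which current clients distrust
    KeyExportPolicy   = 'Exportable'            # same as -pe
    KeySpec           = 'KeyExchange'           # same as -sky exchange
    TextExtension     = @($ekuExtension)
    NotAfter          = (Get-Date).AddYears(2)  # a short lifetime is fine for a lab; -e 01/01/2100 is not
    FriendlyName      = 'Lab wildcard (contoso + fabrikam)'
}
$cert = New-SelfSignedCertificate @params

function Get-CertificateNames {
    # Reports where a certificate's host names actually live: in the Subject,
    # in the SAN extension (OID 2.5.29.17), or both. Browsers only use the SAN.
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $dnsNames = @()
    if ($san) {
        # Format($true) renders one entry per line, e.g. "DNS Name=*.contoso.com".
        # The "DNS Name" label is localized on non-English Windows.
        $dnsNames = $san.Format($true) -split "`r?`n" |
            Where-Object { $_ -match '^DNS Name=' } |
            ForEach-Object { $_ -replace '^DNS Name=', '' }
    }
    [pscustomobject]@{
        Subject     = $Certificate.Subject
        HasSan      = [bool]$san
        SanDnsNames = $dnsNames -join ', '
        Thumbprint  = $Certificate.Thumbprint
    }
}

# The new certificate: one CN in the Subject, both names in the SAN.
Get-CertificateNames -Certificate $cert | Format-List

# For contrast, any makecert certificate from this post in the same store:
# two CNs in the Subject and no SAN extension at all.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -match 'CN=\*\.contoso\.com' -and $_.Subject -match 'CN=\*\.fabrikam\.com' } |
    ForEach-Object { Get-CertificateNames -Certificate $_ } |
    Format-Table Subject, HasSan, SanDnsNames -AutoSize

# Export: the .pfx (with the private key) stays on the lab web server; the .cer
# (public part only) is what gets pushed to Trusted Roots. Never publish the .pfx password.
$outDir = 'C:\lab'
New-Item -ItemType Directory -Path $outDir -Force | Out-Null
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
Export-PfxCertificate -Cert $cert -FilePath "$outDir\star-contoso-fabrikam.pfx" -Password $pfxPassword | Out-Null
Export-Certificate    -Cert $cert -FilePath "$outDir\star-contoso-fabrikam.cer" | Out-Null
```

The splatted parameters map one-to-one onto the makecert switches in the commands above, with SHA-256 instead of makecert's default SHA-1 signature. Get-CertificateNames is the quick way to answer the question raised in the comments below: a certificate whose names appear only in the Subject (HasSan = False) will be accepted by IE/SChannel but rejected by browsers that require a SAN.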

Remember to import this certificate into “Trusted Root Certification Authorities” on every machine that must trust it: the -ss my -sr localMachine switches only placed it in the Local Computer Personal store, and a self-signed certificate is trusted only when the certificate itself is in the root store. The password to import the attached .pfx is: Pa$$w0rd

You can distribute this certificate to every machine in your domain via Group Policy (the policy stores only the public certificate, so keep the .pfx with the private key off the GPO):

  1. Open the Group Policy object (GPO) that you want to edit.
  2. In the console tree, expand “Policy Object Name/Computer Configuration/Windows Settings/Security Settings/Public Key Policies/Trusted Root Certification Authorities”.
  3. On the Action menu, point to All Tasks, and then click Import.

    This starts the Certificate Import Wizard, which guides you through importing a root certificate and installing it as a trusted root certification authority (CA) for this GPO.
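Once the GPO has applied (or on a single test VM, where the same import can be done by hand), it is worth confirming that the certificate really landed in the Local Computer Trusted Roots and that the Windows SSL chain policy accepts it for the exact host names you intend to use. The following is an added example, not from the original post; the .cer path and the host names are assumptions, and Test-LabCertificateTrust is a helper written for this page rather than a built-in cmdlet.

```powershell
# Added example, not part of the original post. Run elevated on the machine
# that should trust the certificate. Path and host names are lab assumptions.

$cerPath = 'C:\lab\star-contoso-fabrikam.cer'   # public part only, no private key

# Single-machine equivalent of the GPO import above. For a domain, let the GPO
# do this; the check below is still useful to prove that the policy applied.
$imported = Import-Certificate -FilePath $cerPath -CertStoreLocation 'Cert:\LocalMachine\Root'

function Test-LabCertificateTrust {
    # Confirms the certificate is a trusted root on this machine and asks the
    # SSL chain policy (what SChannel/IE evaluate) whether it is valid for each host name.
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [Parameter(Mandatory)][string[]]$HostName
    )
    $root = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $root) {
        throw "Thumbprint $Thumbprint is not in Cert:\LocalMachine\Root; if it was pushed by GPO, run gpupdate /force and retry."
    }
    foreach ($name in $HostName) {
        # -Policy SSL checks trust, validity period, the Server Authentication EKU
        # and the host name against the certificate's SAN (or the CN if there is no SAN).
        $ok = Test-Certificate -Cert $root -Policy SSL -DNSName $name -EKU '1.3.6.1.5.5.7.3.1' -ErrorAction SilentlyContinue
        [pscustomobject]@{
            HostName      = $name
            TrustedForTls = [bool]$ok
        }
    }
}

# A wildcard covers exactly one DNS label: *.contoso.com matches www.contoso.com
# but neither the bare contoso.com nor a.b.contoso.com, and nothing outside the
# two listed domains should pass at all.
$hosts = 'www.contoso.com', 'contoso.com', 'a.b.contoso.com', 'portal.fabrikam.com', 'www.example.net'
Test-LabCertificateTrust -Thumbprint $imported.Thumbprint -HostName $hosts | Format-Table -AutoSize
```

Running this on a client before any IIS binding is touched separates "the GPO did not apply" (the throw) from "the certificate does not cover that name" (TrustedForTls = False for a specific host), which are the two failures that otherwise both show up as a generic certificate error in the browser.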

Please don’t use this certificate in production! Its private key is in the attached .pfx with a published password, so anyone who downloads it can impersonate any *.contoso.com or *.fabrikam.com host to every machine that trusts it. The same applies to any self-signed test certificate whose private key leaves the lab.

Thanks,

Uday

STAR.Contoso.comAndStar.fabrikam.com.pfx


Comments (2)
  1. Uday Pandya says:

    Makecert is deprecated, and the above will only work for testing in IE, as this is not a true SAN certificate.

  2. Anonymous says:

    Does the SAN cert actually work? The names are both in "Subject" as "CN=*.fabrikam.com", instead of in a "Subject Alternative Name" certificate as "DNS Names=*.fabrikam.com" …
