Posted January 29, 2008 and filed under Security

Recently I needed to generate certificates on several computers participating in a lab I was working on.  I could have installed a Certificate Authority and issued the certificates from that server, but I wanted something faster and easier.  Thankfully Microsoft provides a tool called MakeCert.exe that can create a self-signed root certificate and then issue certificates chained to it, which is all a lab needs.  Keep in mind that MakeCert is a test tool: it keeps no issuance database and publishes no CRL, so it is a shortcut for a lab, not a replacement for a real CA.

After getting everything working correctly I wanted to share the steps to make this process easier for anyone else interested in doing something similar.  You will need MakeCert.exe, which is included in the Windows® Server 2003 R2 Platform SDK and is also attached to this blog entry. Additional MakeCert syntax information can be found at MSDN.

Creating a Root Certificate Authority

makecert.exe -n "CN=My Root CA,O=Organization,OU=Org Unit,L=San Diego,S=CA,C=US" -pe -ss my -sr LocalMachine -sky exchange -m 96 -a sha1 -len 2048 -r My_Root_CA.cer

This creates a self-signed certificate (-r) with an exportable (-pe) 2048-bit exchange key, stored in the LocalMachine personal store (-ss my -sr LocalMachine) and valid for 96 months (-m 96).  Two things worth knowing: adding -cy authority marks the certificate as a CA in its basic constraints, which stricter clients expect of a root, and -a sha1 is the only hash the 2003-era MakeCert offers, while later SDK releases of the tool accept -a sha256.

Import Root Certificate Authority Certificate into Trusted Root Store

certutil.exe -f -addstore Root My_Root_CA.cer

Run this from an elevated prompt; certutil targets the LocalMachine store unless you pass -user, and the root must land in the same store location as the certificates it will issue.

Create Backup (Export) PFX file of Root Certificate Authority Certificate

certutil.exe -privatekey -exportpfx "My Root CA" My_Root_CA.pfx

certutil prompts for a password to protect the PFX; add -p <password> before -exportpfx to supply it non-interactively.  This file contains the root's private key, so anyone who holds it can issue certificates your lab machines will trust.

Create a Server Certificate issued from the previously created Certificate Authority

makecert.exe -n "CN=Server" -pe -ss my -sr LocalMachine -sky exchange -m 96 -in "My Root CA" -is my -ir LocalMachine -a sha1 -eku 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2 Server.cer

Replace Server with the fully qualified name clients will actually connect to.  MakeCert has no option for Subject Alternative Names, so the CN is the only name a client can match against.  The -in/-is/-ir switches point at the issuing certificate by CN in the LocalMachine personal store, and -eku limits the certificate to Server Authentication and Client Authentication.

Create Backup (Export) PFX file of Server Certificate

certutil.exe -privatekey -exportpfx "Server" Server.pfx

Create a Computer certificate issued from the previously created Certificate Authority

makecert.exe -n "CN=Computer" -pe -ss my -sr LocalMachine -sky exchange -m 96 -in "My Root CA" -is my -ir LocalMachine -a sha1 -eku 1.3.6.1.5.5.7.3.2 Computer.cer

Create Backup (Export) PFX file of Computer Certificate

certutil.exe -privatekey -exportpfx "Computer" Computer.pfx
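The whole sequence above, wrapped in a script that also checks the result. This is an added example, not code from the original post; it assumes an elevated prompt, makecert.exe and certutil.exe on the PATH, and PowerShell 2.0 or later. The hostname server01.lab.local, the PFX password and the certs output folder are placeholders; -cy authority on the root is an addition to the post's command, and the verification step builds the chain with .NET's X509Chain and decodes the EKU extension so you can confirm the OIDs you asked for are the ones you got.

```powershell
# Added example (not from the original post): runs the MakeCert/certutil
# sequence end to end, then checks that each issued certificate chains
# to the root and carries the intended EKUs.
# Assumptions: elevated prompt, makecert.exe and certutil.exe on PATH,
# PowerShell 2.0+. Hostname, password and output folder are placeholders.
param(
    [string]$RootName     = "My Root CA",
    [string]$ServerName   = "server01.lab.local",   # assumed; must match the name clients connect to
    [string]$ComputerName = $env:COMPUTERNAME,
    [string]$HashAlg      = "sha1",                 # as in the post; newer MakeCert builds accept sha256
    [int]$Months          = 96,
    [string]$PfxPassword  = "lab-only",             # assumed; never reuse outside the lab
    [string]$OutDir       = (Join-Path $PWD "certs")
)

$ErrorActionPreference = "Stop"
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Run a native tool and fail loudly on a non-zero exit code.
function Invoke-Tool([string]$Exe, [string[]]$ToolArgs) {
    & $Exe @ToolArgs
    if ($LASTEXITCODE -ne 0) { throw "$Exe exited $LASTEXITCODE for: $($ToolArgs -join ' ')" }
}

# Issue an end-entity certificate from the root held in LocalMachine\My.
function New-IssuedCert([string]$Cn, [string]$Eku, [string]$CerPath) {
    Invoke-Tool makecert.exe @(
        "-n", "CN=$Cn", "-pe", "-ss", "my", "-sr", "LocalMachine", "-sky", "exchange",
        "-m", "$Months", "-in", $RootName, "-is", "my", "-ir", "LocalMachine",
        "-a", $HashAlg, "-eku", $Eku, $CerPath)
}

# Export certificate plus private key to PFX without the password prompt.
function Export-Pfx([string]$Cn, [string]$PfxPath) {
    Invoke-Tool certutil.exe @("-f", "-p", $PfxPassword, "-privatekey", "-exportpfx", $Cn, $PfxPath)
}

# Build the chain the way Windows will, and decode the EKU extension.
function Test-IssuedCert([string]$CerPath) {
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # MakeCert publishes no CRL, so revocation checking could only ever fail.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $valid = $chain.Build($cert)
    $ekus = @()
    foreach ($ext in $cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) { $ekus += "$($oid.FriendlyName) ($($oid.Value))" }
        }
    }
    New-Object PSObject -Property @{
        Subject     = $cert.Subject
        Issuer      = $cert.Issuer
        ChainValid  = $valid
        ChainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ","
        EKU         = $ekus -join "; "
    }
}

# 1. Root CA. -cy authority (not in the post's command) sets the CA basic constraint.
$rootCer = Join-Path $OutDir "My_Root_CA.cer"
Invoke-Tool makecert.exe @(
    "-n", "CN=$RootName,O=Organization,OU=Org Unit,L=San Diego,S=CA,C=US",
    "-pe", "-ss", "my", "-sr", "LocalMachine", "-sky", "exchange",
    "-m", "$Months", "-a", $HashAlg, "-len", "2048", "-cy", "authority", "-r", $rootCer)

# 2. Trust it machine-wide and back it up.
Invoke-Tool certutil.exe @("-f", "-addstore", "Root", $rootCer)
Export-Pfx $RootName (Join-Path $OutDir "My_Root_CA.pfx")

# 3. Server cert (Server + Client Authentication) and computer cert (Client Authentication only).
$serverCer   = Join-Path $OutDir "Server.cer"
$computerCer = Join-Path $OutDir "Computer.cer"
New-IssuedCert $ServerName   "1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2" $serverCer
New-IssuedCert $ComputerName "1.3.6.1.5.5.7.3.2"                   $computerCer
Export-Pfx $ServerName   (Join-Path $OutDir "Server.pfx")
Export-Pfx $ComputerName (Join-Path $OutDir "Computer.pfx")

# 4. Prove the result: ChainValid should be True and ChainStatus empty for both.
$serverCer, $computerCer | ForEach-Object { Test-IssuedCert $_ } |
    Format-Table Subject, Issuer, ChainValid, ChainStatus, EKU -AutoSize
```

If ChainValid comes back False with a status of UntrustedRoot, the -addstore step went into a different store location than the one the certificates were issued from (for example a non-elevated prompt). certutil selects the certificate to export by CN, so if LocalMachine\My already holds another certificate with the same CN the export will be ambiguous; clear the old one out or pick a distinct name.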

OID Reference

Encrypting File System (1.3.6.1.4.1.311.10.3.4)

Secure Email (1.3.6.1.5.5.7.3.4)

Smart Card Logon (1.3.6.1.4.1.311.20.2.2)

Client Authentication (1.3.6.1.5.5.7.3.2)

Server Authentication (1.3.6.1.5.5.7.3.1)

IP security IKE intermediate (1.3.6.1.5.5.8.2.2)

If you have any problems or questions feel free to drop me a line and I will do my best to help out.

makecert.zip

UPDATE - DEC 19th, 2008: I have posted a script to automate the syntax listed above.  Have a look and see if it works for you!
