Make a self-signed certificate

I recently received a couple of questions on how to make a self-signed certificate for server authentication. I have been using self-signed certificates for some time now, mainly in test environments. You can use them to quickly test SSL on a web server, or to secure Remote Desktop Connection, which is what I have been using them for a lot lately.

Now, I would advise against using self-signed certificates in a production environment because of the security implications: a client has no way of knowing who really created the certificate, which makes it much less trustworthy than one issued by a known CA. However, there might be situations in which you would still consider using a self-signed certificate.

So, here’s how I make a self-signed certificate.

Download and install makecert.exe
You will need makecert.exe which is included in the Windows SDK for Windows Server 2008 and .NET Framework 3.5. When you run the installer the necessary components will be downloaded based on the choices you make during the installation process. To prevent downloading the total SDK suite (which can be over 1GB) de-select all options and only select the Win32 Developer Tools for installation.

Create the certificate
Use the command below to create the certificate.

makecert.exe -r -n "CN=server.domain.com" -m 120 -sky exchange -eku 1.3.6.1.5.5.7.3.1 -ss my -sr LocalMachine -pe -a sha1

The options explained:

| Option | Description |
|---|---|
| -r | Creates a self-signed certificate. |
| -n x509name | Name of the server, in X.500 form. Best to use the host name between double quotes preceded by CN=, for example "CN=server". |
| -m number | Number of months the certificate is valid. In this example 120 months = 10 years. |
| -sky keytype | Subject key type, which can only be signature or exchange. |
| -eku oid[,oid] | Extended Key Usage. Sets the purposes for which the certificate can be used. See the OID Reference later on. |
| -ss store | Where to store the certificate. Can be my for the personal store or Root for the trusted root store. |
| -sr location | Physical location of the store, which can be currentuser or localmachine. |
| -pe | Marks the private key as exportable. |
| -a algorithm | Signature hash algorithm, md5 (default) or sha1. |
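Once makecert has run, it is worth checking what actually landed in the store before pointing a web server or RDP at it. The PowerShell script below is an added example, not part of the original post: it looks up the certificate by the subject name used in the command above (assumed to be CN=server.domain.com; change $SubjectName to match yours), confirms it is self-signed, carries the Server Authentication EKU, has a private key, and has the expected validity, and flags a signature made with MD5 or SHA-1, which current clients warn on or reject. The function name Test-SelfSignedServerCert is my own.

```powershell
# Added example (not from the original post): inspect the certificate makecert
# created in LocalMachine\My and report the properties that matter for trust.
$SubjectName   = 'CN=server.domain.com'       # assumed: the -n value used above
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'          # Server Authentication, from the OID reference

function Test-SelfSignedServerCert {
    param(
        [Parameter(Mandatory)] [string] $Subject,
        [string] $StorePath      = 'Cert:\LocalMachine\My',   # -ss my -sr LocalMachine
        [int]    $ExpectedMonths = 120                        # -m 120
    )

    # Newest certificate with this subject; makecert does not remove older copies.
    $cert = Get-ChildItem -Path $StorePath |
        Where-Object { $_.Subject -eq $Subject } |
        Sort-Object NotBefore -Descending |
        Select-Object -First 1

    if (-not $cert) {
        throw "No certificate with subject '$Subject' found in $StorePath"
    }

    # Self-signed: the issuer name is the subject name (-r).
    $isSelfSigned = ($cert.Subject -eq $cert.Issuer)

    # EKU list as OIDs; -eku should have produced the Server Authentication purpose.
    $ekus          = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
    $hasServerAuth = $ekus -contains $ServerAuthOid

    # Validity in whole months, to compare against the -m value.
    $months = [math]::Round(($cert.NotAfter - $cert.NotBefore).TotalDays / 30.4375)

    # Signature hash: -a sha1 gives sha1RSA, the default gives md5RSA.
    $sigAlg = $cert.SignatureAlgorithm.FriendlyName

    $warnings = @(
        if (-not $isSelfSigned)  { 'Issuer differs from subject: not a self-signed certificate' }
        if (-not $hasServerAuth) { "Missing Server Authentication EKU ($ServerAuthOid)" }
        if (-not $cert.HasPrivateKey) { 'No private key is associated with this certificate' }
        if ($sigAlg -match 'md5|sha1') { "Signature uses $sigAlg; modern clients warn on or reject MD5/SHA-1" }
        if ($months -gt $ExpectedMonths) { "Validity of $months months exceeds the expected $ExpectedMonths" }
    )

    [pscustomobject]@{
        Thumbprint         = $cert.Thumbprint
        Subject            = $cert.Subject
        Issuer             = $cert.Issuer
        SelfSigned         = $isSelfSigned
        HasPrivateKey      = $cert.HasPrivateKey
        SignatureAlgorithm = $sigAlg
        EnhancedKeyUsage   = ($ekus -join ',')
        ServerAuthEku      = $hasServerAuth
        ValidMonths        = $months
        NotAfter           = $cert.NotAfter
        Warnings           = ($warnings -join '; ')
    }
}

Test-SelfSignedServerCert -Subject $SubjectName | Format-List
```

Run it from an elevated PowerShell prompt, since LocalMachine\My is only readable in full by administrators. The Warnings field is the part to read: an empty value means the certificate matches the command above, while a SHA-1 or MD5 warning is a reminder that the hash choice in -a is the one setting in the example most likely to cause trouble with newer clients.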

OID Reference
The following Object Identifiers can be used with -eku when making a certificate:

  • Encrypting File System (1.3.6.1.4.1.311.10.3.4)
  • Code Signing (1.3.6.1.5.5.7.3.3)
  • Secure Email (1.3.6.1.5.5.7.3.4)
  • Smart Card Logon (1.3.6.1.4.1.311.20.2.2)
  • Client Authentication (1.3.6.1.5.5.7.3.2)
  • Server Authentication (1.3.6.1.5.5.7.3.1)
  • IP security IKE intermediate (1.3.6.1.5.5.8.2.2)