
I am trying to make a development certificate chain for myself for some testing for WCF. I'm following the instructions on msdn here: How to: Create Temporary Certificates for Use During Development

Unfortunately the instructions don't work. The private key is not exportable. I have even re-tried it with the "-pe" option to makecert.exe and it still doesn't work. I've tried it while running as an administrator and it doesn't work. In mmc itself when using "export" the first screen where it asks about private keys has the "yes/no" option greyed out, and a message below it that says: "The associated private key is marked as not exportable. Only the certificate can be exported."

Any advice? An updated procedure from MSDN maybe, or another one entirely? All I'm looking for is a cert to use with WCF for some basic testing. This is on Windows 8 Pro, though I doubt that matters.

Kevin Anderson

4 Answers


See this SO answer. I used it for a WCF project a few months ago.

Create Certificate Authority

Create a self-signed certificate (-r), with an exportable private key (-pe), using SHA1 (-a), for signing (-sky signature). The private key is written to a file (-sv).

makecert -r -pe -n "CN=My Root Authority" -ss CA -sr CurrentUser ^
         -a sha1 -sky signature -cy authority -sv CA.pvk CA.cer

(^= allow batch command-line to wrap line)

Create Server Certificate

Create a server certificate, with an exportable private key (-pe), using SHA1 (-a) for key exchange (-sky exchange). It can be used as an SSL server certificate (-eku 1.3.6.1.5.5.7.3.1). The issuing certificate is in a file (-ic), as is the key (-iv). Use a particular crypto provider (-sp, -sy).

makecert -pe -n "CN=fqdn.of.server" -a sha1 -sky Exchange ^
         -eku 1.3.6.1.5.5.7.3.1 -ic CA.cer -iv CA.pvk ^
         -sp "Microsoft RSA SChannel Cryptographic Provider" ^
         -sy 12 -sv server.pvk server.cer

pvk2pfx -pvk server.pvk -spc server.cer -pfx server.pfx

You then use the .PFX file in your server app (or install it in IIS). Note that, by default, pvk2pfx doesn't apply a password to the output PFX file. You need to use the -po switch for that.

To make all of your client machines trust it, install CA.cer in their certificate stores (in the Trusted Root Authorities store). If you're on a domain, you can use Windows Group Policy to do this globally. If not, you can use the certmgr.msc MMC snapin, or the certutil command-line utility:

certutil -user -addstore Root CA.cer
laktak

You could always use openssl to create a self-signed certificate, you'd then just import the certificate into the windows certificate store. It's pretty easy to do from the command line:

openssl genrsa -des3 -out privkey.pem 2048
openssl req -new -x509 -key privkey.pem -out cacert.pem -days 1095

The first line generates the private key and the second line the actual self-signed certificate. There's a Win32 installer available.

Jim Nutt
  • Not a bad idea, but I was hoping for an explanation as to why makecert.exe isn't working, even with the -pe option. But as for your answer itself, I'm guessing I'd need to import privkey.pem into the trusted store, and cacert into my "regular" store? Or what? A few more instructions are needed for your answer please. – Kevin Anderson Apr 27 '13 at 03:16
  • Sorry, I've been basically off the internet for the last week or so. What you'll want to do is combine the private key and public portion of the certificate into a PKCS12 file and then import that into your trusted store. You can find instructions for doing that at http://help.globalscape.com/help/secureserver3/Generating_a_PKCS_12_private_key_public_certificate.htm – Jim Nutt May 05 '13 at 03:04
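The following is an added example (my own, not code from laktak's or Jim Nutt's answers) that builds the same two-tier CA/server chain laktak's makecert commands produce, but with openssl, and ends with the PKCS12 bundling Jim Nutt's comment describes. It assumes an openssl CLI (1.1.1 or later) on PATH; the hostname dev.example.test, the CA name and all file names are constructed placeholders.

```shell
# Added example, not code from this page. Assumes the openssl CLI is on PATH;
# "dev.example.test", "My Dev Root Authority" and the file names are placeholders.
set -eu

# make_dev_chain DIR HOSTNAME PFX_PASSWORD
# Produces ca.pem (install this in Trusted Root), server.pem and server.pfx.
make_dev_chain() {
  dir=$1; host=$2; pw=$3
  mkdir -p "$dir"
  # Explicit req config so the CA gets CA:TRUE whatever the system openssl.cnf says
  # (the equivalent of makecert's -r -cy authority).
  cat > "$dir/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = My Dev Root Authority
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  # 1. Self-signed root CA; -nodes leaves the key unencrypted (dev use only).
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1095 \
    -config "$dir/ca.cnf" -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
  # 2. Server key and CSR (the -sky exchange role: an RSA key for key encipherment).
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$dir/ca.cnf" \
    -subj "/CN=$host" -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
  # 3. CA signs it, adding the serverAuth EKU (1.3.6.1.5.5.7.3.1) and a SAN.
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' \
    "$host" > "$dir/server.ext"
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$dir/server.ext" \
    -out "$dir/server.pem" 2>/dev/null
  # 4. Key + cert + issuer into one password-protected PFX (what pvk2pfx -po gives).
  openssl pkcs12 -export -inkey "$dir/server.key" -in "$dir/server.pem" \
    -certfile "$dir/ca.pem" -name "$host" -passout "pass:$pw" -out "$dir/server.pfx"
}

# verify_dev_chain DIR PFX_PASSWORD: chain validates, EKU present, PFX holds a key.
verify_dev_chain() {
  dir=$1; pw=$2
  openssl verify -CAfile "$dir/ca.pem" "$dir/server.pem" >/dev/null 2>&1 || return 1
  openssl x509 -in "$dir/server.pem" -noout -text \
    | grep -q 'TLS Web Server Authentication' || return 1
  openssl pkcs12 -in "$dir/server.pfx" -passin "pass:$pw" -nocerts -nodes 2>/dev/null \
    | grep -q 'PRIVATE KEY' || return 1
}
```

Import server.pfx on the Windows side with the "mark this key as exportable" option ticked, and ca.pem into Trusted Root Certification Authorities.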

For me, it still remains to find out why option -pe is not working.

Answer given in Make exportable private key with makecert and http://www.digitallycreated.net/Blog/38/using-makecert-to-create-certificates-for-development may help you.

It suggests outputting the private key, then generating a PFX file using the certificate and private key, and then importing this PFX file.

doptimusprime
  • That link at digitallycreated is cool, but other than the typos (not major, could work around, with the pvk2pfx technique, they had a filename wrong), you get a SecurityNegotiationException saying that it can't check the revocation status of the cert. I know you can programmatically work around that too, but I want things that *work* 100%. If you can edit in what is wrong with your link's commands, I'll mark you correct, but as-is, it doesn't work. – Kevin Anderson May 01 '13 at 19:18

Try the SSL Diagnostics tool.

You should be able to create your development certificate for IIS without headache:

http://www.softpedia.com/get/Internet/Servers/Server-Tools/SSL-Diagnostics.shtml

And yes, the tool lets you do some diagnostics too.

Only You