
Is it possible to set Key Usage attributes using makecert, or any other tool I can use to generate my own test certificates?

The reason I'm interested is that certificates used for BizTalk Server AS2 transport require a key usage of Digital Signature for signing and Data Encipherment or Key Encipherment for encryption/decryption, and I want to play around with this feature.

I see how to set enhanced key usage attributes with makecert, but not key usage.

nlawalker

4 Answers


While you cannot make a self-signed cert and set the Enhanced Key Usage parameters using makecert, I thought I'd save everyone the trouble of going down the path of using OpenSSL to generate a cert on Windows. Instead, you can use certreq (which is available if you already have makecert) and fashion your own request to set the required parameters.

For example, this sets up a cert with an EKU of Document Encryption (1.3.6.1.4.1.311.80.1) and key usages of Key Encipherment and Data Encipherment.

Create a new file, MyCert.inf:

[Version]
Signature = "$Windows NT$"

[Strings]
szOID_ENHANCED_KEY_USAGE = "2.5.29.37"
szOID_DOCUMENT_ENCRYPTION = "1.3.6.1.4.1.311.80.1"

[NewRequest]
Subject = "cn=me@example.com"
MachineKeySet = false
KeyLength = 2048
KeySpec = AT_KEYEXCHANGE
HashAlgorithm = Sha1
Exportable = true
RequestType = Cert

KeyUsage = "CERT_KEY_ENCIPHERMENT_KEY_USAGE | CERT_DATA_ENCIPHERMENT_KEY_USAGE"
ValidityPeriod = "Years"
ValidityPeriodUnits = "1000"

[Extensions]
%szOID_ENHANCED_KEY_USAGE% = "{text}%szOID_DOCUMENT_ENCRYPTION%"

Just set the Subject to whatever you need.

Then run:

certreq -new MyCert.inf MyCert.cer

This will generate the public key (X509 cert) and install it to your Current User personal store on the machine. You can export it from there if you want.

I used this to generate a certificate for encrypting PowerShell DSC, for testing.


For more details: https://technet.microsoft.com/en-us/library/dn296456.aspx#BKMK_New

kamranicus
  • with `makecert` you can use `-eku` to set extended key usage, but I was looking for a way to set two or more extended key usage. – AaA Aug 24 '17 at 09:16
  • This approach got me around the 'Invalid provider type specified' error I got when using `New-SelfSignedCertificate`. Thanks! – rsbarro Aug 09 '18 at 18:32

Digital Signature, Data Encipherment and Key Encipherment can be added by using the PowerShell Cmdlet New-SelfSignedCertificate. One of the New-SelfSignedCertificate parameters is KeyUsage, where you can add DigitalSignature, DataEncipherment and KeyEncipherment.

New-SelfSignedCertificate is described on technet (https://technet.microsoft.com/library/hh848633)

Sample:

New-SelfSignedCertificate -Type Custom -Subject "CN=sample.com" -KeyUsage DataEncipherment, KeyEncipherment, DigitalSignature -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.1") -CertStoreLocation "Cert:\CurrentUser\My"

The sample covers client authentication (1.3.6.1.5.5.7.3.2) and server authentication (1.3.6.1.5.5.7.3.1) and creates the certificate at the current user store under my.

The used object identifiers in the sample are mentioned in RFC 3280 within section "4.2.1.13 Extended Key Usage".

Florian Haupt
  • I wish I could give this 1000 upvotes. After a day of messing about with makecert and openssl this solved the problem for me. – Jeroen Ritmeijer Feb 25 '19 at 16:40
  • FYI, OID 1.3.6.1.5.5.7.3.2, and 1.3.6.1.5.5.7.3.3 are meant for SSL Client, and Server Authentication, the `-TextExtension` OID for data encipherment is tenuous at best and depends on the platform. Microsoft Crypto 2 file system data encipherment appears to be `1.3.6.1.4.1.311.10.3.4` – Reahreic Feb 28 '23 at 16:27
  • @Reahreic "3" is for code signing, server authentication is "1". I've updated my answer by adding the corresponding RFC and to be more clear on this. None of the OIDs used in the sample is platform specific. FYI Extended key usage can be found within ISO/IEC 9594-8 (2001). – Florian Haupt Apr 27 '23 at 10:01
  • @Florian You're correct, I must have fat fingered that when I typed the comment. Thx for the RFC and ISO refs. I'll take a deeper look into those as I'd only been leveraging `https://oidref.com/` to locate them and was having difficulties locating a File Encipherment OID for offline file en/decipherment. – Reahreic Apr 27 '23 at 11:22
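Whichever route you take (the certreq .inf request in the first answer or New-SelfSignedCertificate in the second), the thing worth checking afterwards is that the Key Usage bits actually landed in the certificate. The script below is an added example, not code from either answer; it creates a test cert with the usages the question needs plus the Document Encryption EKU from the first answer, then reads the Key Usage (2.5.29.15) and Enhanced Key Usage (2.5.29.37) extensions back from the X509Certificate2 object. It assumes Windows PowerShell 5.1 or later with the PKI module (New-SelfSignedCertificate) on Windows 10 / Server 2016 or newer; the subject name is a constructed sample.

```powershell
using namespace System.Security.Cryptography.X509Certificates

# Returns the Key Usage flags set in the cert's 2.5.29.15 extension (None if the extension is absent).
function Get-KeyUsageFlags {
    param([Parameter(Mandatory)][X509Certificate2]$Certificate)
    $ku = $Certificate.Extensions | Where-Object { $_ -is [X509KeyUsageExtension] }
    if ($ku) { return $ku.KeyUsages } else { return [X509KeyUsageFlags]::None }
}

# Returns the Enhanced Key Usage entries (2.5.29.37) as "FriendlyName (OID)" strings; empty if none.
function Get-EkuList {
    param([Parameter(Mandatory)][X509Certificate2]$Certificate)
    $eku = $Certificate.Extensions | Where-Object { $_ -is [X509EnhancedKeyUsageExtension] }
    if (-not $eku) { return @() }
    return @($eku.EnhancedKeyUsages | ForEach-Object { "{0} ({1})" -f $_.FriendlyName, $_.Value })
}

# Create the test cert with the usages BizTalk AS2 needs: signing plus both encipherment bits.
# -Type Custom adds no extensions on its own, so the EKU is supplied as text (Document Encryption OID
# from the certreq answer). Subject is a constructed sample value.
$cert = New-SelfSignedCertificate -Type Custom -Subject "CN=as2test.example.com" `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -KeyUsage DigitalSignature, KeyEncipherment, DataEncipherment `
    -TextExtension @("2.5.29.37={text}1.3.6.1.4.1.311.80.1") `
    -CertStoreLocation "Cert:\CurrentUser\My"

# Compare what the cert carries against what the transport requires; fail loudly if a bit is missing.
$required = [X509KeyUsageFlags]'DigitalSignature, KeyEncipherment, DataEncipherment'
$have     = Get-KeyUsageFlags -Certificate $cert
$missing  = [X509KeyUsageFlags]($required -band (-bnot $have))
if ($missing -ne [X509KeyUsageFlags]::None) {
    throw "Certificate $($cert.Thumbprint) is missing Key Usage bits: $missing"
}
"Key Usage : $have"
"EKU       : $((Get-EkuList -Certificate $cert) -join ', ')"

# The same two checks apply to a cert that certreq installed; fetch it from the store by thumbprint.
# $cert = Get-Item "Cert:\CurrentUser\My\<THUMBPRINT>"   # <THUMBPRINT> is a placeholder
```

If the cert came from a certreq request instead, replace the New-SelfSignedCertificate call with the Get-Item line at the bottom and run the same checks; a Key Usage bit that the .inf did not set shows up in $missing.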

MakeCert doesn't let you specify key usage, only extended key usage. I think you need a CA to create a broader certificate.

You can set up your own CA with Ubuntu Server. https://www.digitalocean.com/community/tutorials/how-to-create-a-ssl-certificate-on-apache-for-ubuntu-14-04

VoteCoffee

You can use the -eku option to specify the key usage to your certificate.

See details here: http://msdn.microsoft.com/en-us/library/aa386968(VS.85).aspx

Zé Carlos
  • -eku lets you set *extended* key usages, not key usages. – nlawalker Jun 09 '10 at 20:55
  • Hum, I see... In that case I suggest you try to use OpenSSL to generate your cert. I don't know the answer for your concrete problem using OpenSSL but it is a powerful tool (better than makecert in my opinion). I suggest you add the "openssl" tag to your question and change the title to "makecert/OpenSSL". Perhaps that way you will get more helpful answers. Regards – Zé Carlos Jun 10 '10 at 11:41