18

I am using Windows 10. I don't have the makecert.exe, which I came to know when I tried to run commands to generate certificates like makecert.exe
I get error :

'makecert' is not recognised as an internal or external command, operable program or batch file.

and I already installed windows SDK for windows 10.

alex.pulver
  • 2,107
  • 2
  • 31
  • 31
Te7a
  • 193
  • 1
  • 1
  • 5

6 Answers6

23

It may be installed but it's probably just not in the path.

For instance, I can find it under C:\Program Files (x86)\Windows Kits\10\bin\10.0.16299.0\x64 but I can also find another one under C:\Program Files (x86)\Windows Kits\10\bin\10.0.16299.0\x86. Exact versions in the path will vary based on which exact version of the SDK you've installed.

Neither of those paths are in my PATH environment variable though (and I don't remember explicitly removing it after installing the SDK), so I can't just say makecert at the command line, I have to give a full path to the one I want to run.

A handy way to try to find where you have copies is the where command. Here I've limited my search to the SDKs directory but you can search your whole hard drive if you want:

C:\Users\Damien>where /R "C:\Program Files (x86)\Windows Kits" makecert.*
C:\Program Files (x86)\Windows Kits\10\bin\10.0.16299.0\arm64\makecert.exe
C:\Program Files (x86)\Windows Kits\10\bin\10.0.16299.0\x64\makecert.exe
C:\Program Files (x86)\Windows Kits\10\bin\10.0.16299.0\x86\makecert.exe
Damien_The_Unbeliever
  • 234,701
  • 27
  • 340
  • 448
  • firstly thank you for your answer, but in this path i don't find the makecert. !! – Te7a Jul 19 '18 at 09:08
  • 1
    @Te7a - do you *have* these paths, (or similar, accounting for version differences)? If so, do they contain *anything*? If they contain some programs but not makecert specifically, I'd look to re-run the SDK installer and see if you've missed out some optional components that turn out to include makecert. – Damien_The_Unbeliever Jul 19 '18 at 09:12
  • "Windows Kits" is not part of a standard Windows 10 installation. – OMA Nov 08 '20 at 22:26
  • Thank you, I've added those paths to my previous path list – XouDo Oct 20 '22 at 14:29
12

Currently makecert is depreciated, the new way with powershell 'New-SelfSignedCertificate' (as admin), for example:

1.- We create a new root trusted cert:
$rootCert = New-SelfSignedCertificate -Subject 'CN=TestRootCA,O=TestRootCA,OU=TestRootCA' -KeyExportPolicy Exportable -KeyUsage CertSign,CRLSign,DigitalSignature -KeyLength 2048 -KeyUsageProperty All -KeyAlgorithm 'RSA' -HashAlgorithm 'SHA256'  -Provider 'Microsoft Enhanced RSA and AES Cryptographic Provider'

2.- We create the cert from the root trusted cert chain:
New-SelfSignedCertificate -DnsName "localhost" -FriendlyName "MyCert" -CertStoreLocation "cert:\LocalMachine\My" -Signer $rootCert -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.1") -Provider "Microsoft Strong Cryptographic Provider" -HashAlgorithm "SHA256" -NotAfter (Get-Date).AddYears(10)

3.- We copy the thumbprint returned by the last command

4.- (If neccesary) We remove the last association ip/port/cert:
netsh http delete sslcert ipport=0.0.0.0:443

5.- We associate the new certificate with any ip and port 443 (the appid value does not matter, is any valid guid):
netsh http add sslcert ipport=0.0.0.0:443 appid='{214124cd-d05b-4309-9af9-9caa44b2b74a}' certhash=here_the_copied_thumbprint

6.- Now, you must open MMC (Certificates Local Computer) and drag and drop the 'TestRootCA' certificate from your 'Personal/Certificates' subfolder to 'Trusted Root Certification Authorities/Certificates' subfolder.

These commands also resolve the error ERR_CERT_WEAK_SIGNATURE_ALGORITHM returned later by Google Chrome because the certificate is created with SHA1 instead of SHA256

beer73
  • 306
  • 3
  • 10
  • This worked great! Thank you. Can you cite where makecert.exe is listed as deprecated? – slolife Jan 15 '21 at 00:43
  • @slolife, see https://learn.microsoft.com/en-us/windows/win32/seccrypto/makecert – BuvinJ Jan 22 '21 at 13:48
  • Note `New-SelfSignedCertificate` reqiures PowerShell v.4 or newer (which equates to an out of the box Windows v8.1 / Windows Server 2012 R2 or later). – BuvinJ Jan 22 '21 at 13:59
  • Fantastic, worked! – m1m1k Sep 29 '21 at 18:48
  • This works great until point 6. I can't find the folder to drag into MMC. Where to find it? – Lars Ljungberg Aug 25 '22 at 14:42
  • For use snap certificates in MMC see https://learn.microsoft.com/en-us/dotnet/framework/wcf/feature-details/how-to-view-certificates-with-the-mmc-snap-in or you can also search directly "certlm.msc". – beer73 Jan 18 '23 at 20:51
8

If you have Fiddler installed, Fiddler comes with makecert.exe as well. It is located at

C:\Users\<yourwindowslogin>\AppData\Local\Programs\Fiddler\makecert.exe
Jeson Martajaya
  • 6,996
  • 7
  • 54
  • 56
7

This is how I installed the makecert.exe file

(Note: I Installed Windows 10 SDK first, but, this version does not install makecert.exe in the "bin" directory. No problem!)

  1. Downloaded the Windows SDK version 7.1 ISO from https://www.microsoft.com/en-us/download/details.aspx?id=8279
  2. The name of the ISO I downloaded is GRMSDK_EN_DVD.iso
  3. Navigate to download directory and MOUNT this ISO (there is software that makes mounting in windows 7/10 easy)
  4. Once mounted, navigate to directory in ISO called "Setup\WinSDKTools" you will see two files in this directory. One is "WinSDKTools_x86.msi" and the other is "cab1.cab"
  5. Copy these two files to an empty directory on your hard drive
  6. From your hard drive go to the directory where you copied these files and right click on "WinSDKTools_x86.msi" then chose Install
  7. Look on your hard drive for a newly created directory at "C:\Program Files (x86)\Microsoft SDKs\Windows\v7.1\Bin"
  8. Makecert.exe should now be in this new directory along with some other applications and folders
  9. Profit?
Rob
  • 45,296
  • 24
  • 122
  • 150
Seonji
  • 71
  • 1
  • 1
  • Thanks! This worked perfectly, except I had to guess which of the three ISO files offered I should download, "GRMSDK_EN_DVD.iso", "GRMSDKIAI_EN_DVD.iso" or "GRMSDKX_EN_DVD.iso" (not straightforward at all, why does Microsoft make you choose between these 3 cryptically named files as if you had to know what those names meant?!). I just went with the first ISO and, surely enough, Makecert.exe was there, great! But, why is it only present in the SDK for Windows 7? It hasn't ever been updated since more than a decade ago?! – OMA Nov 08 '20 at 22:39
  • Makecert.exe went from being deprecated, to no longer being included in the SDK at all. The new solution is to use PowerShell (as noted in other answers). If you need it, you'll have to acquire a legacy copy of the SDK. I believe the last one it came with was in the `10.0.18362.0` kit. – BuvinJ Jan 22 '21 at 13:43
2

I know it's too late now, but I solved this problem by installing an old Windows 10 SDK version:

Lucas Lins Pereira
  • 46
  • 2
1

i just download this file and move it to c:/winwdows/system32

https://onedrive.live.com/?authkey=%21AKVU0sMEK182FF0&id=26E0E257BE82A39E%2127335&cid=26E0E257BE82A39E

then run my command like this in command prompt:

Makecert -r -pe -n CN="MycomputerCertificate" -b 01/01/2020 -e 12/22/2030 -eku 1.3.6.1.5.5.7.3.1 -ss my -sr localmachine -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12

hossein andarkhora
  • 740
  • 10
  • 23