MakeCert

MakeCert (Makecert.exe) is a command-line CryptoAPI tool that creates an X.509 certificate that is signed by a system test root key or by another specified key. The certificate binds a certificate name to the public part of the key pair. The certificate is saved to a file, a system certificate store, or both.

MakeCert supports a large number of switches but this section only describes the basic switches that are relevant to creating a test certificate that can be used to test-sign a driver package or embed a signature in a driver file.

    MakeCert [/b DateStart] [/e DateEnd] [/len KeyLength] [/m nMonths] [/n "Name"] [/pe] [/r] [/sc SubjectCertFile] [/sk SubjectKey] [/sr SubjectCertStoreLocation] [/ss SubjectCertStoreName] [/sv SubjectKeyFile] OutputFile

Partial list of switches and arguments

/b DateStart
Specifies the start date when the certificate first becomes valid. The format of DateStart is mm/dd/yyyy.

If the /b switch is not specified, the default start date is the date when the certificate is created.

/e DateEnd
Specifies the end date when the certificate's validity period ends. The format of DateEnd is mm/dd/yyyy.

If the /e switch is not specified, the default end date is 12/31/2039.

/len KeyLength
Specifies the length, in units of bits, of the subject's private and public keys.

If the /len switch is not specified, the default key length is 1024 bits.

/m nMonths
Specifies the number of months starting from the start date during which the certificate will remain valid.

/n "Name"
Specifies a name for the certificate. This name must conform to the X.500 standard. The simplest method is to use the "CN=MyName" format.

If the /n switch is not specified, the default name of the certificate is "Joe's Software Emporium".

/pe
Configures MakeCert to make the private key that is associated with the certificate exportable.

/r
Configures MakeCert to create a self-signed root certificate.

/sc SubjectCertFile
Specifies the name of the subject's certificate file that contains the existing subject public key to be used.

/sk SubjectKey
Specifies the name of the subject's key container that holds the private key. If the key container does not exist, a new key container is created. If neither the /sk nor the /sv switch is specified, a default key container is created and used.

/sr SubjectCertStoreLocation
Specifies the registry location of the certificate store. The SubjectCertStoreLocation argument must be either of the following:

currentUser
Specifies the registry location HKEY_CURRENT_USER.

localMachine
Specifies the registry location HKEY_LOCAL_MACHINE.

If the /sr switch is not specified along with the /ss switch, currentUser is the default.

/ss SubjectCertStoreName
Specifies the name of the certificate store where the generated certificate is saved.

/sv SubjectKeyFile
Specifies the name of the subject's .pvk file that holds the private key. If neither the /sk nor the /sv switch is specified, a default key container is created and used.

OutputFile
The name of the file in which the generated certificate is saved.

Comments

MakeCert supports a large number of switches. The switches described in this topic are limited to the ones that you can use to create a test certificate.

For a complete list of MakeCert parameters, see the MakeCert website and the Using MakeCert website.

A 32-bit version of the MakeCert tool is located in the bin\i386 folder of the WDK. A 64-bit version of the tool is located in the bin\amd64 and bin\ia64 folders of the WDK.

Examples

In the following example, the MakeCert command generates a self-signed test certificate named "Contoso.com(Test)," installs the test certificate in the PrivateCertStore certificate store, and creates the Testcert.cer file, which contains a copy of the test certificate.

    MakeCert -r -pe -ss PrivateCertStore -n "CN=Contoso.com(Test)" testcert.cer
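
The defaults documented above (1024-bit key, end date of 12/31/2039, default subject name) are easy to pick up by omission. The following PowerShell check is an added example, not part of the original MakeCert documentation: it lists the certificates in the store used in the example and flags those defaults. The function name `Get-TestCertFinding` and the 2048-bit and 365-day thresholds are assumptions made for illustration.

```powershell
# Added example; the function name and thresholds are assumptions, not WDK values.
function Get-TestCertFinding {
    param(
        [string]$StorePath    = 'Cert:\CurrentUser\PrivateCertStore', # store used in the page's example
        [int]   $MinKeyBits   = 2048,  # assumed minimum key length
        [int]   $MaxValidDays = 365    # assumed maximum lifetime for a test certificate
    )
    if (-not (Test-Path -Path $StorePath)) {
        Write-Warning "Certificate store not found: $StorePath"
        return
    }
    foreach ($cert in Get-ChildItem -Path $StorePath) {
        $issues = @()

        # /len omitted: MakeCert falls back to a 1024-bit key.
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
        if ($rsa -and $rsa.KeySize -lt $MinKeyBits) {
            $issues += "key length $($rsa.KeySize) bits"
        }

        # /e and /m omitted: the certificate stays valid until 12/31/2039.
        $days = [int]($cert.NotAfter - $cert.NotBefore).TotalDays
        if ($days -gt $MaxValidDays) {
            $issues += "valid $days days, until $($cert.NotAfter.ToString('yyyy-MM-dd'))"
        }

        # /n omitted: the subject is the documented default name.
        if ($cert.Subject -like "*Joe's Software Emporium*") {
            $issues += 'default subject name'
        }

        [pscustomobject]@{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            SelfSigned    = ($cert.Subject -eq $cert.Issuer)  # expected with /r
            HasPrivateKey = $cert.HasPrivateKey               # key material lives on this machine
            Issues        = $issues -join '; '
        }
    }
}

Get-TestCertFinding | Format-List
```

Passing /len and either /e or /m on the MakeCert command line avoids the first two findings.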