Create a Self-Signed, Token-Signing Certificate

Applies To: Windows Server 2008

You can use the following procedure to create a self-signed, code-signing certificate that also creates and installs a private key. To perform this procedure, use the Makecert.exe utility. Makecert.exe is available in the Microsoft® Windows® Software Development Kit for Windows Server 2008 and .NET Framework 3.5 (

Membership in Administrators, or equivalent, on the local computer is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (

To create a self-signed, token-signing certificate

  1. Open a command prompt.

  2. Type the appropriate makecert syntax.

    Example command:

    makecert -r -pe -n "CN=CertForADFS" -b 01/01/2006 -e 01/01/2007 -eku -ss my -sr localMachine -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 "CertForADFS.cer"


Track certificate expiration dates to make sure that certificates are replaced before they expire. You can do this using the Active Directory Federation Services snap-in for certificates of the current organization and also for partners that you configure in the trust policy.

Additional references

MakeCert (