Question

I am trying to generate a self signing certificate but am unable to accomplish it. I am using this command to create a self signing certificate authority:

makecert -n "CN=PowerShell Local Certificate Root" -a sha1 -eku 1.3.6.1.5.5.7.3.3 -r -sv root.pvk root.cer -ss Root -sr localMachine

Which by all accounts works, and I can view the new entry under the Trusted Root Certification Authorities.

Next I use the following command to create a signing certificate:

makecert -pe -n "CN=PowerShell User" -ss MY -a sha1 -eku 1.3.6.1.5.5.7.3.3 -iv root.pvk -ic root1.cer

But the command fails with:

Error: Can't load the issuer certificate ('root1.cer')
Failed

I was of the impression that the -ic switch would create the root1.cer file, but the error seems to indicate that it can't load it? Where am I going wrong with this?


Solution

When attempting to create a self-signed certificate, it does not require another certificate to generate it, because, as the name states, it is self-signed (it holds the private key with which it was created).

When creating a common certificate you should provide a parent to make use of it. When verifying authenticity of this child certificate you should also have the parent certificate installed on your machine. This is the concept of Chain Trust.

See in your 'Local Machine' store, under trusted root certificates, you should have .cer from many Authority Agencies, such as Verisign for instance.

-iv Stands for Issuer's Private Key. (Parent .pvk)

-ic Stands for Issuer's Certificate. (Parent .cer)

OTHER TIPS

In your first command, you created root.cer.

makecert [...] -r -sv root.pvk root.cer -ss Root -sr localMachine

In your second command, you told it that the issuer certificate was in root1.cer (with the parameter "-ic root1.cer"). That is what led to the error message that it could not find root1.cer.

So, change the 'root1.cer' in the second command to 'root.cer'. It should look like this:

makecert -pe -n "CN=PowerShell User" -ss MY -a sha1 -eku 1.3.6.1.5.5.7.3.3 -iv root.pvk -ic root.cer -sv powershelluser.pvk powershelluser.cer

This does the following:

  1. Generates a new key, placing it in powershelluser.pvk.
  2. Uses the key in root.pvk to sign the new certificate, and uses the information in root.cer to set the Issuer of that new certificate.
  3. Writes the new certificate to powershelluser.cer, and also writes it to the "Personal" certificates store in CurrentUser.
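
A check to run after the corrected command above, added here as an example and not part of the original answers: it loads root.cer and powershelluser.cer, confirms that the issuer name matches and that the chain builds up to root.cer, and reports the code-signing EKU and the signature algorithm. The function name Test-IssuedCertificate is hypothetical; the file names are the ones used in the commands above.

```powershell
# Added example. Test-IssuedCertificate is a hypothetical helper name.
function Test-IssuedCertificate {
    param(
        [Parameter(Mandatory = $true)] [string] $IssuerPath,      # the -ic file, e.g. root.cer
        [Parameter(Mandatory = $true)] [string] $CertificatePath  # the issued file, e.g. powershelluser.cer
    )

    # A wrong -ic file name (root1.cer instead of root.cer) is caught here.
    foreach ($path in $IssuerPath, $CertificatePath) {
        if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
            throw "Certificate file not found: $path"
        }
    }

    # Resolve to full paths: .NET does not follow PowerShell's current location.
    $issuerFile = (Resolve-Path -LiteralPath $IssuerPath).ProviderPath
    $certFile   = (Resolve-Path -LiteralPath $CertificatePath).ProviderPath
    $issuer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $issuerFile
    $cert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $certFile

    # Compare the DER-encoded names rather than their display strings.
    $b64 = { param($bytes) [Convert]::ToBase64String($bytes) }
    $selfSigned  = (& $b64 $issuer.SubjectName.RawData) -eq (& $b64 $issuer.IssuerName.RawData)
    $nameMatches = (& $b64 $cert.IssuerName.RawData) -eq (& $b64 $issuer.SubjectName.RawData)

    # Build the chain with the issuer file supplied explicitly.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Assumption: these makecert test certificates publish no revocation information.
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    [void]$chain.ChainPolicy.ExtraStore.Add($issuer)
    $built = $chain.Build($cert)   # $true only if the chain ends in a trusted root
    $top   = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    # Collect the Enhanced Key Usage OIDs (extension OID 2.5.29.37).
    $ekuOids = @($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } |
        ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object { $_.Value })

    [pscustomobject]@{
        Subject            = $cert.Subject
        Issuer             = $cert.Issuer
        IssuerIsSelfSigned = $selfSigned
        IssuerNameMatches  = $nameMatches
        ChainBuilt         = $built
        ChainEndsAtIssuer  = $top.Thumbprint -eq $issuer.Thumbprint
        ChainStatus        = @($chain.ChainStatus | ForEach-Object { $_.Status })
        HasCodeSigningEku  = $ekuOids -contains '1.3.6.1.5.5.7.3.3'
        SignatureAlgorithm = $cert.SignatureAlgorithm.FriendlyName
    }
}

Test-IssuedCertificate -IssuerPath .\root.cer -CertificatePath .\powershelluser.cer
```

ChainBuilt depends on root.cer being in a trusted root store, which the first command's `-ss Root -sr localMachine` takes care of; an empty ChainStatus means no chain errors were reported.
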
Licensed under: CC-BY-SA with attribution