Why does creating my self signing certificate fail?
20-12-2019
Question
I am trying to generate a self signing certificate but am unable to accomplish it. I am using this command to create a self signing certificate authority:
makecert -n "CN=PowerShell Local Certificate Root" -a sha1 -eku 1.3.6.1.5.5.7.3.3 -r -sv root.pvk root.cer -ss Root -sr localMachine
Which by all accounts works, and I can view the new entry under the Trusted Root Certification Authorities.
Next I use the following command to create a signing certificate:
makecert -pe -n "CN=PowerShell User" -ss MY -a sha1 -eku 1.3.6.1.5.5.7.3.3 -iv root.pvk -ic root1.cer
But the command fails with:
Error: Can't load the issuer certificate ('root1.cer')
Failed
I was of the impression that the -ic switch would create the root1.cer file, but the error seems to indicate that it can't load it? Where am I going wrong with this?
Solution
When attempting to create a self-signed certificate, it does not require another certificate to generate it, because, as the name states, it is self-signed (it holds the private key with which it was created).
When creating a common certificate, you should provide a parent to make use of it. When verifying the authenticity of this child certificate, you should also have the parent certificate installed on your machine. This is the concept of chain trust.
See in your 'Local Machine' store: under Trusted Root Certification Authorities, you should have .cer files from many certificate authorities, such as Verisign, for instance.
-iv : stands for Issuer's Private Key (parent .pvk)
-ic : stands for Issuer's Certificate (parent .cer)
OTHER TIPS
In your first command, you created root.cer.
makecert [...] -r -sv root.pvk root.cer -ss Root -sr localMachine
In your second command, you told it that the issuer certificate was in root1.cer (with the parameter "-ic root1.cer"). That is what led to the error message that it could not find root1.cer.
So, change the 'root1.cer' in the second command to 'root.cer'. It should look like this:
makecert -pe -n "CN=PowerShell User" -ss MY -a sha1 -eku 1.3.6.1.5.5.7.3.3 -iv root.pvk -ic root.cer -sv powershelluser.pvk powershelluser.cer
This does the following:
- Generates a new key, placing it in powershelluser.pvk.
- Uses the key in root.pvk to sign the new certificate, and uses the information in root.cer to set the Issuer of that new certificate.
- Writes the new certificate to powershelluser.cer, and also writes it to the "Personal" certificates store in CurrentUser.
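The following PowerShell script is an added example and is not part of the original question or either answer. It runs the corrected two-step makecert sequence above and then performs the check a practitioner would want afterwards: it confirms that -iv/-ic point at files that already exist, that the leaf certificate's Issuer field equals the root's Subject, and that a chain builds from the leaf to the root placed in LocalMachine\Root. It assumes makecert.exe from the Windows SDK is on PATH and that the session is elevated, which the -sr localMachine step requires; the file names are the ones used in the answer.

```powershell
# Added example (not from the original question or answers): corrected makecert
# sequence followed by a chain check. Assumes makecert.exe is on PATH and an
# elevated session (needed for -sr localMachine).
$ErrorActionPreference = 'Stop'

$rootPvk  = 'root.pvk'
$rootCer  = 'root.cer'
$leafPvk  = 'powershelluser.pvk'
$leafCer  = 'powershelluser.cer'
$codeSign = '1.3.6.1.5.5.7.3.3'   # Code Signing EKU, as in the original commands

# 1. Self-signed root. -r makes it self-signed, so no -iv/-ic is involved here.
& makecert -n 'CN=PowerShell Local Certificate Root' -a sha1 -eku $codeSign -r `
    -sv $rootPvk $rootCer -ss Root -sr localMachine
if ($LASTEXITCODE -ne 0) { throw "makecert (root) failed with exit code $LASTEXITCODE" }

# 2. Leaf signed by the root. -iv and -ic only READ the issuer files, so they
#    must already exist; this is the check the original 'root1.cer' typo failed.
foreach ($f in $rootPvk, $rootCer) {
    if (-not (Test-Path $f)) { throw "Issuer file '$f' not found; -iv/-ic do not create it" }
}
& makecert -pe -n 'CN=PowerShell User' -ss MY -a sha1 -eku $codeSign `
    -iv $rootPvk -ic $rootCer -sv $leafPvk $leafCer
if ($LASTEXITCODE -ne 0) { throw "makecert (leaf) failed with exit code $LASTEXITCODE" }

# 3. The answer's point: -ic sets the Issuer of the new certificate from root.cer,
#    so the leaf's Issuer must equal the root's Subject.
$root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 ((Resolve-Path $rootCer).Path)
$leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 ((Resolve-Path $leafCer).Path)
if ($leaf.Issuer -ne $root.Subject) {
    throw "Leaf issuer '$($leaf.Issuer)' does not match root subject '$($root.Subject)'"
}

# 4. Build the chain for the Code Signing application policy. Because the root
#    was written to LocalMachine\Root, the chain should close without any
#    'allow unknown CA' flag. Revocation checking is disabled because makecert
#    certificates carry no CRL distribution point.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode =
    [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$chain.ChainPolicy.ApplicationPolicy.Add((New-Object System.Security.Cryptography.Oid $codeSign))
if (-not $chain.Build($leaf)) {
    $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    throw "Chain did not build: $status"
}
"Chain OK: $($leaf.Subject) -> $($root.Subject)"

# 5. The leaf was also written to CurrentUser\My (-ss MY), so it should appear
#    among the code-signing certificates usable with Set-AuthenticodeSignature.
Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { $_.Subject -eq 'CN=PowerShell User' }
```

If step 4 reports an untrusted root, the first makecert call did not actually land the root in the Local Machine store (typically because the session was not elevated); re-running it from an elevated prompt, or importing root.cer into Trusted Root Certification Authorities, makes the chain close.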