Question

Is it possible to use makecert to create self-signed certificates with a specific key usage property?

I need to generate a self-signed certificate for testing. It must have the "Digital Signature" and "Non-repudiation" values on the "Key Usage" property, as described in RFC 3280 section 4.2.1.3.

I have tried some variations with the "-sky" option, such as "3" (bit 0 and bit 1 set) and "1,2". The first is not accepted and the second creates a certificate but it doesn't seem to have the "KeyUsage" property set.

Please note that this doesn't refer to "-eku" (extended key usage).

This is the script I'm using:

makecert -r -pe -n "CN=cte-dev-CA" -ss CA -sr CurrentUser -a sha1 -sky signature -sv cte-dev-CA.pvk cte-dev-CA.cer

certutil -user -addstore Root cte-dev-CA.cer

makecert -pe -n "CN=cte-dev-SPC" -eku 1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4 -a sha1 -sky signature -ic cte-dev-CA.cer -iv cte-dev-CA.pvk -sv cte-dev-SPC.pvk cte-dev-SPC.cer

pvk2pfx -pvk cte-dev-SPC.pvk -spc cte-dev-SPC.cer -pfx cte-dev-SPC.pfx -po my-password

Solution

There is no argument for makecert that affects the "Key Usage" field of the created certificate. At least, I have also been unable to find one.
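
Added example (not part of the original answer and not a makecert feature): standard-library Python that encodes and decodes the Key Usage extension value defined in RFC 3280 section 4.2.1.3, so a test certificate's extension bytes can be checked for digitalSignature and nonRepudiation. The function names and the sample extension bytes are constructed for illustration.

```python
# Added example: X.509 Key Usage (RFC 3280 section 4.2.1.3) as a DER BIT STRING.
KEY_USAGE_BITS = [  # index in this list == bit number in the RFC
    "digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
    "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly",
]
KEY_USAGE_OID_TLV = bytes.fromhex("0603551d0f")  # OID 2.5.29.15
# Constructed sample: Extension { keyUsage, critical=TRUE, OCTET STRING { BIT STRING } }
SAMPLE_EXTENSION = bytes.fromhex("300e0603551d0f0101ff0404030206c0")


def encode_key_usage(names):
    """Return the DER BIT STRING (tag, length, unused-bit count, bits)."""
    unknown = set(names) - set(KEY_USAGE_BITS)
    if unknown:
        raise ValueError(f"unknown key usage: {sorted(unknown)}")
    bits = [name in names for name in KEY_USAGE_BITS]
    if not any(bits):
        raise ValueError("at least one key usage bit must be set")
    while not bits[-1]:
        bits.pop()                      # DER drops trailing zero bits
    unused = -len(bits) % 8
    bits += [False] * unused            # pad to a whole number of bytes
    body = bytes(sum(bit << (7 - i) for i, bit in enumerate(bits[o:o + 8]))
                 for o in range(0, len(bits), 8))
    return bytes([0x03, len(body) + 1, unused]) + body


def decode_key_usage(bit_string):
    """Return the usage names set in a DER BIT STRING."""
    if (len(bit_string) < 4 or bit_string[0] != 0x03
            or bit_string[1] != len(bit_string) - 2 or bit_string[2] > 7):
        raise ValueError("not a well-formed DER BIT STRING")
    body = bit_string[3:]
    total = len(body) * 8 - bit_string[2]
    return [name for i, name in enumerate(KEY_USAGE_BITS)
            if i < total and body[i // 8] & (0x80 >> (i % 8))]


def key_usage_from_extension(ext):
    """Parse one keyUsage Extension SEQUENCE; return (critical, usages)."""
    if len(ext) < 13 or ext[0] != 0x30 or ext[1] != len(ext) - 2:
        raise ValueError("not a short-form DER SEQUENCE")
    if ext[2:7] != KEY_USAGE_OID_TLV:
        raise ValueError("extension is not keyUsage (2.5.29.15)")
    pos, critical = 7, False
    if ext[pos] == 0x01:                # optional BOOLEAN 'critical'
        critical, pos = ext[pos + 2] != 0, pos + 3
    if ext[pos] != 0x04 or ext[pos + 1] != len(ext) - pos - 2:
        raise ValueError("missing OCTET STRING wrapper")
    return critical, decode_key_usage(ext[pos + 2:])
```

In DER, bit 0 is the most significant bit of the first content byte, so digitalSignature plus nonRepudiation encodes as 0xC0 with six unused bits, not as the integer 3.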

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow