Question

I'm trying to create a website which uses SSL with a self-signed certificate.

Here's what I do:

Create authority certificate:

makecert -n "CN=root signing authority" -r -sv root.pvk root.cer

Create target certificate:

makecert -r -pe -n "CN=localhost" -b 01/01/2012 -e 01/01/2020 -sky exchange localhost.cer -sv localhost.pvk

Sign the created certificate:

makecert -ic root.cer -iv root.pvk -n "CN=localhost" -sv localhost.pvk -pe -sky exchange localhost.cer

Create a certificate with private key inside:

pvk2pfx.exe -pvk localhost.pvk -spc localhost.cer -pfx localhost.pfx

Now, I want to use Firefox for debugging the website. To do that, I need to import the authority root certificate (root.cer) into the trusted certificate list.

However, when I'm trying to do this, I'm getting the following error message:

This is not a certificate authority certificate, so it can't be imported into the certificate authority list.

I've done something similar with Fiddler's authority certificate, and it went fine, which means that there's a problem with my process of creating the authority certificate.

How do I properly create certificate authority certificates?


Solution

Maybe you could try adding the -cy authority parameter on the root certificate creation, like this:

makecert -n "CN=root signing authority" -cy authority -r -sv root.pvk root.cer

Thus you declare you are creating an authority certificate and that should do the job... or at least put you on track =)

I tried myself to create a root certificate using this command line and to import it into Firefox: I can confirm that if you don't add the "-cy" parameter, Firefox will not consider that a valid root certificate.

Hope that helps!
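
Added example, not part of the original answer: a PowerShell check that reports whether a certificate is marked as a certificate authority, run against two throwaway certificates built in memory, one without the CA flag and one with it. It assumes the CA marking is carried in the X.509 Basic Constraints extension and that PowerShell 7 (or Windows PowerShell 5.1 on .NET Framework 4.7.2 or later) is available; `Get-CaStatus`, `New-SampleCert` and the sample subject names are hypothetical.

```powershell
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

# Report whether a certificate is marked as a certificate authority.
function Get-CaStatus {
    param([Parameter(Mandatory)][X509Certificate2]$Certificate)
    # .NET exposes Basic Constraints as a typed extension object.
    $bc = $Certificate.Extensions |
        Where-Object { $_ -is [X509BasicConstraintsExtension] } |
        Select-Object -First 1
    [pscustomobject]@{
        Subject             = $Certificate.Subject
        HasBasicConstraints = $null -ne $bc
        IsCA                = ($null -ne $bc) -and $bc.CertificateAuthority
    }
}

# Hypothetical helper: builds a throwaway self-signed certificate in memory
# so the check can be run without makecert output on disk.
function New-SampleCert {
    param([Parameter(Mandatory)][string]$Subject, [switch]$Authority)
    $rsa = [RSA]::Create(2048)
    $hash = [HashAlgorithmName]::SHA256
    $req = [CertificateRequest]::new($Subject, $rsa, $hash, [RSASignaturePadding]::Pkcs1)
    if ($Authority) {
        # cA = true, no path length limit, extension marked critical
        $bcExt = [X509BasicConstraintsExtension]::new($true, $false, 0, $true)
        $req.CertificateExtensions.Add($bcExt)
    }
    $now = [DateTimeOffset]::UtcNow
    $req.CreateSelfSigned($now.AddMinutes(-5), $now.AddDays(1))
}

# Constructed samples: one without the CA flag, one with it.
$samples = @(
    New-SampleCert -Subject 'CN=sample-plain'
    New-SampleCert -Subject 'CN=sample-authority' -Authority
)
$samples | ForEach-Object { Get-CaStatus -Certificate $_ } | Format-Table -AutoSize

# To check a file produced by makecert instead:
# Get-CaStatus -Certificate ([X509Certificate2]::new((Resolve-Path .\root.cer).Path))
```

Running the same check on root.cer before importing it into a browser shows whether the file would be treated as an authority certificate.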

OTHER TIPS

Two of the best and simplest help pages:

https://blogs.msdn.microsoft.com/benjaminperkins/2014/05/05/make-your-own-ssl-certificate-for-testing-and-learning/

https://blog.jayway.com/2014/09/03/creating-self-signed-certificates-with-makecert-exe-for-development/

Some examples:

certmgr.exe -add -all -c "benperkmeCA.cer" -s -r localMachine Root

makecert -pe -iv benperkmeCA.pvk -n "CN=benjamin-perkins.me" -eku 1.3.6.1.5.5.7.3.1 -ss my -sr localmachine -sky exchange -ic BenperkmeCA.cer IIS-ServerCert-Benperk.cer

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow