Question

I want to create an X509 certificate for testing purposes. This certificate has to be shared by 3 developers on their local machines (i.e. all share the same certificate so we can use the same thumbprint).

So the private key in this certificate has to be exportable.

I create a certificate with the following command:

makecert -r -pe -n "CN=mytestsite.local" -b 01/01/2000 -e 01/01/2036 -ss my -sr localMachine -sky exchange localhost.cer

This certificate works fine, but the trouble is that the isValid argument has to be false when calling Certificates.Find...

    using System.Linq;
    using System.Security.Cryptography.X509Certificates;

    var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
    store.Open(OpenFlags.ReadOnly);

    // Third argument of Find is validOnly: with true the self-signed test certificate is not returned.
    var cert = store.Certificates.Find(
                        X509FindType.FindByThumbprint,
                        Config.PdfCertificateThumbprint,
                        false  //********************* This has to be false.
                      ).OfType<X509Certificate>().FirstOrDefault();

    store.Close();

As soon as I set that IsValid property to True, my certificate is no longer returned by the Find method. Why would makecert generate an "invalid" certificate? Or how do I figure out why the certificate is deemed invalid?


Solution

Well, it's because it's not issued by a "Trusted Certificate Authority" like the "real" SSL certificates used on the internet (for example, issued by VeriSign).

What you can do locally to make it work is to add the certificate manually to the Trusted Certificates for your user and/or local machine. But this procedure must be done by everyone using it until you obtain a valid SSL certificate issued by a CA (certificate authority).

But your question points to the scenario where it's for dev purposes only, so what you can do is either manually add the certificate to Trusted, or override the certificate validation mechanism in .NET and write code that will consider your certificate valid.

OTHER TIPS

You might want to experiment with the following setting that can be used in client config to bypass the certificate validation process:

    <serviceCertificate>
      <authentication certificateValidationMode="None"
                      revocationMode="NoCheck" />
    </serviceCertificate>

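As an added illustration (not code from the question or either answer), the following C# shows how to see for yourself why `validOnly: true` rejects the makecert certificate: it looks the certificate up the way the question does, then rebuilds the chain that `validOnly` evaluates and prints each `X509ChainStatus` flag. It also shows a narrower alternative to `certificateValidationMode="None"`: accept only the one pinned dev thumbprint and only waive the unknown-root check, so expiry and signature checks still apply. The thumbprint string and the `DevCertDiagnostics` class name are assumptions for the example.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography.X509Certificates;

static class DevCertDiagnostics
{
    // Same lookup as in the question, with validOnly: false so the self-signed
    // certificate is returned even though no chain to a trusted root exists.
    public static X509Certificate2 FindByThumbprint(string thumbprint)
    {
        var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            return store.Certificates
                        .Find(X509FindType.FindByThumbprint, thumbprint, validOnly: false)
                        .OfType<X509Certificate2>()
                        .FirstOrDefault();
        }
        finally { store.Close(); }
    }

    // Rebuilds the chain that validOnly: true evaluates and prints every status flag.
    // For a makecert -r certificate that is not in a Trusted Root store, expect UntrustedRoot.
    public static X509ChainStatusFlags Explain(X509Certificate2 cert)
    {
        var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; // not what is being diagnosed
        chain.Build(cert);
        var combined = X509ChainStatusFlags.NoError;
        foreach (var s in chain.ChainStatus)
        {
            combined |= s.Status;
            Console.WriteLine($"{s.Status}: {s.StatusInformation.Trim()}");
        }
        return combined;
    }

    // Scoped alternative to certificateValidationMode="None": only the pinned dev
    // thumbprint is accepted, and only the unknown-root failure is waived, so
    // expiry (NotTimeValid) and signature checks are still enforced.
    public static bool IsAcceptableDevCert(X509Certificate2 cert, string pinnedThumbprint)
    {
        if (!string.Equals(cert.Thumbprint, pinnedThumbprint, StringComparison.OrdinalIgnoreCase))
            return false;
        var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority;
        return chain.Build(cert);
    }
}
```

Run `Explain(FindByThumbprint("<your thumbprint>"))` on a machine that has the makecert certificate in the LocalMachine\My store; the printed flags are the reason `Find(..., true)` returns nothing.
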
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow