Friday 14 January 2011

Generating temp SSL certificates for development

Update 01/03/2014

If you’re using IIS 7, there is a quick way to create self-signed certificates. Details can be found in this post: Create a self-signed certificate for development in IIS 7.

If you still want to know about the manual method read on.

Original post

I needed to generate an SSL certificate for testing a WCF service that had to be secured. Not wanting (or having the budget for) a real SSL certificate, I elected to generate my own. The following batch file contains the main ingredients:

@echo off

echo Step 1 - Create a self-signed root authority certificate and export the private key.
echo You will be prompted to provide a password to protect the private key.
echo The password is required when creating a certificate signed by the root certificate.
echo ===================================================================================
makecert -n "CN=RootTempCA" -r -sv RootTempCA.pvk RootTempCA.cer

echo Step 2 - Create a new certificate signed by a root authority certificate
echo ========================================================================
makecert -sk domain.to.secure -iv RootTempCA.pvk -n "CN=domain.to.secure" -ic RootTempCA.cer -sr localmachine -ss my -sky exchange -pe

Replace domain.to.secure to match your environment (this could be localhost, the machine name, whatever you need). Step 2 also installs the certificate into the certificate store (the "my" store of the local machine, per the -sr and -ss flags), so there is no need to do that manually.

The makecert flags used above break down as follows (the step number shows which of the two commands uses the flag):

-n subjectname (steps 1, 2)
Specifies the subject name. The convention is to prefix the subject name with "CN=" for "Common Name".

-r (step 1)
Specifies that the certificate will be self-signed.

-sv privateKeyFile (step 1)
Specifies the file that contains the private key container.

-sk subjectKey (step 2)
The location of the subject's key container that holds the private key. If a key container does not exist, one is created. If neither the -sk nor the -sv option is used, a key container called JoeSoft is created by default.

-iv issuerKeyFile (step 2)
Specifies the issuer's private key file.

-ic issuerCertFile (step 2)
Specifies the location of the issuer's certificate.

-sr location (step 2)
Specifies the subject's certificate store location. location can be either currentuser (the default) or localmachine.

-ss store (step 2)
Specifies the name of the subject's certificate store that receives the output certificate.

-sky keytype (step 2)
Specifies the subject's key type, which must be one of the following: signature (the key is used for a digital signature), exchange (the key is used for key encryption and key exchange), or an integer that represents a provider type. By default, you can pass 1 for an exchange key or 2 for a signature key.

-pe (step 2)
Marks the generated private key as exportable. This allows the private key to be included in the certificate.

Because this process creates a self-signed certificate, if you access the service from a remote machine you will likely run into problems: the client rejects the certificate because it was issued by an unknown Certification Authority. To get around this you need to import the root certificate into the Trusted Root Certification Authorities store on the client machine. I find it best to import the certificate using a Personal Information Exchange (.pfx) file. To create the .pfx, run the following:

pvk2pfx.exe -pvk RootTempCA.pvk -spc RootTempCA.cer -pfx RootTempCA.pfx -po password_here
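To make the two makecert steps and the "unknown Certification Authority" problem above concrete, here is the same procedure carried out with the Go standard library. This is an added example, not code from the original post, and makecert itself is not involved: RootTempCA and domain.to.secure are reused as names, but the RSA key size, the validity periods and the Subject Alternative Name entry are my own choices. The verification step models the remote client twice, once with an empty trust store (the situation before RootTempCA.pfx is imported) and once with the root trusted. The standard library has no PKCS#12 writer, so the pvk2pfx step is not reproduced.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// DevPKI is what the post's batch file leaves behind: a self-signed root (step 1)
// and a server certificate issued by that root (step 2).
type DevPKI struct {
	RootCert *x509.Certificate
	RootKey  *rsa.PrivateKey
	LeafCert *x509.Certificate
	LeafKey  *rsa.PrivateKey
}

// issue signs template with issuerKey; template == issuer gives a self-signed
// certificate (the makecert -r case).
func issue(template, issuer *x509.Certificate, pub *rsa.PublicKey, issuerKey *rsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, template, issuer, pub, issuerKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildDevPKI runs both makecert steps in memory. caName stands in for RootTempCA
// and host for domain.to.secure; key sizes and lifetimes are my own choices.
func BuildDevPKI(caName, host string) (*DevPKI, error) {
	rootKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	leafKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	// Step 1: self-signed root. CA:TRUE plus keyCertSign is what lets it sign step 2.
	rootTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: caName},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	rootCert, err := issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	// Step 2: server certificate signed by the root (makecert -iv / -ic). -sky exchange
	// maps to keyEncipherment; the SAN is set because current clients match the host
	// name against the SAN, not the CN.
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(90 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafCert, err := issue(leafTmpl, rootCert, &leafKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	return &DevPKI{rootCert, rootKey, leafCert, leafKey}, nil
}

// VerifyAs validates the server certificate as a client would, trusting only the
// roots given. An empty list models the remote machine before RootTempCA has been
// imported into its Trusted Root store.
func VerifyAs(leaf *x509.Certificate, trustedRoots []*x509.Certificate, host string) error {
	pool := x509.NewCertPool() // non-nil but empty: no fallback to the system roots
	for _, c := range trustedRoots {
		pool.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	return err
}

// IsUnknownAuthority reports whether err is the "unknown Certification Authority" failure.
func IsUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

func main() {
	pki, err := BuildDevPKI("RootTempCA", "domain.to.secure")
	if err != nil {
		panic(err)
	}
	fmt.Println("root not trusted:", VerifyAs(pki.LeafCert, nil, "domain.to.secure"))
	fmt.Println("root imported:   ", VerifyAs(pki.LeafCert, []*x509.Certificate{pki.RootCert}, "domain.to.secure"))
}
```

The first line printed by main is the x509 "certificate signed by unknown authority" error, the second is nil. Importing RootTempCA into the client's trusted roots changes nothing about the server certificate; it only changes which issuers the client accepts, which is why the same leaf fails in one call and passes in the next.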
