NAME
MakeCert - Create X.509 certificates for test purposes
SYNOPSIS
makecert [options] certificate
DESCRIPTION
Create an X.509 certificate using the provided informations. This is
useful for testing Authenticode signatures, SSL and S/MIME
technologies.
PARAMETERS
-# num Specify the certificate serial number.
-n dn Specify the subject Distinguished Name (DN).
-in dn Specify the issuer Distinguished Name (DN).
-r Create a self-signed, also called root, certificate.
-iv pvkfile
Specify the private key file (.PVK) for the issuer. The private
key in the specified file will be used to sign the new
certificate.
-ic certfile
Extract the issuer's name from the specified certificate file -
i.e. the subject name of the specified certificate becomes the
issuer name of the new certificate.
-in name
Use the issuer's name from the specified parameter.
-ik container
Specify the key container name to be used for the issuer.
-iky [signature | exchange | #]
Specify the key number to be used in the provider (when used
with -ik).
-ip provider
Specify the cryptographic provider to be used for the issuer.
-ir [localmachine | currentuser]
Specify the provider will search the user or the machine keys
containers for the issuer.
-iy number
Specify the provider type to be used for the issuer.
-sv pkvfile
Specify the private key file (.PVK) for the subject. The public
part of the key will be inserted into the created certificate.
If non-existant the specified file will be created with a new
key pair (default to 1024 bits RSA key pair).
-sk container
Specify the key container name to be used for the subject.
-sky [signature | exchange | #]
Specify the key number to be used in the provider (when used
with -sk).
-sp provider
Specify the cryptographic provider to be used for the subject.
-sr [localmachine | currentuser]
Specify the provider will search the user or the machine keys
containers for the subject.
-sy number
Specify the provider type to be used for the issuer.
-a hash
Select hash algorithm. Only MD5 and SHA1 algorithms are
supported.
-b date
The date since when the certificate is valid (notBefore).
-e date
The date until when the certificate is valid (notAfter).
-m number
Specify the certificate validity period in months. This is added
to the notBefore validity date which can be set with -b or will
default to the current date/time.
-cy [authority|end]
Basic constraints. Select Authority or End-Entity certificate.
Only Authority certificates can be used to sign other
certificates (-ic). End-Entity can be used by clients (e.g.
Authenticode, S/MIME) or servers (e.g. SSL).
-h number
Add a path length restriction to the certificate chain. This is
only applicable for certificates that have BasicConstraint set
to Authority (-cy authority). This is used to limit the chain of
certificates than can be issued under this authority.
-eku oid[,oid]
Add some extended key usage OID to the certificate.
-p12 pkcs12file password
Create a new PKCS#12 file containing both the certificates (the
subject and possibly the issuer's) and the private key. The
PKCS#12 file is protected with the specified password. This
option is mono exclusive.
-? Help (display this help message)
-! Extended help (for advanced options)
EXAMPLES
To create a SSL test (i.e. non trusted) certificate is easy once your
know your host's name. The following command will create a test
certificate for an SSL server:
$ hostname
pollux
$ makecert -r -eku 1.3.6.1.5.5.7.3.1 -n "CN=pollux" -sv pollux.pvk pollux.cer
Success
In particular in the above example, the parameters used to build this
test certificate were:
-r Create a self-signed certificate (i.e. without an hierarchy).
-eku 1.3.6.1.5.5.7.3.1
Optional (as sadly most client don't require it). This indicates
that your certificate is intended for server-side
authentication.
-n Common Name (CN) = Host name. This is verified the SSL client
and must match the connected host (or else you'll get a warning
or error or *gasp* nothing).
-sv private.key
The private key file. The key (1024 bits RSA key pair) will be
automatically generated if the specified file isn't present.
pollux.cer
The SSL certificate to be created for your host.
KNOWN RESTRICTIONS
Compared to the Windows version some options aren't supported (-$, -d,
-l, -nscp, -is, -sc, -ss). Also PVK files with passwords aren't
supported.
AUTHOR
Written by Sebastien Pouliot
COPYRIGHT
Copyright (C) 2003 Motus Technologies. Copyright (C) 2004-2005 Novell.
Released under BSD license.
MAILING LISTS
Visit http://lists.ximian.com/mailman/listinfo/mono-devel-list for
details.
WEB SITE
Visit http://www.mono-project.com for details
SEE ALSO
signcode(1)
Mono(MakeCert)