
makecert and creating ssl or signing certificates

June 1, 2015

I’ve been asked to post my makecert scripts for creating self-signed certificates (one for SSL and the other for signing). I use both of these scripts as .bat files. Each script accepts one parameter — the CN (common name) you want the certificate to match. For the SSL cert this must match the host name; for signing it’s just a unique name. Both need to be run from an administrative command prompt because the scripts install the certificate into the local machine’s personal certificate store. If you need the public key portion (.cer) then you’d have to open mmc and export it. Also, notice the expiration dates in the scripts — this is something you might want to change based upon your situation.

The first script is for creating SSL certificates. This is good for setting up SSL on your local IIS for a new web site (you’d need to ensure the host name is indicated and SNI is configured), although the SSL certificate won’t be trusted until you configure the cert as trusted on the client machine. Here are the .bat file contents:

makecert -r -pe -n "CN=%1" -b 01/01/2015 -e 01/01/2020 -sky exchange -a sha256 -len 2048 -ss my -sr localMachine

The second script is for creating signing certificates (for things like token signing within a token service such as IdentityServer). Here are the .bat file contents:

makecert -r -pe -n "CN=%1" -b 01/01/2015 -e 01/01/2020 -sky signature -a sha256 -len 2048 -ss my -sr LocalMachine

Or, if you simply want these to save the certificate files to the filesystem instead of installing them into the store:

makecert -r -pe -n "CN=%1" -b 01/01/2017 -e 01/01/2025 -sky signature -a sha256 -len 2048 -sv %1.pfx %1.cer
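The same two profiles (an SSL cert keyed for exchange, a signing cert keyed for signature only), rebuilt with New-SelfSignedCertificate so the .cer and .pfx are written by the script rather than exported by hand from mmc, followed by a check that the result matches what was asked for. This is an added example and not one of the post’s .bat files: the function names, the two-year validity and the sample names (dev.example.test, idsrv-signing) are this example’s own choices, and it assumes the Windows 10 / Server 2016 or later version of the cmdlet, which accepts -Type, -KeyUsage, -NotAfter and -TextExtension.

```powershell
# Added example, not one of the post's .bat files. Rebuilds the two makecert profiles above
# with New-SelfSignedCertificate (Windows 10 / Server 2016 or later) and checks the result.
# Function names are this example's own. Run elevated: it writes to Cert:\LocalMachine\My,
# the same store "-ss my -sr localMachine" targets.

function New-LocalTestCertificate {
    param(
        [Parameter(Mandatory)] [string] $CommonName,             # host name for SSL, any unique name for signing
        [Parameter(Mandatory)] [ValidateSet('Ssl', 'Signing')] [string] $Profile,
        [string] $OutputDirectory = '.',
        [int] $ValidYears = 2                                     # the .bat files use five years; set what your situation needs
    )

    $common = @{
        Subject           = "CN=$CommonName"                      # "-n CN=%1"
        CertStoreLocation = 'Cert:\LocalMachine\My'
        KeyAlgorithm      = 'RSA'
        KeyLength         = 2048                                  # "-len 2048"
        HashAlgorithm     = 'SHA256'                              # "-a sha256"
        KeyExportPolicy   = 'Exportable'                          # "-pe"
        NotBefore         = (Get-Date).AddDays(-1)                # tolerate clock skew between machines
        NotAfter          = (Get-Date).AddYears($ValidYears)
    }

    if ($Profile -eq 'Ssl') {
        # "-sky exchange": key may encipher, EKU server authentication, and the host name also
        # goes in the SAN because clients match the host there rather than in the CN
        $cert = New-SelfSignedCertificate @common -DnsName $CommonName `
            -KeyUsage DigitalSignature, KeyEncipherment -Type SSLServerAuthentication
    }
    else {
        # "-sky signature": signature-only key and no server-authentication EKU, so the
        # token-signing cert is not also usable as a TLS server cert
        $cert = New-SelfSignedCertificate @common -KeyUsage DigitalSignature -Type Custom `
            -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.3')   # EKU: code signing only
    }

    # Export both halves here instead of through mmc: the .cer is public, the .pfx carries
    # the private key and is encrypted with the password entered at the prompt.
    $cerPath = Join-Path $OutputDirectory "$CommonName.cer"
    $pfxPath = Join-Path $OutputDirectory "$CommonName.pfx"
    Export-Certificate -Cert $cert -FilePath $cerPath -Type CERT | Out-Null
    $password = Read-Host -Prompt "PFX password for $CommonName" -AsSecureString
    Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $password | Out-Null
    return $cert
}

function Test-CertificateProfile {
    # Returns the problems found; no output means the certificate matches the requested profile.
    param(
        [Parameter(Mandatory)] [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate,
        [Parameter(Mandatory)] [string] $ExpectedCommonName,
        [Parameter(Mandatory)] [ValidateSet('Ssl', 'Signing')] [string] $Profile
    )
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'
    $problems = @()

    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($Certificate)
    if ($null -eq $rsa -or $rsa.KeySize -lt 2048) { $problems += 'public key is not RSA of at least 2048 bits' }
    if ($Certificate.SignatureAlgorithm.FriendlyName -notmatch 'sha256') {
        $problems += "signature algorithm is $($Certificate.SignatureAlgorithm.FriendlyName), not SHA-256"
    }
    if ($Certificate.NotAfter -le (Get-Date)) { $problems += "expired on $($Certificate.NotAfter)" }

    # Collect EKU OIDs and key-usage flags straight from the extensions
    $ekus = @($Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object { $_.Value })
    $keyUsage = $Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] } |
        ForEach-Object { $_.KeyUsages }
    if (-not ($keyUsage -band [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature)) {
        $problems += 'key usage lacks DigitalSignature'
    }

    if ($Profile -eq 'Ssl') {
        # GetNameInfo(DnsName) reads the SAN first and falls back to the CN, which is what TLS clients match
        $dnsName = $Certificate.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
        if ($dnsName -ne $ExpectedCommonName) { $problems += "certificate is for '$dnsName', not '$ExpectedCommonName'" }
        if ($ekus -notcontains $serverAuthOid) { $problems += 'missing server-authentication EKU' }
    }
    else {
        $cn = $Certificate.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
        if ($cn -ne $ExpectedCommonName) { $problems += "CN is '$cn', not '$ExpectedCommonName'" }
        if ($ekus -contains $serverAuthOid) { $problems += 'signing cert also carries the server-authentication EKU' }
    }
    return $problems
}

# Usage with constructed names: create each kind, then check it before handing out the .cer or .pfx
$ssl = New-LocalTestCertificate -CommonName 'dev.example.test' -Profile Ssl
Test-CertificateProfile -Certificate $ssl -ExpectedCommonName 'dev.example.test' -Profile Ssl
$sig = New-LocalTestCertificate -CommonName 'idsrv-signing' -Profile Signing
Test-CertificateProfile -Certificate $sig -ExpectedCommonName 'idsrv-signing' -Profile Signing
```

The check function is the part worth keeping around: the same assertions (key length, hash, expiry, name, and that a signing cert does not carry the server-authentication EKU) apply just as well to certs produced by the makecert lines above, loaded with Get-ChildItem Cert:\LocalMachine\My.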

HTH


8 Comments
  1. June 2, 2015 11:21 pm

    Hi Brock

    This link might be interesting as well; it shows how to make a cert using makecert or openssl and set up your Windows system.

    https://damienbod.wordpress.com/2014/04/16/iis-https-configuration-for-team-development/

    greetings Damien

  2. June 20, 2016 3:54 pm

    Any guides you might be aware of that show how to install on IIS 8?

    • June 24, 2016 2:10 pm

      no sorry — I’d check/ask Microsoft for info on this.

    • September 3, 2016 3:36 am

      I compiled letsencrypt-win-simple, then ran it on my server, and it automatically installed a valid IIS 8.5 X509 cert and updated IIS to use it. A full video demo is on this page.
      —https://github.com/Lone-Coder/letsencrypt-win-simple/wiki/How-to-Compile-From-Source-Code
      Seems only to work with, I have to figure out how to use it with my NON-MS NON-Web based email server.

      The github link is here:
      —https://github.com/Lone-Coder/letsencrypt-win-simple

      And a video explaining how/why you are getting free X509 certs that can auto renew is here:
      —https://www.youtube.com/watch?v=OE5UhQGg_Fo

      However, I still don’t know much about certs, and am trying to get (automate) a cert with openssl for IdentityServer3, hopefully by tonight.

  3. Michael Kugler
    February 27, 2017 6:40 am

    Hey Brock,
    I’ve created a little PowerShell script

    $HostNameForCertificate = $env:computername
    $AdditionalHostNames = "localhost"

    # Root CA. Windows chain building requires every EKU of a leaf to appear on the CA certs above it,
    # so the root lists server authentication (1.3.6.1.5.5.7.3.1) as well as code signing (1.3.6.1.5.5.7.3.3);
    # with code signing alone the web server cert below would not validate for TLS.
    $RootCACert = New-SelfSignedCertificate -CertStoreLocation cert:\localmachine\my -FriendlyName "Local Certification Authority" -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.3") -KeyUsage CertSign -KeyAlgorithm RSA -KeyLength 2048 -DnsName $HostNameForCertificate,$AdditionalHostNames
    # export the public cert to import it on other machines as a trusted root CA
    Export-Certificate -Cert $RootCACert -FilePath c:\temp\root-authority.crt

    # add the certificate to the local trusted root certification authorities
    $TrustedRootCAStore = New-Object System.Security.Cryptography.X509Certificates.X509Store("Root", "LocalMachine")
    $TrustedRootCAStore.Open("MaxAllowed")
    $TrustedRootCAStore.Add($RootCACert)
    $TrustedRootCAStore.Close()

    # web server cert, EKU server authentication (1.3.6.1.5.5.7.3.1), issued by the local root
    New-SelfSignedCertificate -CertStoreLocation cert:\localmachine\my -FriendlyName "Certificate for Web Server" -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.1") -DnsName $HostNameForCertificate,$AdditionalHostNames -Signer $RootCACert
    # IdentityServer token signing certificate, EKU code signing (1.3.6.1.5.5.7.3.3), issued by the local root
    New-SelfSignedCertificate -CertStoreLocation cert:\localmachine\my -FriendlyName "Certificate for IdentityServer Token Signing" -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.3") -KeyUsage DigitalSignature -KeyAlgorithm RSA -KeyLength 2048 -DnsName $HostNameForCertificate,$AdditionalHostNames -Signer $RootCACert

    cheers

    Michael
