KB: How to create a web server SSL certificate with makecert.exe

Assuming you have the signing certificate and private key in the “Personal” cert store of the current user.

makecert.exe -is my -ir CurrentUser -in "signing_cert_name" -pe -n "CN=host.jeffchiu.com" -eku -ss my -sr CurrentUser -sky exchange -m 12

  • -is:   Issuer's certificate store name.
  • -ir:   Issuer's certificate store location.
  • -in:   Issuer's certificate common name.
  • -pe:   Mark the generated private key as exportable.
  • -n:    Certificate subject X.500 name.
  • -eku:  Comma-separated enhanced key usage OIDs.
    • : Server Authentication
    • : Client Authentication
  • -sky:  Subject key type.
  • -ss:   Subject's certificate store name that stores the output certificate.
  • -sr:   Subject's certificate store location.
  • -m:    The number of months in the certificate validity period.

My Certificate Authority Lab Setup (Part 1) – Offline Root CA

To start with something simple I'm building up a 2-tier CA hierarchy incorporating an offline root CA and an issuing Windows Server 2003 Enterprise CA.


Some notes on my Root CA setup:

  1. Install Windows Server 2003, Standard Edition is good enough for an offline CA.
  2. Workgroup only, DO NOT join Domain.
  3. Think twice about the Computer Name before starting the CA installation; the computer cannot be renamed afterwards.
  4. IMPORTANT! Create CAPolicy.inf in C:\WINDOWS (or %SYSTEMROOT%) to specify empty CRL distribution point and AIA.
    Signature="$Windows NT$"
  5. Install Certificate Services only and do not install IIS and other services to minimize attack surface. You don’t need web enrollment for this offline CA.
  6. Use custom settings to specify a key length of 4096 bits and 5 years validity. (Watch out for Domino root certificate key length support: use 2048-bit if any SubCA is going to issue S/MIME certificates for Domino 6 & 7. More on MyKB.)
  7. After installation, use "certutil -setreg ca\[name]" to set the issuing validity timespan and the default container distinguished name referenced by the CDP and AIA LDAP URLs.
    Registry             Value
    ValidityPeriod       Years
    ValidityPeriodUnits  2
    DSConfigDN           CN=Configuration,DC=contoso,DC=com
  8. Configure the CA's CDP and AIA locations. The objective is to use the external FQDN instead of the computer name for the HTTP URL and to make it come before the LDAP URL.
  9. Remove the default URLs except the local disk location and add back the following URLs.
    CDP
    URL                                                                      Options
    http://www.contoso.com/cert/%3%8%9.crl                                   CSURL_ADDTOCERTCDP -- 2
    ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10    CSURL_ADDTOCERTCDP -- 2
    AIA
    URL                                                                      Options
    http://www.contoso.com/cert/%1_%3%4.crt                                  CSURL_ADDTOCERTCDP -- 2
    ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11            CSURL_ADDTOCERTCDP -- 2
  10. Configure the CRL publication interval and make sure Delta CRL publishing is disabled. (An interval of 180 days is already specified in the CAPolicy.inf file.)
  11. Publish the CRL and examine the CDP location. Make sure the DSConfigDN registry value is set up correctly and you are not seeing "DC=UnavailableConfigDN namespace" in the LDAP URL.
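The certutil commands behind steps 7 to 11, collected into one script as an added example (not part of the original post). It assumes the external FQDN www.contoso.com, the forest configuration DN CN=Configuration,DC=contoso,DC=com, the default local CertEnroll folder, and an elevated prompt on the offline root CA.

```powershell
# Added example, not from the original post. Assumed values: external FQDN,
# DSConfigDN, 2-year issuing validity, 180-day base CRL; replace with your own.
$httpBase   = "http://www.contoso.com/cert"
$dsConfigDN = "CN=Configuration,DC=contoso,DC=com"
$local      = "$env:windir\system32\CertSrv\CertEnroll"   # default local publish folder

# Step 7: validity of the certificates this root issues (the SubCA certs) and the
# DN substituted for %6 in the LDAP URLs, since an offline root is not domain-joined.
certutil -setreg CA\ValidityPeriodUnits 2
certutil -setreg CA\ValidityPeriod "Years"
certutil -setreg CA\DSConfigDN $dsConfigDN

# Steps 8-9, CDP: keep the local disk location (1 = CSURL_SERVERPUBLISH), then the
# HTTP URL before the LDAP URL, both only embedded in issued certificates
# (2 = CSURL_ADDTOCERTCDP). certutil treats the literal "\n" as the entry separator.
certutil -setreg CA\CRLPublicationURLs ("1:$local\%3%8%9.crl\n" +
    "2:$httpBase/%3%8%9.crl\n" +
    "2:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10")

# Steps 8-9, AIA: same ordering rule, HTTP ahead of LDAP.
certutil -setreg CA\CACertPublicationURLs ("1:$local\%1_%3%4.crt\n" +
    "2:$httpBase/%1_%3%4.crt\n" +
    "2:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11")

# Step 10: base CRL every 180 days; a delta period of 0 units disables delta CRLs.
certutil -setreg CA\CRLPeriodUnits 180
certutil -setreg CA\CRLPeriod "Days"
certutil -setreg CA\CRLDeltaPeriodUnits 0

# Registry changes are read at service start.
Restart-Service CertSvc

# Step 11: publish a base CRL, then confirm the settings that feed the LDAP URLs.
# An empty DSConfigDN is what produces "DC=UnavailableConfigDN" in the CDP/AIA URLs.
certutil -crl
certutil -getreg CA\DSConfigDN
certutil -getreg CA\CRLPublicationURLs
certutil -getreg CA\CACertPublicationURLs
Get-ChildItem "$local\*.crl"      # the freshly published base CRL
```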

OK, the root CA is now ready. The next would be the issuing enterprise CA.