I am using makecert.exe to create an RSA certificate and I am wondering what the significance is of this option? -sk KeyName
The documentation says "Specifies the subject's key container location, which contains the private key. If a key container does not exist, it will be created"
But I don't know what that means. Is it used as some kind of seed for creating the certificate? This is my current command line:
makecert.exe -r -sr LocalMachine -ss my -a sha256 -pe -sky exchange -n "CN=Mycert"
Under what circumstances might I want to specify a KeyName?
I am following step 2 in this tutorial.
After entering this command,
makecert -r -pe -n "CN=PC-Name" -b 01/01/2000 -e 01/01/2036 -eku 1.3.6.1.5.5.7.3.1 -ss my -sr localMachine -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12
I am getting ERROR: Too many parameters
How to solve this issue? Help please
The command looks like the following:
Makecert -r -pe -n CN="www.example.com" -b 05/10/2010 -e 12/22/2011 -eku 1.3.6.1.5.5.7.3.1 -ss my -sr localmachine -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12
If you copy the sample command from the MSDN page above and run it via the command-line, you'll get error "Too many parameters". It turns out the dash used in the MSDN post above is actually character: \u2013 (DASH-EN) and not minus \u002D and it's the minus character that the tool is expecting.
So to make this work, simply replace the hyphen with the minus sign when keying in the command as defined above. In the above sample, I have replaced the incorrect character with the correct one so feel free to just copy and paste it.
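A check for the problem described in the answer above, as an added example that is not part of the original post: it lists every non-ASCII character in a pasted command and rewrites dash look-alikes to U+002D. It goes beyond the en dash named above to cover other Unicode dashes and curly quotes; the function names and the sample command are constructed for illustration.

```python
import unicodedata

# Unicode characters that render like "-" but are not U+002D HYPHEN-MINUS.
DASH_LOOKALIKES = {
    "\u2010",  # HYPHEN
    "\u2011",  # NON-BREAKING HYPHEN
    "\u2012",  # FIGURE DASH
    "\u2013",  # EN DASH (the one named in the answer above)
    "\u2014",  # EM DASH
    "\u2015",  # HORIZONTAL BAR
    "\u2212",  # MINUS SIGN
}
SMART_QUOTES = {"\u201c": '"', "\u201d": '"', "\u2018": "'", "\u2019": "'"}


def find_suspect_chars(command):
    """Return (index, char, unicode name) for every non-ASCII character."""
    return [(i, ch, unicodedata.name(ch, "UNKNOWN"))
            for i, ch in enumerate(command) if ord(ch) > 0x7F]


def normalize_command(command):
    """Replace dash look-alikes and smart quotes; refuse anything else non-ASCII."""
    out = []
    for i, ch in enumerate(command):
        if ch in DASH_LOOKALIKES:
            out.append("-")
        elif ch in SMART_QUOTES:
            out.append(SMART_QUOTES[ch])
        elif ord(ch) > 0x7F:
            raise ValueError(f"unexpected non-ASCII character U+{ord(ch):04X} at {i}")
        else:
            out.append(ch)
    return "".join(out)


# Constructed sample: a shortened makecert command with EN DASHes, as if copied from a web page.
PASTED = 'makecert \u2013r \u2013pe \u2013n "CN=PC-Name" \u2013ss my \u2013sr localMachine'

if __name__ == "__main__":
    for idx, ch, name in find_suspect_chars(PASTED):
        print(f"col {idx}: U+{ord(ch):04X} {name}")
    print(normalize_command(PASTED))
```

Characters outside the two tables raise an error instead of being silently rewritten, so an unexpected look-alike in a pasted command is surfaced for review.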
How does one generate the original public/private keys used for Authenticode signing? I see commands like this in the tutorials:
pvk2pfx.exe -pvk mykey.pvk -pi <password> -spc mycert.spc -pfx mycert.pfx -po <password>
but they don't say how to get the private key in the first place.
For testing you can generate a self-signed certificate:
REM May change depending on your installed Windows SDK
cd "C:\Program Files (x86)\Microsoft SDKs\Windows\v7.1A\Bin"
REM Generate the root certificate
.\makecert.exe -r -pe -n "CN=Sample.CA" -ss CA -sr CurrentUser -a sha1 -cy authority -sky signature -sv d:\Sample.CA.pvk d:\Sample.CA.cer
REM Add the Root certificate to the user store
certutil.exe -user -addstore Root d:\Sample.CA.cer
REM Create the certificate for code signing
.\makecert.exe -pe -n "CN=Sample.CodeSigning" -eku "1.3.6.1.5.5.7.3.3,1.3.6.1.4.1.311.10.3.13" -a sha1 -cy end -sky signature -ic d:\Sample.CA.cer -iv d:\Sample.CA.pvk -sv d:\Sample.CodeSigning.pvk d:\Sample.CodeSigning.cer
REM Convert the certificate to PFX file format
.\pvk2pfx.exe -pvk d:\Sample.CodeSigning.pvk -spc d:\Sample.CodeSigning.cer -pfx d:\Sample.CodeSigning.pfx
According to a Twitter answer, "You need to get a Class 3 Code Signing cert from a CA."
I'm trying to import a certificate via cmd with certutil.exe
After I tried this command:
certutil.exe -A -n C:\Documents and Settings\xxxxx\Desktop\RootCert-somecert.cer -t c
It returns:
certutil.exe: function failed: The certificate/key database is in an old, unsupported format
Can you help me?
Make sure that key3.db, cert8.db and secmod.db are in the same directory, and that it is the current directory where you run certutil. If you want to point to another directory for the db, use the -d argument.
The -n argument is used to give an alias to the certificate. To point to the certificate to add, use the -i argument.
example:
certutil.exe -A -n "mycert" -i "C:\Documents and Settings\xxxxx\Desktop\RootCert-somecert.cer" -t c -d "C:\certdb"
Hope it helps
Is it possible to use makecert to create self-signed certificates with a specific key usage property?
I need to generate a self-signed certificate for testing. It must have the "Digital Signature" and "Non-repudiation" values on the "Key Usage" property such as described in RFC 3280 section 4.2.1.3.
I have tried some variations with the "-sky" option, such as "3" (bit 0 and bit 1 set) and "1,2". The first is not accepted and the second creates a certificate but it doesn't seem to have the "KeyUsage" property set.
Please notice that this doesn't refer to "-eku" (extended key usage).
This is the script I'm using:
makecert -r -pe -n "CN=cte-dev-CA" -ss CA -sr CurrentUser -a sha1 -sky signature -sv cte-dev-CA.pvk cte-dev-CA.cer
certutil -user -addstore Root cte-dev-CA.cer
makecert -pe -n "CN=cte-dev-SPC" -eku 1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4 -a sha1 -sky signature -ic cte-dev-CA.cer -iv cte-dev-CA.pvk -sv cte-dev-SPC.pvk cte-dev-SPC.cer
pvk2pfx -pvk cte-dev-SPC.pvk -spc cte-dev-SPC.cer -pfx cte-dev-SPC.pfx -po my-password
There is no argument for makecert that affects the "Key Usage" field of the created certificate. At least, I have also been unable to find one.
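Added example, not part of the original answer: the Key Usage extension the question cites from RFC 3280 section 4.2.1.3 is a DER BIT STRING of named bits, separate from makecert's -sky key-spec values. This Python sketch encodes and decodes that value so the extension bytes of a test certificate can be checked; the function names are hypothetical.

```python
# Named bits of the KeyUsage extension (OID 2.5.29.15), RFC 3280 section 4.2.1.3.
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
    "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly",
]


def encode_key_usage(names):
    """DER-encode a KeyUsage value (BIT STRING) from a list of usage names."""
    positions = sorted(KEY_USAGE_BITS.index(n) for n in names)
    if not positions:
        return bytes([0x03, 0x01, 0x00])  # empty BIT STRING
    nbytes = positions[-1] // 8 + 1
    body = bytearray(nbytes)
    for p in positions:
        body[p // 8] |= 0x80 >> (p % 8)   # bit 0 is the MOST significant bit
    unused = 7 - (positions[-1] % 8)      # DER drops trailing zero bits
    return bytes([0x03, nbytes + 1, unused]) + bytes(body)


def decode_key_usage(der):
    """Return the usage names set in a DER-encoded KeyUsage BIT STRING."""
    if len(der) < 3 or der[0] != 0x03 or der[1] != len(der) - 2:
        raise ValueError("not a short-form DER BIT STRING")
    unused, body = der[2], der[3:]
    if unused > 7 or (not body and unused):
        raise ValueError("invalid unused-bits count")
    total_bits = len(body) * 8 - unused
    names = []
    for p in range(min(total_bits, len(KEY_USAGE_BITS))):
        if body[p // 8] & (0x80 >> (p % 8)):
            names.append(KEY_USAGE_BITS[p])
    return names


if __name__ == "__main__":
    wanted = ["digitalSignature", "nonRepudiation"]
    der = encode_key_usage(wanted)
    print(der.hex(), decode_key_usage(der))
```

Because bit 0 is the most significant bit of the first content byte, "Digital Signature" plus "Non-repudiation" appears as 0xC0 in the extension value, not as the integer 3.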
I have multiple secret keys in my GPG keyring.
I'd like to do a gpg -e -s -a to encrypt, sign, and ascii armor the output. However, I also need to specify which secret key to use for the signature, by key id.
I needed the --local-user option.
gpg -e -s -a --local-user 0xDEADBEEF -r 0x01234567