1Mono(MakeCert) Mono(MakeCert)
2
6 MakeCert - Create X.509 certificates for test purposes
7
9 makecert [options] certificate
10
12 Create an X.509 certificate using the provided informations. This is
13 useful for testing Authenticode signatures, SSL and S/MIME technolo‐
14 gies.
15
17 -# num Specify the certificate serial number.
18 -n dn Specify the subject Distinguished Name (DN).
20 -in dn Specify the issuer Distinguished Name (DN).
22 -r Create a self-signed, also called root, certificate.
24 -iv pvkfile
26 Specify the private key file (.PVK) for the issuer. The private
27 key in the specified file will be used to sign the new certifi‐
28 cate.
29 -ic certfile
31 Extract the issuer's name from the specified certificate file -
32 i.e. the subject name of the specified certificate becomes the
33 issuer name of the new certificate.
34 -in name
36 Use the issuer's name from the specified parameter.
37 -ik container
39 Specify the key container name to be used for the issuer.
40 -iky [signature | exchange | #]
42 Specify the key number to be used in the provider (when used
43 with -ik).
44 -ip provider
46 Specify the cryptographic provider to be used for the issuer.
47 -ir [localmachine | currentuser]
49 Specify the provider will search the user or the machine keys
50 containers for the issuer.
51 -iy number
53 Specify the provider type to be used for the issuer.
54 -sv pkvfile
56 Specify the private key file (.PVK) for the subject. The public
57 part of the key will be inserted into the created certificate.
58 If non-existant the specified file will be created with a new
59 key pair (default to 1024 bits RSA key pair).
60 -sk container
62 Specify the key container name to be used for the subject.
63 -sky [signature | exchange | #]
65 Specify the key number to be used in the provider (when used
66 with -sk).
67 -sp provider
69 Specify the cryptographic provider to be used for the subject.
70 -sr [localmachine | currentuser]
72 Specify the provider will search the user or the machine keys
73 containers for the subject.
74 -sy number
76 Specify the provider type to be used for the issuer.
77 -a hash
79 Select hash algorithm. Only MD5 and SHA1 algorithms are sup‐
80 ported.
81 -b date
83 The date since when the certificate is valid (notBefore).
84 -e date
86 The date until when the certificate is valid (notAfter).
87 -m number
89 Specify the certificate validity period in months. This is added
90 to the notBefore validity date which can be set with -b or will
91 default to the current date/time.
92 -cy [authority|end]
94 Basic constraints. Select Authority or End-Entity certificate.
95 Only Authority certificates can be used to sign other certifi‐
96 cates (-ic). End-Entity can be used by clients (e.g. Authenti‐
97 code, S/MIME) or servers (e.g. SSL).
98 -h number
100 Add a path length restriction to the certificate chain. This is
101 only applicable for certificates that have BasicConstraint set
102 to Authority (-cy authority). This is used to limit the chain of
103 certificates than can be issued under this authority.
104 -eku oid[,oid]
106 Add some extended key usage OID to the certificate.
107 -p12 pkcs12file password
109 Create a new PKCS#12 file containing both the certificates (the
110 subject and possibly the issuer's) and the private key. The
111 PKCS#12 file is protected with the specified password. This
112 option is mono exclusive.
113 -? Help (display this help message)
115 -! Extended help (for advanced options)
117
119 To create a SSL test (i.e. non trusted) certificate is easy once your
120 know your host's name. The following command will create a test cer‐
121 tificate for an SSL server:
122 $ hostname
123 pollux
124 $ makecert -r -eku 1.3.6.1.5.5.7.3.1 -n "CN=pollux" -sv pollux.pvk pollux.cer
126 Success
127 In particular in the above example, the parameters used to build this
129 test certificate were:
130 -r Create a self-signed certificate (i.e. without an hierarchy).
132 -eku 1.3.6.1.5.5.7.3.1
134 Optional (as sadly most client don't require it). This indicates
135 that your certificate is intended for server-side authentica‐
136 tion.
137 -n Common Name (CN) = Host name. This is verified the SSL client
139 and must match the connected host (or else you'll get a warning
140 or error or *gasp* nothing).
141 -sv private.key
143 The private key file. The key (1024 bits RSA key pair) will be
144 automatically generated if the specified file isn't present.
145 pollux.cer
147 The SSL certificate to be created for your host.
148
150 Compared to the Windows version some options aren't supported (-$, -d,
151 -l, -nscp, -is, -sc, -ss). Also PVK files with passwords aren't sup‐
152 ported.
153
155 Written by Sebastien Pouliot
156
158 Copyright (C) 2003 Motus Technologies. Copyright (C) 2004-2005 Novell.
159 Released under BSD license.
160
162 Visit http://lists.ximian.com/mailman/listinfo/mono-devel-list for
163 details.
164
166 Visit http://www.mono-project.com for details
167
169 signcode(1)
170 Mono(MakeCert)