Mono(MakeCert)

MakeCert - Create X.509 certificates for test purposes

makecert [options] certificate

Create an X.509 certificate using the provided information. This is
useful for testing Authenticode signatures, SSL and S/MIME technologies.

-# num Specify the certificate serial number.

-n dn Specify the subject Distinguished Name (DN).

-in dn Specify the issuer Distinguished Name (DN).

-r Create a self-signed, also called root, certificate.

-iv pvkfile
Specify the private key file (.PVK) for the issuer. The private
key in the specified file will be used to sign the new certificate.

-ic certfile
Extract the issuer's name from the specified certificate file,
i.e. the subject name of the specified certificate becomes the
issuer name of the new certificate.

-in name
Use the issuer's name from the specified parameter.

-ik container
Specify the key container name to be used for the issuer.

-iky [signature | exchange | #]
Specify the key number to be used in the provider (when used
with -ik).

-ip provider
Specify the cryptographic provider to be used for the issuer.

-ir [localmachine | currentuser]
Specify whether the provider will search the user or the machine
key containers for the issuer.

-iy number
Specify the provider type to be used for the issuer.

-sv pvkfile
Specify the private key file (.PVK) for the subject. The public
part of the key will be inserted into the created certificate.
If the specified file does not exist, it will be created with a new
key pair (defaults to a 1024-bit RSA key pair).

-sk container
Specify the key container name to be used for the subject.

-sky [signature | exchange | #]
Specify the key number to be used in the provider (when used
with -sk).

-sp provider
Specify the cryptographic provider to be used for the subject.

-sr [localmachine | currentuser]
Specify whether the provider will search the user or the machine
key containers for the subject.

-sy number
Specify the provider type to be used for the subject.

-a hash
Select the hash algorithm. Only MD5 and SHA1 algorithms are supported.

-b date
The date since when the certificate is valid (notBefore).

-e date
The date until when the certificate is valid (notAfter).

-m number
Specify the certificate validity period in months. This is added
to the notBefore validity date, which can be set with -b or will
default to the current date/time.

-cy [authority|end]
Basic constraints. Select Authority or End-Entity certificate.
Only Authority certificates can be used to sign other certificates
(-ic). End-Entity can be used by clients (e.g. Authenticode,
S/MIME) or servers (e.g. SSL).

-h number
Add a path length restriction to the certificate chain. This is
only applicable for certificates that have BasicConstraint set
to Authority (-cy authority). This is used to limit the chain of
certificates that can be issued under this authority.

-alt filename
Add a subjectAltName extension to the certificate. Each line
from 'filename' will be added as a DNS entry of the extension.
This option is useful if you want to create a single SSL certificate
to work on several hosts that do not share a common
domain name (i.e. CN=*.domain.com would not work).

-eku oid[,oid]
Add one or more extended key usage OIDs to the certificate.

-p12 pkcs12file password
Create a new PKCS#12 file containing both the certificates (the
subject and possibly the issuer's) and the private key. The
PKCS#12 file is protected with the specified password. This
option is exclusive to Mono.

-? Help (display this help message)

-! Extended help (for advanced options)

Creating an SSL test (i.e. non trusted) certificate is easy once you
know your host's name. The following command will create a test
certificate for an SSL server:
$ hostname
pollux

$ makecert -r -eku 1.3.6.1.5.5.7.3.1 -n "CN=pollux" -sv pollux.pvk pollux.cer
Success

In particular in the above example, the parameters used to build this
test certificate were:

-r Create a self-signed certificate (i.e. without a hierarchy).

-eku 1.3.6.1.5.5.7.3.1
Optional (as sadly most clients don't require it). This indicates
that your certificate is intended for server-side authentication.

-n Common Name (CN) = Host name. This is verified by the SSL client
and must match the connected host (or else you'll get a warning
or error or *gasp* nothing).

-sv private.key
The private key file. The key (1024 bits RSA key pair) will be
automatically generated if the specified file isn't present.

pollux.cer
The SSL certificate to be created for your host.

Compared to the Windows version some options aren't supported (-$, -d,
-l, -nscp, -is, -sc, -ss). Also PVK files with passwords aren't supported.

Written by Sebastien Pouliot

Copyright (C) 2003 Motus Technologies. Copyright (C) 2004-2005 Novell.
Released under BSD license.

Visit http://lists.ximian.com/mailman/listinfo/mono-devel-list for
details.

Visit http://www.mono-project.com for details

signcode(1)