Mono(MakeCert)                                                  Mono(MakeCert)

NAME

       MakeCert - Create X.509 certificates for test purposes

SYNOPSIS

       makecert [options] certificate

DESCRIPTION

       Create an X.509 certificate using the provided information. This is
       useful for testing Authenticode signatures, SSL and S/MIME
       technologies.

PARAMETERS

       -# num Specify the certificate serial number.

       -n dn  Specify the subject Distinguished Name (DN).

       -in dn Specify the issuer Distinguished Name (DN).

       -r     Create a self-signed, also called root, certificate.

       -iv pvkfile
              Specify the private key file (.PVK) for the issuer. The private
              key in the specified file will be used to sign the new
              certificate.

       -ic certfile
              Extract the issuer's name from the specified certificate file,
              i.e. the subject name of the specified certificate becomes the
              issuer name of the new certificate.

       -in name
              Use the issuer's name from the specified parameter.

       -ik container
              Specify the key container name to be used for the issuer.

       -iky [signature | exchange | #]
              Specify the key number to be used in the provider (when used
              with -ik).

       -ip provider
              Specify the cryptographic provider to be used for the issuer.

       -ir [localmachine | currentuser]
              Specify whether the provider will search the user or the
              machine key containers for the issuer.

       -iy number
              Specify the provider type to be used for the issuer.

       -sv pvkfile
              Specify the private key file (.PVK) for the subject. The public
              part of the key will be inserted into the created certificate.
              If the specified file does not exist, it will be created with a
              new key pair (defaults to a 1024 bits RSA key pair).

       -sk container
              Specify the key container name to be used for the subject.

       -sky [signature | exchange | #]
              Specify the key number to be used in the provider (when used
              with -sk).

       -sp provider
              Specify the cryptographic provider to be used for the subject.

       -sr [localmachine | currentuser]
              Specify whether the provider will search the user or the
              machine key containers for the subject.

       -sy number
              Specify the provider type to be used for the issuer.

       -a hash
              Select hash algorithm. Only MD5 and SHA1 algorithms are
              supported.

       -b date
              The date since when the certificate is valid (notBefore).

       -e date
              The date until when the certificate is valid (notAfter).

       -m number
              Specify the certificate validity period in months. This is added
              to the notBefore validity date which can be set with -b or will
              default to the current date/time.

       -cy [authority|end]
              Basic constraints. Select Authority or End-Entity certificate.
              Only Authority certificates can be used to sign other
              certificates (-ic). End-Entity can be used by clients (e.g.
              Authenticode, S/MIME) or servers (e.g. SSL).

       -h number
              Add a path length restriction to the certificate chain. This is
              only applicable for certificates that have BasicConstraint set
              to Authority (-cy authority). This is used to limit the chain of
              certificates that can be issued under this authority.

       -alt filename
              Add a subjectAltName extension to the certificate. Each line
              from 'filename' will be added as a DNS entry of the extension.
              This option is useful if you want to create a single SSL
              certificate to work on several hosts that do not share a common
              domain name (i.e. CN=*.domain.com would not work).

       -eku oid[,oid]
              Add some extended key usage OID to the certificate.

       -p12 pkcs12file password
              Create a new PKCS#12 file containing both the certificates (the
              subject and possibly the issuer's) and the private key. The
              PKCS#12 file is protected with the specified password. This
              option is Mono exclusive.

       -?     Help (display this help message)

       -!     Extended help (for advanced options)


EXAMPLES

       Creating an SSL test (i.e. non-trusted) certificate is easy once you
       know your host's name. The following command will create a test
       certificate for an SSL server:

            $ hostname
            pollux

            $ makecert -r -eku 1.3.6.1.5.5.7.3.1 -n "CN=pollux" -sv pollux.pvk pollux.cer
            Success

       In particular, in the above example, the parameters used to build this
       test certificate were:

       -r     Create a self-signed certificate (i.e. without a hierarchy).

       -eku 1.3.6.1.5.5.7.3.1
              Optional (as sadly most clients don't require it). This
              indicates that your certificate is intended for server-side
              authentication.

       -n     Common Name (CN) = Host name. This is verified by the SSL client
              and must match the connected host (or else you'll get a warning
              or error or *gasp* nothing).

       -sv private.key
              The private key file. The key (1024 bits RSA key pair) will be
              automatically generated if the specified file isn't present.

       pollux.cer
              The SSL certificate to be created for your host.
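
       The following script is an added example, not part of the original
       man page: it goes beyond the self-signed case above and chains a
       one-month server certificate to a test CA using only the options
       documented here. The host names, file names, "Test CA" subject and
       the DRY_RUN variable are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not part of the Mono man page. Host names, file names and
# the "Test CA" subject are constructed; only documented options are used.

# Write one DNS name per line, the layout -alt expects. Reject anything that
# is not a plain host name so the file never carries stray characters.
write_alt_file() {
    out=$1; shift
    : > "$out"
    for h in "$@"; do
        case $h in
            ''|-*|.*|*[!A-Za-z0-9.-]*)
                echo "bad host name: $h" >&2; return 1 ;;
        esac
        printf '%s\n' "$h" >> "$out"
    done
}

# Print the command (DRY_RUN=1, the default) or execute it (DRY_RUN=0).
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Step 1: self-signed test CA (-r -cy authority) with path length 0 (-h 0).
# Step 2: end-entity server certificate signed with the CA key (-ic/-iv),
#         carrying the server-authentication EKU and the DNS names in $2.
# -m 1 keeps both certificates valid for one month only.
make_test_pki() {
    host=$1; alt=$2
    run makecert -r -cy authority -h 0 -m 1 -a sha1 \
        -n "CN=Test CA" -sv testca.pvk testca.cer &&
    run makecert -cy end -m 1 -a sha1 -eku 1.3.6.1.5.5.7.3.1 \
        -n "CN=$host" -ic testca.cer -iv testca.pvk \
        -alt "$alt" -sv "$host.pvk" "$host.cer"
}

# Constructed sample run: prints the two makecert command lines.
alt_file=$(mktemp)
write_alt_file "$alt_file" pollux pollux.example.test
make_test_pki pollux "$alt_file"
```

       Run it with DRY_RUN=0 on a machine that has Mono's makecert installed
       to actually create the files.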

KNOWN RESTRICTIONS

       Compared to the Windows version some options aren't supported (-$, -d,
       -l, -nscp, -is, -sc, -ss). Also PVK files with passwords aren't
       supported.

AUTHOR

       Written by Sebastien Pouliot

       Copyright (C) 2003 Motus Technologies.  Copyright (C) 2004-2005 Novell.
       Released under BSD license.

MAILING LISTS

       Visit http://lists.ximian.com/mailman/listinfo/mono-devel-list for
       details.

WEB SITE

       Visit http://www.mono-project.com for details

SEE ALSO

       signcode(1)