makecert Commands (Deprecated)

Reference for the deprecated makecert tool - replaced by New-SelfSignedCertificate in PowerShell and modern certificate tools.

⚠️ Deprecation Notice

Deprecated Tool:

makecert.exe is deprecated and should NOT be used for new projects. It was removed from Windows SDK 8.1 and later.

Modern Alternatives:

• PowerShell: New-SelfSignedCertificate cmdlet

• OpenSSL: Modern, cross-platform tool

• step CLI: Modern PKI toolkit

This Reference Provided For:

• Legacy system maintenance

• Understanding existing certificates created with makecert

• Migration planning from makecert to modern tools

Basic Certificate Creation

Create basic self-signed certificate

Generate simple self-signed certificate:

makecert -r -pe -n "CN=Test Certificate" -ss My -sr CurrentUser test.cer

Flags: -r (self-signed), -pe (private key exportable), -ss (store), -sr (store location)

Create with validity period

Specify certificate validity in months:

makecert -r -pe -n "CN=Test Certificate" -m 12 -ss My -sr CurrentUser test.cer

-m 12 = valid for 12 months

Create with specific key algorithm

Specify RSA key length:

makecert -r -pe -n "CN=Test Certificate" -len 4096 -a sha256 -ss My test.cer

-len 4096 = 4096-bit RSA key, -a sha256 = SHA-256 hash algorithm

Creating Certificate Authority

Create root CA

Create self-signed root certificate authority:

makecert -r -pe -n "CN=Test Root CA" -ss Root -sr LocalMachine -a sha256 -len 4096 -cy authority -sv RootCA.pvk RootCA.cer

-cy authority = certificate type is CA, -sv = save private key to file

Sign certificate with CA

Create certificate signed by custom CA:

makecert -pe -n "CN=example.com" -a sha256 -len 2048 -iv RootCA.pvk -ic RootCA.cer -ss My -sr LocalMachine -sky exchange signed.cer

-iv = issuer's private key file, -ic = issuer's certificate, -sky = key type

Subject Alternative Names (Limited Support)

Add SANs (workaround)

makecert has no option for Subject Alternative Names. The workaround is to build the request with certreq and an INF file instead, then have a CA sign it:

# Create request.inf file:
[Version]
Signature = "$Windows NT$"

[NewRequest]
Subject = "CN=example.com"
KeySpec = 1
KeyLength = 2048
Exportable = TRUE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1  ; Server Authentication

[Extensions]
2.5.29.17 = "{text}dns=example.com&dns=www.example.com&dns=api.example.com"

# Generate certificate request
certreq -new request.inf request.req

# Submit to a CA for signing (certreq -submit targets an enterprise CA; a CA web enrollment page also accepts the .req)
certreq -submit request.req signed.cer

# Install certificate
certreq -accept signed.cer

Common makecert Options

-r                 Create self-signed certificate
-pe                Make private key exportable
-n "CN=name"       Subject name
-a algorithm       Hash algorithm (sha1, sha256, sha384, sha512)
-len number        Key length in bits (default 1024, use 2048+ for security)
-m months          Validity period in months (default 12)
-b date            Valid from date (mm/dd/yyyy)
-e date            Valid to date (mm/dd/yyyy)
-sky exchange      Key type: exchange (encryption) or signature
-cy end|authority  Certificate type: end entity or certificate authority
-ss storename      Certificate store name (My, Root, CA, etc.)
-sr location       Store location (CurrentUser or LocalMachine)
-sv pvkfile        Save private key to .pvk file
-ic cafile         Issuer's certificate file
-iv pvkfile        Issuer's private key file
-eku OID[,OID]     Enhanced Key Usage OIDs
-h number          Max height of certificate chain (0 for end entity)
-in name           Issuer's certificate common name
-is storename      Issuer's certificate store name
-ir location       Issuer's certificate store location

Code Signing Certificates

Create code signing certificate

Certificate for signing executables and scripts:

makecert -r -pe -n "CN=MyCodeSigning" -a sha256 -len 2048 -eku 1.3.6.1.5.5.7.3.3 -sky signature -ss My -sr CurrentUser codesign.cer

-eku 1.3.6.1.5.5.7.3.3 = Code Signing extended key usage

Sign PowerShell script

After creating code signing certificate:

# Get certificate (Select-Object -First 1 guards against several matching certificates)
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert | Where-Object {$_.Subject -like "*MyCodeSigning*"} | Select-Object -First 1

# Sign script
Set-AuthenticodeSignature -FilePath .\script.ps1 -Certificate $cert

# Verify the signature
Get-AuthenticodeSignature -FilePath .\script.ps1 | Format-List Status, SignerCertificate

Converting Certificate Formats

Convert PVK to PFX

Combine certificate and private key into PFX:

# Use pvk2pfx tool (part of Windows SDK)
pvk2pfx -pvk cert.pvk -spc cert.cer -pfx cert.pfx -po "password"

# Or use certutil (certutil -MergePFX expects the private key as cert.key beside cert.cer;
# it does not read makecert's .pvk files, so use pvk2pfx when you only have a .pvk)
certutil -mergepfx cert.cer cert.pfx

Migrating from makecert

PowerShell equivalent

Modern replacement using PowerShell:

# Old makecert command:
makecert -r -pe -n "CN=example.com" -ss My -sr LocalMachine test.cer

# New PowerShell equivalent (PowerShell continues lines with a backtick, not a backslash):
$cert = New-SelfSignedCertificate `
    -DnsName "example.com" `
    -CertStoreLocation Cert:\LocalMachine\My `
    -KeyExportPolicy Exportable

# Export to file
$cert | Export-Certificate -FilePath test.cer
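The one-liner above only covers the self-signed case. The root-CA-plus-signed-leaf workflow from the Creating Certificate Authority section, and the multi-name certificate that the certreq INF workaround produces, also map onto New-SelfSignedCertificate: -Signer replaces -iv/-ic, a basic-constraints -TextExtension replaces -cy authority, and several -DnsName values replace the 2.5.29.17 line of the INF. The following PowerShell is an added example, not part of the original reference; the subject names, store paths, file names and validity periods are illustrative, and it assumes Windows 10 / Server 2016 or later (where -Signer and -TextExtension exist) and an elevated prompt for the LocalMachine store.

```powershell
# Added example: makecert CA + CA-signed leaf rebuilt with New-SelfSignedCertificate.
# Names, paths and lifetimes below are illustrative, not values from the original page.

# 1. Root CA, equivalent of:
#    makecert -r -pe -n "CN=Test Root CA" -a sha256 -len 4096 -cy authority ...
#    The CA key lives in LocalMachine\My so it can sign; only the public cert goes to Root.
$rootCa = New-SelfSignedCertificate `
    -Subject "CN=Test Root CA" `
    -KeyAlgorithm RSA -KeyLength 4096 -HashAlgorithm SHA256 `
    -KeyUsage CertSign, CRLSign, DigitalSignature `
    -KeyExportPolicy Exportable `
    -NotAfter (Get-Date).AddYears(10) `
    -TextExtension @("2.5.29.19={critical}{text}ca=1&pathlength=0") `
    -CertStoreLocation Cert:\LocalMachine\My

# 2. Leaf signed by that CA, equivalent of:
#    makecert -pe -n "CN=example.com" -a sha256 -len 2048 -iv RootCA.pvk -ic RootCA.cer -sky exchange ...
#    plus the SANs that makecert cannot add (Subject becomes CN=example.com, all names go into the SAN).
$leaf = New-SelfSignedCertificate `
    -DnsName "example.com", "www.example.com", "api.example.com" `
    -Signer $rootCa `
    -Type SSLServerAuthentication `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -KeyUsage DigitalSignature, KeyEncipherment `
    -KeyExportPolicy Exportable `
    -NotAfter (Get-Date).AddMonths(12) `
    -CertStoreLocation Cert:\LocalMachine\My

# 3. Trust the CA on this machine: export the public certificate only (like RootCA.cer)
#    and import it into Trusted Root. The CA private key never leaves LocalMachine\My.
Export-Certificate -Cert $rootCa -FilePath .\RootCA.cer | Out-Null
Import-Certificate -FilePath .\RootCA.cer -CertStoreLocation Cert:\LocalMachine\Root | Out-Null

# 4. Equivalent of pvk2pfx: leaf certificate plus private key as a password-protected PFX.
$pfxPassword = Read-Host -AsSecureString "PFX password"
Export-PfxCertificate -Cert $leaf -FilePath .\signed.pfx -Password $pfxPassword | Out-Null

# 5. Verify properties the way step 3 of the migration checklist asks:
#    key size, signature hash, SAN contents and a chain build against the imported root.
$leaf | Format-List Subject, Issuer, NotAfter,
    @{ Name = "KeyBits";   Expression = { $_.PublicKey.Key.KeySize } },
    @{ Name = "Signature"; Expression = { $_.SignatureAlgorithm.FriendlyName } }
($leaf.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }).Format($true)
Test-Certificate -Cert $leaf -Policy SSL -DNSName "www.example.com"
```

Test-Certificate returns True only if the chain builds to a trusted root and the requested DNS name is covered by the certificate, which is the check to run before pointing an application at the new certificate. Keep pathlength=0 on the root unless you intend to issue intermediate CAs from it.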

OpenSSL equivalent

Cross-platform alternative:

# Generate private key and self-signed certificate
openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 \
  -subj "/CN=example.com" -nodes

# Convert to PFX for Windows
openssl pkcs12 -export -out cert.pfx -inkey key.pem -in cert.pem

Migration checklist

Steps to migrate away from makecert:

1. Inventory existing makecert usage
   - Build scripts
   - Deployment automation
   - Development tools

2. Choose replacement tool
   - PowerShell: New-SelfSignedCertificate (Windows-only)
   - OpenSSL: Cross-platform, widely supported
   - step CLI: Modern, user-friendly

3. Test replacement in dev environment
   - Verify certificate properties match
   - Test with applications
   - Validate certificate chain

4. Update documentation and training

5. Gradually migrate production systems

6. Monitor for compatibility issues


Important Notes

Deprecated Since 2016:

makecert was deprecated with Windows SDK 8.1 and is not included in Windows SDK 10+. Do not use for new development.

Security Concerns:

makecert uses weak defaults (1024-bit keys, SHA-1). Always specify -len 2048 and -a sha256 at minimum.
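Certificates that were created with those defaults are still sitting in stores on legacy machines, and step 1 of the migration checklist asks for an inventory of them. The following PowerShell is an added example, not part of the original reference: it walks the Personal stores, flags RSA keys shorter than 2048 bits, SHA-1 signatures and self-signed certificates, and emits one object per finding so the result can be exported or filtered. The store list and threshold are parameters with illustrative defaults.

```powershell
# Added example: audit certificate stores for makecert-era weak defaults.
# Store paths and the 2048-bit threshold are illustrative defaults, not values from the page.

function Get-WeakCertificate {
    param(
        [string[]] $StorePath = @("Cert:\CurrentUser\My", "Cert:\LocalMachine\My"),
        [int]      $MinKeyBits = 2048
    )
    foreach ($path in $StorePath) {
        Get-ChildItem -Path $path -ErrorAction SilentlyContinue | ForEach-Object {
            $cert = $_
            # Static extension call works on both Windows PowerShell (.NET Framework) and
            # PowerShell 7, for CSP and CNG keys alike; returns $null for non-RSA keys (e.g. ECDSA).
            $rsa     = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
            $keyBits = if ($rsa) { $rsa.KeySize } else { $null }
            $sigAlg  = $cert.SignatureAlgorithm.FriendlyName   # e.g. sha1RSA, sha256RSA

            $findings = @()
            if ($keyBits -and $keyBits -lt $MinKeyBits) { $findings += "RSA key $keyBits bits (< $MinKeyBits)" }
            if ($sigAlg -match '^sha1')                  { $findings += "signed with $sigAlg" }
            if ($cert.Subject -eq $cert.Issuer)          { $findings += "self-signed (check whether it is a makecert test certificate)" }

            if ($findings) {
                [pscustomobject]@{
                    Store      = $path
                    Subject    = $cert.Subject
                    Thumbprint = $cert.Thumbprint
                    NotAfter   = $cert.NotAfter
                    KeyBits    = $keyBits
                    Signature  = $sigAlg
                    HasKey     = $cert.HasPrivateKey
                    Findings   = $findings -join '; '
                }
            }
        }
    }
}

# Report, oldest expiry first; pipe to Export-Csv to feed the migration inventory.
Get-WeakCertificate | Sort-Object NotAfter | Format-Table -AutoSize
```

Add Cert:\LocalMachine\Root and Cert:\LocalMachine\TrustedPublisher to the store list to catch makecert test roots and code-signing certificates that were installed machine-wide, since those are the ones that keep granting trust long after the build script that created them is gone.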

Limited SAN Support:

makecert has poor support for Subject Alternative Names. Use PowerShell or OpenSSL for multi-domain certificates.

Certificate Stores:

Common store names: My (Personal), Root (Trusted Root), CA (Intermediate), TrustedPeople, TrustedPublisher.

Private Key Files:

.pvk files created by makecert are in a proprietary format. Use pvk2pfx to convert them to the standard PFX (PKCS #12) format.

Not For Production:

Self-signed certificates from makecert should NEVER be used in production. Use proper CA-signed certificates.

Modern Alternatives:

PowerShell New-SelfSignedCertificate (Windows), OpenSSL (cross-platform), step CLI (modern), certbot (Let's Encrypt).

Legacy Documentation:

Original makecert docs (archived): docs.microsoft.com/previous-versions/dotnet/netframework-2.0/bfsktky3(v=vs.80)