
I created a self-signed certificate that I then loaded into the Trusted Root Certification Authorities folder. This certificate acts as a trusted root for websites on my workstation. I am using makecert.exe to create certificates issued from that root certificate for each website and API that I host locally. Everything worked fine, until I imported my staging environment's self-signed trusted root certificate onto my workstation. I now have two certificates whose common names are, indeed, different. From the Issuer property of each certificate in MMC:

CN = MyComp Inc. Root Certificate Authority
CN = MyComp Inc. Root Certificate Authority - Staging

As soon as I imported my staging certificate, makecert.exe started failing with this error:

There are more than one matching certificate in the issuer's Root cert store

Here is the exact makecert.exe command line:

makecert.exe -pe -ss My -sr LocalMachine -n "CN=mysite.local, OU=Development" -is Root -ir LocalMachine -in "MyComp Inc. Root Certificate Authority" -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 -a sha512 -e "01/01/2020" -sky exchange -eku 1.3.6.1.5.5.7.3.1

To my eyes, it seems that makecert.exe is performing a "contains" when it searches for certificates matching the specified common name in the -is parameter, rather than an exact match.

Is there a workaround to this issue? Am I doing something wrong?

NathanAldenSr
  • makecert.exe is a deprecated tool. You should avoid using it in favour of a modern API, CertEnroll, or the certreq.exe tool (with updated INF syntax) – Crypt32 May 09 '15 at 07:45
  • I will take a look at `certreq.exe`, thanks. It doesn't appear quite as friendly as `makecert.exe` with regards to automation (which is how I'm using `makecert.exe`), though. – NathanAldenSr May 09 '15 at 16:28
  • I understand this. However, you should accept the fact that Microsoft retired this product and placed it on the "not recommended for use anymore" list. On the other hand, Microsoft provides a set of APIs (CertEnroll) with which you can create any certificate you want, an updated certreq.exe tool, and the New-SelfSignedCertificate PowerShell cmdlet. Also you may take a look at my PS script: https://gallery.technet.microsoft.com/scriptcenter/Self-signed-certificate-5920a7c6 – Crypt32 May 09 '15 at 16:48
  • Regardless, I'm not really sure what this has to do with my question. `makecert.exe` works fine for generating self-signed certificates for development purposes; I don't use it in production. I am hoping to learn whether I am doing something wrong or whether it is, indeed, a bug in the tool. – NathanAldenSr May 10 '15 at 03:40
  • For what it's worth, I'm running into exactly this problem. I'd be happy to use one of the other tools, but the MS documentation I'm using (https://azure.microsoft.com/en-us/documentation/articles/vpn-gateway-point-to-site-create/) only describes how to do it with makecert.exe. And I'm not enough of a crypto guy to be able to translate the 5000 weird parameters they require into the schema of another tool altogether. – Ken Smith Feb 05 '16 at 18:01
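The following is an added example, not code from the question or its comments. It first reproduces the ambiguity the question describes (a substring search over the Root store returning both the production and the staging root) and then issues the same kind of leaf certificate with the New-SelfSignedCertificate cmdlet mentioned in the comments, selecting the issuer by exact subject and thumbprint so no name matching is involved. It assumes the root certificate's Subject is exactly `CN=MyComp Inc. Root Certificate Authority` and that its private key is present on the workstation.

```powershell
# Added example; assumes the signing root is in Cert:\LocalMachine\Root with a
# CN-only subject and a private key available on this machine.
$rootCn = 'MyComp Inc. Root Certificate Authority'

# 1. What a "contains" search sees: every Root-store certificate whose subject
#    contains the CN. With the staging root imported this returns two entries,
#    which is exactly the ambiguity makecert.exe reports.
$candidates = Get-ChildItem -Path Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like "*CN=$rootCn*" }
"Substring match hits: $(@($candidates).Count)"
$candidates | ForEach-Object { "  $($_.Thumbprint)  $($_.Subject)" }

# 2. Pick the issuer unambiguously: exact subject match plus a private key.
#    (If the root's subject carries more RDNs than CN, select by thumbprint.)
$issuer = @($candidates | Where-Object {
    $_.Subject -eq "CN=$rootCn" -and $_.HasPrivateKey })
if ($issuer.Count -ne 1) {
    throw "Expected exactly one signing root for 'CN=$rootCn', found $($issuer.Count)."
}
$issuer = $issuer[0]
"Using issuer thumbprint: $($issuer.Thumbprint)"

# 3. Issue the leaf. -Signer takes the certificate object itself, so the cmdlet
#    never searches the store by name. The other parameters mirror the makecert
#    flags from the question: TLS server EKU, exchange key, SChannel provider.
$leaf = New-SelfSignedCertificate `
    -Subject 'CN=mysite.local, OU=Development' `
    -DnsName 'mysite.local' `
    -Signer $issuer `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -KeyExportPolicy Exportable `
    -KeySpec KeyExchange `
    -KeyAlgorithm RSA -KeyLength 2048 `
    -HashAlgorithm SHA512 `
    -Provider 'Microsoft RSA SChannel Cryptographic Provider' `
    -NotAfter (Get-Date).AddYears(2) `
    -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.1')

# 4. Confirm the new leaf chains to the intended root and to nothing else.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$null = $chain.Build($leaf)
"Chain:"
$chain.ChainElements | ForEach-Object { "  $($_.Certificate.Subject)" }
```

Step 1 is the diagnostic: if it prints more than one hit, any tool that resolves the issuer by a substring of the name will be ambiguous, regardless of how the leaf is issued afterwards.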

0 Answers