13

I'm trying to create a website which uses SSL with a self-signed certificate.

Here's what I do:

Create authority certificate:

makecert -n "CN=root signing authority" -r -sv root.pvk root.cer

Create target certificate

makecert -r -pe -n "CN=localhost" -b 01/01/2012 -e 01/01/2020 -sky exchange localhost.cer -sv localhost.pvk

Sign the created certificate

makecert -ic root.cer -iv root.pvk -n "CN=localhost" -sv localhost.pvk -pe -sky exchange localhost.cer

Create a certificate with private key inside 

pvk2pfx.exe -pvk localhost.pvk -spc localhost.cer -pfx localhost.pfx

Now, I want to use firefox for debugging website. To do that, I need to import the authority root certificate (root.cer) into the trusted certificate list.

However, when I'm trying to do this, I'm getting following error message:

This is not a certificate authority certificate, so it can't be imported into the certificate authority list.

I've done something similar with fiddler's authority certificate, and it went fine, which means that there's a problem with my process of creating authority certificate.

How do I properly create certificate authority certificates?

Matthew Haugen
  • 12,916
  • 5
  • 38
  • 54
Arsen Zahray
  • 24,367
  • 48
  • 131
  • 224

2 Answers2

13

Maybe you could try adding the -cy authority parameter on the root certificate creation, like that:

makecert -n "CN=root signing authority" -cy authority -r -sv root.pvk root.cer

Thus you declare you are creating an authority certificate and that should do the job.. or at least take you on track =)

I tried myself to create a root certificate using this commandline and to import it into Firefox: I can confirm that if you don't add the "-cy" parameter, Firefox will not consider that a valid root certificate.

Hope that helps!

Luke
  • 821
  • 17
  • 22
  • 1
    Arsen's question is two months old, but I thought it would be useful to reply it anyway =) – Luke Jan 18 '13 at 00:52
  • just a brief side-note to say that windows’ makecert.exe utility cannot set the SubjectAltName field and, since browsers are starting to check this one for HTTPS name validation, this could be a problem when you want to produce SSL/TLS certificates using makecert. There are alternatives like OpenSSL or powershell, though.. For details see https://textslashplain.com/2017/03/10/chrome-deprecates-subject-cn-matching/ – Luke May 03 '17 at 08:04
0

Two of the best and simple help pages:

https://blogs.msdn.microsoft.com/benjaminperkins/2014/05/05/make-your-own-ssl-certificate-for-testing-and-learning/

https://blog.jayway.com/2014/09/03/creating-self-signed-certificates-with-makecert-exe-for-development/

Some examples:

certmgr.exe -add -all -c "benperkmeCA.cer" -s -r localMachine Root

makecert -pe -iv benperkmeCA.pvk -n "CN=benjamin-perkins.me" -eku 1.3.6.1.5.5.7.3.1 -ss my -sr localmachine -sky exchange -ic BenperkmeCA.cer IIS-ServerCert-Benperk.cer


makecert -pe -iv benperkmeCA.pvk -n "CN=benjamin-perkins.me" -eku 1.3.6.1.5.5.7.3.1 -ss my -sr localmachine -sky exchange -ic BenperkmeCA.cer IIS-ServerCert-Benperk.cer

makecert -pe -iv benperkmeCA.pvk -n "CN=benjamin-perkins.me" -eku 1.3.6.1.5.5.7.3.1 -ss my -sr localmachine -sky exchange -ic BenperkmeCA.cer IIS-ServerCert-Benperk.cer

makecert -pe -iv benperkmeCA.pvk -n "CN=benjamin-perkins.me" -eku 1.3.6.1.5.5.7.3.1 -ss my -sr localmachine -sky exchange -ic BenperkmeCA.cer IIS-ServerCert-Benperk.cer
Pit J
  • 169
  • 8