Makecert: a certificate basic constraints extension has not been observed

Question

I'm trying to create a self sign certificate by makecert Here is what I do:

makecert -n "CN=TuyenTk CA, C=VN, ST=Hanoi, L=Hoan Kiem" -cy authority
-h 1 -a sha1 -sv "D:\TuyenTk CA.pvk" -r "D:\TuyenTk CA.cer"


makecert -n "CN=TuyenTk" -ic "D:\TuyenTk CA.cer" -iv "D:\TuyenTk CA.pvk" 
-eku "1.3.6.1.5.5.7.3.3" -cy end -a sha1 -h 0 -sky exchange -pe "D:\TuyenTk.cer"


pvk2pfx -pvk "D:\TuyenTk CA.pvk" -spc "D:\TuyenTk CA.cer" 
-pfx "D:\TuyenTk.pfx" -pi "myPassWord"

The first line is make self sign cert (CA cert), The second line is use CA cert sign other cert, and the last is generate pfx file to sign the exe file.

Though all above 3 commands is reported success, when I double click to TuyenTk CA.cer and TuyenTk.cer, in the Details tab windows tell that the basic constraints is critical. So when I use the TuyenTk.pfx file to sign my exe file, in the Digital Signatures Tab, the certificate is not valid: a certificate basic constraints extension has not been observed

I view cert's details before install it, and after install in trusted root or personal location of cert store, I still see the error.

How can I fix this problem? Thank!

On-topic here, I think, but if you don't get an answer you might try the security or cryptography sites. — Harry Johnston, Jun 23 '15 at 21:58

Drac · Answer 1 · 2015-06-28T10:23:40.007

To create your self-signed root CA certificate, try these options:

    makecert -r -pe -m 1200 -len 2048 -n "CN=TuyenTk CA, C=VN, ST=Hanoi, L=Hoan Kiem" -ss CA -sr CurrentUser -a sha1 -sky signature -cy authority -sv "D:\TuyenTk_CA.pvk" "D:\TuyenTk_CA.cer"

I left off "-h 1" to give you unlimited signing depth in the basic constraints; some SSL packages don't like unlimited path lengths, so you can either have layers of keys or put in "-h 5" or whatever value you feel will serve your needs. Switches I added:

    -pe              Make private key exportable
    -m 1200          Make CA key valid for 100 years (1200 months)
    -ss CA           This key goes into the CA certificate store
    -sr CurrentUser  Certificate store location
    -sky signature   Key type (use for signing)

I also added an underscore (instead of a blank) in the name; may not be necessary, but my certificate files do not have spaces (these utilities can be odd sometimes).

When you import the CA certificate, make sure you do so into the "Trusted Root Certification Authorities\Local Computer" physical store location. For instance, use this from an Admin cmd prompt:

    certutil -addstore -v root "D:\TuyenTk_CA.cer"

These steps worked for me on XP and work today on Windows 7. Hope this helps!

drac

Still have error. Don't know why. I'm using Windows 8.1 Pro 32 bit — NoName, Jul 01 '15 at 13:47
Can you post the steps you've taken and the results at each step? For instance, did the CA cert create? Were you able to install it into your Trusted Root Certification Authorities\Local Computer store? What options did you use to create the CA cert? What options/steps did you follow to create & sign the code-signing cert? What about signing the code (did you use SignTool? What options...?). — Drac, Jul 02 '15 at 00:03
Yes, it create successfully, and I can install it in Trusted Root\Local Computer. I copy your command then paste to command line, but remove the `-ss` and `sr`. Then I install it manualy. I see it in the cert store. Every thing is well, except `basic constraints`. I can use the CA cert to sign other cert, but any cert sign by this CA cert is also `basic constraints` warning — NoName, Jul 04 '15 at 08:47

Makecert: a certificate basic constraints extension has not been observed

1 Answers1