Tuesday, June 02, 2015

Security : Creating self-signed certificates

When you play around a lot with IIS and ADFS and SSL you need certificates and these will normally be self-signed.

You can create them through IIS, but that's a pain (they are only valid for a year), and from Server 2012 R2 onwards ADFS does not run on IIS, so you would be installing IIS simply to create certificates.

I used to use the magic SelfSSL7 but that requires .NET 3.5 which isn't there by default on Server 2012 and upwards. (You could always install it as a role / feature).

So now I use "makecert".

Brock has blogged on this: "makecert and creating ssl or signing certificates" and also "Generating and using a certificate to authorise Azure Automation".

On Windows 8, you'll find makecert inside "Visual Studio Tools" / "Developer Command Prompt for VS2013". Remember to run as Admin.

We see:

C:\>makecert -?

Usage: MakeCert [ basic|extended options] [outputCertificateFile]
Basic Options
 -sk  <keyName>      Subject's key container name; To be created if not present
 -pe                 Mark generated private key as exportable
 -ss  <store>        Subject's certificate store name that stores the output
                     certificate
 -sr  <location>     Subject's certificate store location.
                         <CurrentUser|LocalMachine>.  Default to 'CurrentUser'
 -#   <number>       Serial Number from 1 to 2^31-1.  Default to be unique
 -$   <authority>    The signing authority of the certificate
                         <commercial|individual>
 -n   <X509name>     Certificate subject X500 name (eg: CN=Fred Dews)
 -?                  Return a list of basic options
 -!                  Return a list of extended options

C:\>makecert -!

Usage: MakeCert [ basic|extended options] [outputCertificateFile]
Extended Options
 -tbs <file>         Certificate or CRL file to be signed
 -sc  <file>         Subject's certificate file
 -sv  <pvkFile>      Subject's PVK file; To be created if not present
 -ic  <file>         Issuer's certificate file
 -ik  <keyName>      Issuer's key container name
 -iv  <pvkFile>      Issuer's PVK file
 -is  <store>        Issuer's certificate store name.
 -ir  <location>     Issuer's certificate store location
                         <CurrentUser|LocalMachine>.  Default to 'CurrentUser'
 -in  <name>         Issuer's certificate common name.(eg: Fred Dews)
 -a   <algorithm>    The signature's digest algorithm.
                         <md5|sha1|sha256|sha384|sha512>.  Default to 'sha1'
 -ip  <provider>     Issuer's CryptoAPI provider's name
 -iy  <type>         Issuer's CryptoAPI provider's type
 -sp  <provider>     Subject's CryptoAPI provider's name
 -sy  <type>         Subject's CryptoAPI provider's type
 -iky <keytype>      Issuer key type
                         <signature|exchange|<integer>>.
 -sky <keytype>      Subject key type
                         <signature|exchange|<integer>>.
 -l   <link>         Link to the policy information (such as a URL)
 -cy  <certType>     Certificate types
                         <end|authority>
 -b   <mm/dd/yyyy>   Start of the validity period; default to now.
 -m   <number>       The number of months for the cert validity period
 -e   <mm/dd/yyyy>   End of validity period; defaults to 2039
 -h   <number>       Max height of the tree below this cert
 -len <number>       Generated Key Length (Bits)
                         Default to '2048' for 'RSA' and '512' for 'DSS'
 -r                  Create a self signed certificate
 -nscp               Include Netscape client auth extension
 -crl                Generate a CRL instead of a certificate
 -eku <oid[<,oid>]>  Comma separated enhanced key usage OIDs
 -?                  Return a list of basic options
 -!                  Return a list of extended options

So Brock's command:

makecert -r -pe -n "CN=%1" -b 01/01/2015 -e 01/01/2020 -eku 1.3.6.1.5.5.7.3.1 -sky exchange -a sha256 -len 2048 -ss my -sr localMachine

breaks down as:

-r   = Create a self signed certificate
-pe  = Mark generated private key as exportable
-n   = Certificate subject X500 name
-b   = Start of the validity period
-e   = End of validity period
-eku = Comma separated enhanced key usage OIDs
-sky = Subject key type
-a   = The signature's digest algorithm
-len = Generated Key Length (Bits)
-ss  = Subject's certificate store name that stores the output certificate
-sr  = Subject's certificate store location

I've never used the -eku option.
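An added example, not from this post or from Brock's: a PowerShell wrapper that runs the command above with the same switches and then reads the certificate back from LocalMachine\My to confirm it is what you asked for (SHA-256 signature, 2048-bit key, the Server Authentication EKU 1.3.6.1.5.5.7.3.1, private key attached, not close to expiry). It assumes makecert.exe is on the PATH (a Developer Command Prompt run as Admin) and that the hostname passed as $Subject is a placeholder of your own.

```powershell
param(
    [Parameter(Mandatory)] [string] $Subject,   # e.g. adfs.corp.example (placeholder)
    [string] $NotBefore = (Get-Date).ToString('MM/dd/yyyy'),
    [string] $NotAfter  = (Get-Date).AddYears(2).ToString('MM/dd/yyyy')
)

# id-kp-serverAuth: the EKU OID used in Brock's command
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'

# Same switches as the command above: self-signed, exportable key, SHA-256 signature,
# 2048-bit exchange key, stored in LocalMachine\My so IIS / ADFS can bind it.
& makecert -r -pe -n "CN=$Subject" -b $NotBefore -e $NotAfter `
    -eku $ServerAuthOid -sky exchange -a sha256 -len 2048 -ss my -sr localMachine
if ($LASTEXITCODE -ne 0) { throw "makecert failed with exit code $LASTEXITCODE" }

# Pick the newest cert with that subject and check it against what we asked for
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$Subject" } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $cert) { throw "Certificate CN=$Subject not found in LocalMachine\My" }

$problems = @()
if ($cert.SignatureAlgorithm.FriendlyName -ne 'sha256RSA') {
    $problems += "signature algorithm is $($cert.SignatureAlgorithm.FriendlyName), expected sha256RSA"
}
if ($cert.PublicKey.Key.KeySize -lt 2048) {
    $problems += "key length is $($cert.PublicKey.Key.KeySize) bits, expected at least 2048"
}
# 2.5.29.37 is the Extended Key Usage extension
$eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
$ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
if ($ekuOids -notcontains $ServerAuthOid) {
    $problems += "Server Authentication EKU ($ServerAuthOid) missing"
}
if (-not $cert.HasPrivateKey) { $problems += 'no private key attached' }

# Flag certs that will expire soon (the IIS-generated ones only last a year)
$daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
if ($daysLeft -lt 30) { $problems += "expires in $daysLeft days" }

if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }
else { Write-Host "OK: $($cert.Thumbprint) valid until $($cert.NotAfter) ($daysLeft days left)" }
```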

As per the other link:

makecert.exe -sky exchange -r -n "CN=your certificate's name" -pe -a sha256 -len 2048 -ss My "your certificate's name.cer"

Enjoy!
