CodeBetter.Com

Grant Killian's Blog

No, this has nothing to do with beer -- but maybe it should?

MakeCert Make Me Happy

We're talking about securing web applications in our ITPro class right now, and I thought I should add a little about MakeCert.exe.  If you're developing applications that will use SSL encryption, such as an ecommerce system, it's important to configure your development environment (or at the very least your test environment!) with SSL so you can confirm everything functions properly.  For example, the checkout portion of your ecommerce app will surely be protected with SSL, so your pages will need to be accessed with HTTPS instead of plain old HTTP.  If you don't have an SSL certificate installed on the development server, you're asking for trouble when it comes time to migrate the app.  Tracking Session variables and relative page references can be tricky when switching between HTTP and HTTPS!

The solution is to create a test certificate and use it in your development environment.  Enter MakeCert.exe.  MakeCert is a command line tool that will create a test certificate for you to use in place of a real one.  Of course, you could buy a real certificate to test with, but why spend the $$$ if you don't need to?  The Certificate companies like VeriSign and Thawte all issue test certificates, but the last time I checked they expired after 90 days or so.  Plus, the company adds you to their propaganda email list and may even add you to their phone call solicitation list -- something I try to avoid (as an aside, check out www.mailinator.com for temporary email accounts to fool those email solicitors!  Darrell Norton pointed this out to me several months ago.)

MakeCert lets you avoid all the above problems.  The only negative with MakeCert is that you get a Security dialog box on every new SSL Session, since the test certificate is not from a trusted Certificate Authority.  If it bothers you, you can address this by installing the cert on your local machine; personally, in a dev environment, I like having the dialog popup visually notify me when entering SSL mode.

The version of MakeCert that installed with your Visual Studio .Net might be outdated, but a newer version can be downloaded here: http://download.microsoft.com/download/platformsdk/Update/5.131.3617.0/NT45XP/EN-US/makecert.exe

For details on the command line arguments used to create a local test certificate, check out this succinct page: http://www.inventec.ch/chdh/notes/14.htm.  If you don't feel like following the link, the command is as follows:

makecert -r -pe -n "CN=www.yourserver.com" -b 01/01/2000 -e 01/01/2036 -eku 1.3.6.1.5.5.7.3.1 -ss my -sr localMachine -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12
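
To confirm the command actually produced a usable certificate, the following PowerShell check (an added example, not part of the original post) looks in the store selected by -sr localMachine -ss my and reports whether the certificate matches the flags above. The function name Test-DevSslCertificate is hypothetical, and the subject is the placeholder from the command.

```powershell
# Added example: verify the MakeCert test certificate against the flags used to create it.
# Test-DevSslCertificate is a hypothetical helper name; the subject is the page's placeholder.
function Test-DevSslCertificate {
    param(
        [string]$Subject   = 'CN=www.yourserver.com',      # value passed to -n
        [string]$StorePath = 'Cert:\LocalMachine\My'       # -sr localMachine -ss my
    )
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'                   # value passed to -eku

    $certs = @(Get-ChildItem -Path $StorePath | Where-Object { $_.Subject -eq $Subject })
    if ($certs.Count -eq 0) {
        Write-Warning "No certificate with subject '$Subject' found in $StorePath."
        return
    }

    $ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    foreach ($cert in $certs) {
        # Collect the enhanced key usage OIDs from the certificate's extensions.
        $ekuOids = @($cert.Extensions |
            Where-Object { $_ -is $ekuType } |
            ForEach-Object { $_.EnhancedKeyUsages } |
            ForEach-Object { $_.Value })

        $now = Get-Date
        [pscustomobject]@{
            Thumbprint    = $cert.Thumbprint
            SelfSigned    = ($cert.Subject -eq $cert.Issuer)              # expected with -r
            HasPrivateKey = $cert.HasPrivateKey                           # required for an SSL binding
            ServerAuthEku = ($ekuOids -contains $serverAuthOid)           # expected with -eku
            InValidity    = ($now -ge $cert.NotBefore -and $now -le $cert.NotAfter)
            NotAfter      = $cert.NotAfter                                # set by -e
        }
    }
}

Test-DevSslCertificate | Format-List
```

A result with HasPrivateKey or ServerAuthEku set to False, or no result at all, means the certificate will not be usable for an HTTPS binding on that machine.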

Update: I should also point out Netscape and Mozilla don't like test certificates made with MakeCert!
Happy .Netting!


Comments

tom williams said:

I was taking the MS C# .NET classes at FOSS Training in Kansas City.

After enabling the https for MSIE, I activated the service for certification so other students wouldn't get the popup to accept my https certificate. After this, their (the FOSS training facility) virus detection took our classroom offline. Please point this out to people who want to turn on https service.

-Tom.
# March 1, 2004 5:50 AM

Netscape compatibility said:

Just add the switch "-nscp" to generate a Netscape-compatible certificate.
# March 12, 2004 1:50 PM

Webbeer said:

After running the command line code provided, nothing happens. No certificate appears in the list of "existing certificates" available for use in IIS.

How is the command line to be modified for use?

The link to the website noted does not offer any other assistance.

Help!
# May 1, 2004 3:37 PM

Andy said:

Hi:

Is there a freeware tool to use as an alternative to MakeCert? Something comparable to KeyTool (which is available in the Java world)?

The reason that I am asking is that we want to generate a CSR that we will use to get a certificate from VeriSign, but we can't use MakeCert to do it because MakeCert is fouling up our public key for some reason.

Thanks,

Andy
# May 5, 2004 9:43 AM

Vishwa Rao said:

I am new to makecert. I want to encrypt certain nodes in xml and associate with receiver 1 and another set of nodes in the same xml file and associate with another receiver 2. How to handle this with makecert?
Should I generate two x.509 certificates?
This means while generating certificate I should give different cn names? Then I encrypt with different certificates/keys.  The receiver should identify and authenticate with its cn name, so right certificate can be used to decrypt.
How can this be done?

I have no idea. Can someone help?
# August 2, 2006 12:30 PM

ducnv said:

I want to export file *pvk from CA on Windows 2003 but it's not found. What can I do???

# November 15, 2007 2:19 AM
