2 .\" makecert manual page.
3 .\" Copyright 2003 Motus Technologies
4 .\" Copyright 2004-2005 Novell
6 .\" Sebastien Pouliot (sebastien@ximian.com)
10 MakeCert \- Create X.509 certificates for test purposes
13 .B makecert [options] certificate
15 Create an X.509 certificate using the provided informations. This
16 is useful for testing Authenticode signatures, SSL and S/MIME
21 Specify the certificate serial number.
24 Specify the subject Distinguished Name (DN).
27 Specify the issuer Distinguished Name (DN).
30 Create a self-signed, also called root, certificate.
33 Specify the private key file (.PVK) for the issuer. The private key in the
34 specified file will be used to sign the new certificate.
37 Extract the issuer's name from the specified certificate file - i.e. the
38 subject name of the specified certificate becomes the issuer name of the
42 Use the issuer's name from the specified parameter.
45 Specify the key container name to be used for the issuer.
47 .I "-iky [signature | exchange | #]"
48 Specify the key number to be used in the provider (when used with -ik).
51 Specify the cryptographic provider to be used for the issuer.
53 .I "-ir [localmachine | currentuser]"
54 Specify the provider will search the user or the machine keys containers for
58 Specify the provider type to be used for the issuer.
61 Specify the private key file (.PVK) for the subject. The public part of the
62 key will be inserted into the created certificate. If non-existant the
63 specified file will be created with a new key pair (default to 1024 bits RSA
67 Specify the key container name to be used for the subject.
69 .I "-sky [signature | exchange | #]"
70 Specify the key number to be used in the provider (when used with -sk).
73 Specify the cryptographic provider to be used for the subject.
75 .I "-sr [localmachine | currentuser]"
76 Specify the provider will search the user or the machine keys containers for
80 Specify the provider type to be used for the issuer.
83 Select hash algorithm. Only MD5 and SHA1 algorithms are supported.
86 The date since when the certificate is valid (notBefore).
89 The date until when the certificate is valid (notAfter).
92 Specify the certificate validity period in months. This is added to the
93 notBefore validity date which can be set with -b or will default to the
96 .I "-cy [authority|end]"
97 Basic constraints. Select Authority or End-Entity certificate. Only Authority
98 certificates can be used to sign other certificates (-ic). End-Entity can
99 be used by clients (e.g. Authenticode, S/MIME) or servers (e.g. SSL).
102 Add a path length restriction to the certificate chain. This is only
103 applicable for certificates that have BasicConstraint set to Authority (-cy
104 authority). This is used to limit the chain of certificates than can be
105 issued under this authority.
108 Add some extended key usage OID to the certificate.
110 .I "-p12 pkcs12file password"
111 Create a new PKCS#12 file containing both the certificates (the subject and
112 possibly the issuer's) and the private key. The PKCS#12 file is protected
113 with the specified password. This option is
117 Help (display this help message)
120 Extended help (for advanced options)
123 To create a SSL test (i.e. non trusted) certificate is easy
124 once your know your host's name. The following command will create a
125 test certificate for an SSL server:
130 $ makecert -r -eku 1.3.6.1.5.5.7.3.1 -n "CN=pollux" -sv pollux.pvk pollux.cer
134 In particular in the above example, the parameters used to build this
135 test certificate were:
138 Create a self-signed certificate (i.e. without an hierarchy).
140 .I "-eku 1.3.6.1.5.5.7.3.1"
141 Optional (as sadly most client don't require it). This indicates that
142 your certificate is intended for server-side authentication.
144 .I "-n \"CN=pollux\""
145 Common Name (CN) = Host name. This is verified the SSL client and must
146 match the connected host (or else you'll get a warning or error or
150 The private key file. The key (1024 bits RSA key pair) will be
151 automatically generated if the specified file isn't present.
154 The SSL certificate to be created for your host.
155 .SH KNOWN RESTRICTIONS
156 Compared to the Windows version some options aren't supported (-$, -d, -l,
157 -nscp, -is, -sc, -ss). Also PVK files with passwords aren't supported.
159 Written by Sebastien Pouliot
161 Copyright (C) 2003 Motus Technologies.
162 Copyright (C) 2004-2005 Novell.
163 Released under BSD license.
165 Visit http://lists.ximian.com/mailman/listinfo/mono-devel-list for details.
167 Visit http://www.mono-project.com for details