"makecert.exe -in -eku" - Certificate to Secure Email

Q

How do I use "makecert.exe" to create a new certificate that someone else can use to secure emails?

✍: FYIcenter.com

A

If you want to create a new certificate for someone else to secure emails, you can use the "makecert.exe -is -in -eku" options as shown in this tutorial.

C:\fyicenter>"\Program Files\Microsoft Visual Studio 8\sdk\v2.0\bin\makecert.exe" ^
   -n "CN=john@yourdomain.com" -is TestStore -in "FYIcenter Root CA" ^
   -ss TestStore -e "07/01/2013" -eku 1.3.6.1.5.5.7.3.4 -pe

Succeeded

What the above command does:

  • '-n "CN=john@yourdomain.com"' specifies the name of the owner of the new certificate.
  • '-is TestStore' specifies the issuer store where the issuer's private key and certificate are located.
  • '-in "FYIcenter Root CA"' specifies the issuer name which is the CN of the issuer certificate. This tells the command to sign the new certificate with this issuer's private key, instead of the default "Root Agency".
  • '-ss TestStore' specifies the subject store where the new certificate will be saved.
  • '-e "07/01/2013"' specifies the expiration date of the new certificate.
  • '-eku 1.3.6.1.5.5.7.3.4' specifies that the new certificate is for the "Secure Email" purpose only.
  • '-pe' tells the command to make the new private key exportable.

You can verify the result in the certificate store using the "certmgr.msc" tool:

makecert.exe - Signing Certificate to Secure Email
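
The same verification can be scripted instead of done by hand in certmgr.msc. The PowerShell below is an added example, not part of the original tutorial; it assumes makecert's default store location (CurrentUser) for TestStore and that the issuer's full subject is "CN=FYIcenter Root CA". Test-SecureEmailCert is a hypothetical helper name.

```powershell
# Added example: check the certificate created above without opening certmgr.msc.
# Assumption: makecert wrote to the default location, so "-ss TestStore"
# corresponds to Cert:\CurrentUser\TestStore.
$emailOid = '1.3.6.1.5.5.7.3.4'   # "Secure Email" OID passed to -eku

function Test-SecureEmailCert {   # hypothetical helper name
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        # Assumption: the root CA was created with this exact subject.
        [string]$ExpectedIssuer = 'CN=FYIcenter Root CA'
    )

    # Collect every OID listed in the Enhanced Key Usage extension, if present.
    $ekuExt = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    $ekuOids = @()
    if ($ekuExt) {
        $ekuOids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
    }

    [pscustomobject]@{
        Subject       = $Cert.Subject
        Issuer        = $Cert.Issuer
        IssuerMatches = ($Cert.Issuer -eq $ExpectedIssuer)      # signed by -in issuer, not "Root Agency"
        NotAfter      = $Cert.NotAfter                          # should reflect the -e date
        Expired       = ($Cert.NotAfter -lt (Get-Date))
        EkuOids       = ($ekuOids -join ',')
        EmailOnly     = ($ekuOids.Count -eq 1 -and $ekuOids[0] -eq $emailOid)
        HasPrivateKey = $Cert.HasPrivateKey                     # key pair stored with the certificate
    }
}

# Report on every certificate in TestStore issued to the subject used in -n.
Get-ChildItem Cert:\CurrentUser\TestStore |
    Where-Object { $_.Subject -eq 'CN=john@yourdomain.com' } |
    ForEach-Object { Test-SecureEmailCert -Cert $_ }
```

A row with IssuerMatches = False or EmailOnly = False means the certificate was not signed by the intended issuer or carries a different set of purposes than the -eku option requested.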

2012-08-13