How to create certificate authority certificate with makecert?

Arsen Zahray picture Arsen Zahray · Nov 11, 2012 · Viewed 12k times · Source

I'm trying to create a website which uses SSL with a self-signed certificate.

Here's what I do:

Create authority certificate:

makecert -n "CN=root signing authority" -r -sv root.pvk root.cer

Create target certificate

makecert -r -pe -n "CN=localhost" -b 01/01/2012 -e 01/01/2020 -sky exchange localhost.cer -sv localhost.pvk

Sign the created certificate

makecert -ic root.cer -iv root.pvk -n "CN=localhost" -sv localhost.pvk -pe -sky exchange localhost.cer

Create a certificate with private key inside

pvk2pfx.exe -pvk localhost.pvk -spc localhost.cer -pfx localhost.pfx

Now, I want to use firefox for debugging website. To do that, I need to import the authority root certificate (root.cer) into the trusted certificate list.

However, when I'm trying to do this, I'm getting following error message:

This is not a certificate authority certificate, so it can't be imported into the certificate authority list.

I've done something similar with fiddler's authority certificate, and it went fine, which means that there's a problem with my process of creating authority certificate.

How do I properly create certificate authority certificates?

Answer

Luke picture Luke · Jan 16, 2013

Maybe you could try adding the -cy authority parameter on the root certificate creation, like that:

makecert -n "CN=root signing authority" -cy authority -r -sv root.pvk root.cer

Thus you declare you are creating an authority certificate and that should do the job.. or at least take you on track =)

I tried myself to create a root certificate using this commandline and to import it into Firefox: I can confirm that if you don't add the "-cy" parameter, Firefox will not consider that a valid root certificate.

Hope that helps!