Setting Key Usage attributes with Makecert

nlawalker picture nlawalker · Jun 2, 2010 · Viewed 11.1k times · Source

Is it possible to set Key Usage attributes using makecert, or any other tool I can use to generate my own test certificates?

The reason I'm interested is that certificates used for BizTalk Server AS2 transport require a key usage of Digital Signature for signing and Data Encipherment or Key Encipherment for encryption/decryption, and I want to play around with this feature.

I see how to set enhanced key usage attributes with makecert, but not key usage.

Answer

kamranicus picture kamranicus · Mar 22, 2016

While you cannot make a self-signed cert and set the Enhanced Key Usage parameters using makecert I thought I'd save everyone the trouble of trying to use go down the path of using OpenSSL to generate a cert on Windows. Instead, you can use certreq (which is available if you already have makecert) and fashion your own request to set the required parameters.

For example, this sets up a cert with an EKU of Document Encryption (1.3.6.1.4.1.311.80.1) and key usages of Key Encipherment and Data Encipherment.

Create a new file, MyCert.inf:

[Version]
Signature = "$Windows NT$"

[Strings]
szOID_ENHANCED_KEY_USAGE = "2.5.29.37"
szOID_DOCUMENT_ENCRYPTION = "1.3.6.1.4.1.311.80.1"

[NewRequest]
Subject = "[email protected]"
MachineKeySet = false
KeyLength = 2048
KeySpec = AT_KEYEXCHANGE
HashAlgorithm = Sha1
Exportable = true
RequestType = Cert

KeyUsage = "CERT_KEY_ENCIPHERMENT_KEY_USAGE | CERT_DATA_ENCIPHERMENT_KEY_USAGE"
ValidityPeriod = "Years"
ValidityPeriodUnits = "1000"

[Extensions]
%szOID_ENHANCED_KEY_USAGE% = "{text}%szOID_DOCUMENT_ENCRYPTION%"

Just set the Subject to whatever you need.

Then run:

certreq -new MyCert.inf MyCert.cer

This will generate the public key (X509 cert) and install it to your Current User personal store on the machine. You can export it from there if you want.

I used this to generate a certificate for encrypting PowerShell DSC, for testing.

Example cert

For more details: https://technet.microsoft.com/en-us/library/dn296456.aspx#BKMK_New