Monish Nagisetty's Space

Building connectivity on-premise, in the cloud and beyond

Creating Test Certificates with Makecert.exe

If you are developing web services and need to implement WS-Security with X.509 tokens, it is handy to be able to make your own test certificates. Microsoft's WSE 2.0 installation does include a pair of certificates that represent the client and server tokens, but that does not take you far when you need to test multiple WS clients or servers that each require their own certificate. Follow the steps below to create the public and private portions of a certificate. You will need the makecert tool, which ships with VS.NET 2003; if you have VS.NET 2003 installed you already have it, and to use it you just need to open the VS.NET 2003 Command Prompt.

Step 1:

C:\makecert -n "CN=TestPublisher" -sky exchange -sv TestPublisher.pvk TestPublisher.cer

The above command creates a certificate with a subject name of TestPublisher and a key specification of exchange (a key-exchange key, which is what WSE needs to encrypt requests; -sky signature would give you a signing-only key). I named the CN TestPublisher to represent the web service that is going to be published; the client test certificates could be named TestSubscriber1, TestSubscriber2, etc. Since these certs will be used for testing purposes only, I have used generic names. The -sv *.pvk option writes the private key to a file with the name you give; you will need this file later to build the PFX that carries the private key. Lastly, *.cer is the filename of the certificate file, which contains the public portion only. While makecert runs you will be prompted to enter a password to protect the private key file. Since this is a test certificate you can choose none or enter something meaningful, but BE SURE TO RECORD IT SOMEWHERE, because step 3 will ask for it again. Note that with no -r (self-signed) and no -is/-ic (issuer) options, makecert signs the certificate with its built-in test root "Root Agency", whose private key is embedded in makecert itself, so nothing issued this way can be trusted outside a development environment. Once the .cer is created, you may hand it to the test client applications that represent the subscribers of your web services and use it there for request encryption. Refer to the Makecert documentation for a complete listing of the basic and extended options available when generating a test certificate.

Step 2:

c:\cert2spc TestPublisher.cer TestPublisher.spc

This step creates a Software Publishing Certificate (SPC) file, a PKCS #7 container, from your certificate file. An SPC is normally used to sign code that is to be distributed to the public; here it is simply the input format that the tool in the next step expects.

Step 3:

c:\pvkimprt -PFX TestPublisher.spc TestPublisher.pvk

In order to perform this step you will need to download the PVK Digital Certificate Files Importer tool (pvkimprt.exe) from Microsoft. It combines your private key (.pvk) and certificate(s) (.spc) into a PFX (PKCS #12) file, which holds both the certificate and its private key.

When you run the command you are presented with the Certificate Export Wizard. If you set a password on the *.pvk file earlier, you will be prompted for it now. Click Next on the intro window, then:

a. Click Yes, export the private key. (This option will only appear if the private key is marked as exportable and you have access to the private key.)
b. Choose the default Personal Information Exchange - PKCS #12 (.PFX) Leave the other checkboxes unchecked.
c. At this point you can enter a password to protect the PFX; without one, anyone who can read the file has the private key. Since we are generating test certs, you may leave it blank, but then treat the file as carefully as you would the key itself.
d. Specify the filename to export to. For our example, I chose c:\TestPublisher Private.pfx.
e. Voilà! Your PFX file is written and the certificate is also installed into the LOCAL MACHINE\Personal store.
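The three steps above, sequenced for a publisher and several subscribers at once and followed by an inspection of what makecert actually produced. This is an added PowerShell example, not code from the original post; it assumes makecert.exe, cert2spc.exe and pvkimprt.exe are on the PATH (for example, run from the VS.NET 2003 Command Prompt after pvkimprt is installed), and the certificate names are placeholders.

```powershell
# Added example; not code from the original post.
# Sequences the post's three steps for one publisher and several subscriber test certs,
# then inspects each .cer. Assumes makecert.exe, cert2spc.exe and pvkimprt.exe are on the
# PATH; the names below are placeholders. Each tool still shows its own dialog (private
# key password, export wizard), so this script orders the steps rather than hiding them.
param(
    [string[]]$Names  = @('TestPublisher', 'TestSubscriber1', 'TestSubscriber2'),
    [string]  $OutDir = (Get-Location).Path
)

function New-TestCertFiles {
    param([string]$Name, [string]$Dir)
    $pvk = Join-Path $Dir "$Name.pvk"
    $cer = Join-Path $Dir "$Name.cer"
    $spc = Join-Path $Dir "$Name.spc"

    # Step 1: .cer (public part) and .pvk (private key). -sky exchange asks for a
    # key-exchange key, the kind WSE uses to encrypt requests. Without -r or -is/-ic,
    # makecert signs with its built-in "Root Agency" test root.
    & makecert -n "CN=$Name" -sky exchange -sv $pvk $cer
    if ($LASTEXITCODE -ne 0) { throw "makecert failed for $Name" }

    # Step 2: wrap the .cer in an SPC (PKCS #7) container, the input pvkimprt expects.
    & cert2spc $cer $spc
    if ($LASTEXITCODE -ne 0) { throw "cert2spc failed for $Name" }

    # Step 3: pvkimprt opens the Certificate Export Wizard; choose "$Name Private.pfx" there.
    & pvkimprt -PFX $spc $pvk

    return $cer
}

function Get-TestCertInfo {
    # Reads a .cer and reports the fields worth checking before wiring it into a WSE policy.
    param([string]$CerPath)
    $cert = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 `
                       -ArgumentList $CerPath
    [pscustomobject]@{
        File          = Split-Path -Leaf $CerPath
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        NotAfter      = $cert.NotAfter
        HasPrivateKey = $cert.HasPrivateKey            # always False for a bare .cer
        TestRoot      = $cert.Issuer -like '*Root Agency*'
    }
}

foreach ($name in $Names) {
    $cer  = New-TestCertFiles -Name $name -Dir $OutDir
    $info = Get-TestCertInfo -CerPath $cer
    $info | Format-List
    if ($info.TestRoot) {
        Write-Warning "$name is signed by makecert's Root Agency test root; never trust it outside development."
    }
}
```

Save it as, say, Make-TestCerts.ps1 and run `.\Make-TestCerts.ps1 -Names TestPublisher,TestSubscriber1` from the directory where you want the files. The inspection at the end is the part worth keeping around: the TestRoot flag tells you immediately whether a certificate someone handed you came out of makecert's default test root rather than a real CA.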

IMPORTANT
These certificates should be used for development only. DO NOT USE THEM IN PRODUCTION. Test certs have also been known to cause performance problems, so I would advise against using them for performance testing as well; your results may be skewed.

In a future post I hope to show these certificates in use in a web service <-> client scenario. There are a couple of ways to wire the certs in (policy vs. code).

July 14, 2005 - Posted in Security
