Creating a Self Signed Certificate in Windows

This is a short guide on how to create a self signed certificate in Windows and store it in files. There are many similar guides available out there, but most of them also import the freshly created certificate into the certificate store. Sometimes I prefer to be able to create a certificate without polluting my certificate store.

In a developer command prompt (or a normal prompt where you have makecert and pvk2pfx in the path) run these commands:

makecert -r -n "CN=www.example.com" -sv cert.pvk cert.cer
pvk2pfx -pvk cert.pvk -spc cert.cer -pfx cert.pfx

Continue reading for an explanation of the commands and switches.

makecert

makecert creates the certificate. When run, it will show a prompt where it is possible to enter a password for the private key of the cert.

Switch  Explanation
-r      Create a self signed certificate.
-n      Set the subject of the certificate (should be prefixed with CN=).
-sv     File to save the generated private key to. Should end in .pvk.
        Finally give the file name of the certificate file. Should end in .cer.

Two files will be created by makecert. The .cer file contains the public information about the certificate and the .pvk file contains the private key. For ease of use, these two can be combined into a pfx file with the pvk2pfx command.

pvk2pfx

pvk2pfx combines the private key and the public information about the certificate into a .pfx file.

Switch  Explanation
-pvk    pvk file with the private key to load.
-spc    Spc file with the public information about the cert – the .cer file from the previous step.
-pfx    Pfx file to create/overwrite.

The pfx file can be loaded into the certificate store (double click on it in Windows Explorer) or used directly from code with the X509Certificate2(string fileName) constructor.

Privacy

Please be aware that the .pvk and .pfx files contain the private key for the certificate. Anyone with access to those files can spoof the identity of the certificate, so handle them appropriately.

To show the information about the certificate to someone else, the .cer file contains everything needed without revealing the private key.
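
An added example (not code from the original post) of using the files directly from code: it loads cert.cer and cert.pfx without touching the certificate store and checks that both describe the same self signed certificate and that only the .pfx carries the private key. The class name CertCheck and the PFX_PASSWORD environment variable are assumptions made for this example.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography.X509Certificates;

static class CertCheck   // hypothetical name, used only in this example
{
    // True when both files describe the same self signed certificate and
    // only the .pfx carries the private key.
    static bool Verify(string cerPath, string pfxPath, string pfxPassword)
    {
        // The .cer file holds only public information; no password is needed.
        using (var publicOnly = new X509Certificate2(cerPath))
        // EphemeralKeySet (.NET Framework 4.7.2+ / .NET Core 2.0+) keeps the
        // private key in memory rather than in a key container on disk.
        using (var withKey = new X509Certificate2(
                   pfxPath, pfxPassword, X509KeyStorageFlags.EphemeralKeySet))
        {
            bool sameCert = string.Equals(
                publicOnly.Thumbprint, withKey.Thumbprint, StringComparison.OrdinalIgnoreCase);
            // makecert -r: the issuer name is identical to the subject name.
            bool selfSigned = withKey.SubjectName.RawData
                .SequenceEqual(withKey.IssuerName.RawData);

            Console.WriteLine("Subject:           " + withKey.Subject);
            Console.WriteLine("Valid until:       " + withKey.NotAfter.ToString("u"));
            Console.WriteLine("Same certificate:  " + sameCert);
            Console.WriteLine("Self signed:       " + selfSigned);
            Console.WriteLine(".cer has key:      " + publicOnly.HasPrivateKey);
            Console.WriteLine(".pfx has key:      " + withKey.HasPrivateKey);

            return sameCert && selfSigned
                && !publicOnly.HasPrivateKey && withKey.HasPrivateKey;
        }
    }

    static int Main(string[] args)
    {
        string cer = args.Length > 0 ? args[0] : "cert.cer";
        string pfx = args.Length > 1 ? args[1] : "cert.pfx";
        // Assumed variable name; leave it unset if the .pfx has no password.
        string password = Environment.GetEnvironmentVariable("PFX_PASSWORD") ?? "";
        return Verify(cer, pfx, password) ? 0 : 1;
    }
}
```

The process exit code is 0 only when all four checks pass, so the program can be used as a quick check before handing the .cer file to someone else.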

2 comments

    1. Yes, if you use the cert for a web server the pfx should be installed on the server. It is not necessary to install the cer on the PC, but if you don’t you will get certificate warnings because the client doesn’t recognize the self signed certificate.
