Makecert: a certificate basic constraints extension has not been observed


I'm trying to create a self-signed certificate with makecert. Here is what I do:

    makecert -n "CN=TuyenTk CA, C=VN, ST=Hanoi, L=Hoan Kiem" -cy authority -h 1 -a sha1 -sv "D:\TuyenTk CA.pvk" -r "D:\TuyenTk CA.cer"

    makecert -n "CN=TuyenTk" -ic "D:\TuyenTk CA.cer" -iv "D:\TuyenTk CA.pvk" -eku "1.3.6.1.5.5.7.3.3" -cy end -a sha1 -h 0 -sky exchange -pe "D:\TuyenTk.cer"

    pvk2pfx -pvk "D:\TuyenTk CA.pvk" -spc "D:\TuyenTk CA.cer" -pfx "D:\TuyenTk.pfx" -pi "myPassWord"

The first line makes the self-signed cert (the CA cert), the second line uses the CA cert to sign another cert, and the last one generates the pfx file used to sign the exe file.

Though all 3 commands above are reported as successful, when I double-click TuyenTk CA.cer and TuyenTk.cer, in the Details tab Windows tells me that the basic constraints are critical. So when I use the TuyenTk.pfx file to sign my exe file, in the Digital Signatures tab the certificate is not valid: a certificate basic constraints extension has not been observed

I viewed the cert's details before installing it, and after installing it in the Trusted Root or Personal location of the cert store I still see the error.

How can I fix this problem? Thanks!


To create your self-signed root CA certificate, try these options:

    makecert -r -pe -m 1200 -len 2048 -n "CN=TuyenTk CA, C=VN, ST=Hanoi, L=Hoan Kiem" -ss CA -sr CurrentUser -a sha1 -sky signature -cy authority -sv "D:\TuyenTk_CA.pvk" "D:\TuyenTk_CA.cer"

I left off "-h 1" to give you unlimited signing depth in the basic constraints; some SSL packages don't like unlimited path lengths, so you can either have layers of keys or put in "-h 5" or whatever value you feel will serve your needs. Switches I added:

    -pe              Make private key exportable
    -m 1200          Make CA key valid for 100 years (1200 months)
    -ss CA           This key goes into the CA certificate store
    -sr CurrentUser  Certificate store location
    -sky signature   Key type (use for signing)

I also added an underscore (instead of a blank) in the name; it may not be necessary, but my certificate files do not have spaces (these utilities can be odd sometimes).

When you import the CA certificate, make sure you do so into the "Trusted Root Certification Authorities\Local Computer" physical store location. For instance, use this from an Admin cmd prompt:

    certutil -addstore -v root "D:\TuyenTk_CA.cer"

These steps worked for me on XP and work today on Windows 7. Hope this helps!

  • drac
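To see the two basic-constraints profiles in code rather than in the Details tab, here is an added Go example (not from the question, the answer, or makecert itself) that builds the same CA-plus-end-entity pair with crypto/x509 and applies the check that decides which of the two may go into the signing .pfx. The CommonNames, serial numbers, lifetimes and Ed25519 keys are constructed sample values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// BuildChain mirrors the question's two makecert calls; CommonNames, serials, lifetimes and keys are constructed.
func BuildChain() (caDER, leafDER []byte, err error) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader) // crypto/rand.Reader never fails (Go 1.24+)
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader)
	ca := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "TuyenTk CA"},
		NotBefore: time.Now(), NotAfter: time.Now().AddDate(100, 0, 0), // 100 years, the answer's -m 1200
		BasicConstraintsValid: true, IsCA: true, MaxPathLen: 1, // -cy authority -h 1
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	if caDER, err = x509.CreateCertificate(rand.Reader, ca, ca, caPub, caKey); err != nil {
		return nil, nil, err
	}
	leaf := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "TuyenTk"},
		NotBefore: time.Now(), NotAfter: time.Now().AddDate(1, 0, 0),
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature, // cA=FALSE, i.e. -cy end
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}, // -eku 1.3.6.1.5.5.7.3.3
	}
	leafDER, err = x509.CreateCertificate(rand.Reader, leaf, ca, leafPub, caKey) // issued by the CA
	return caDER, leafDER, err
}
// CheckCodeSigner is the rule behind the question's error: only an end-entity (cA=FALSE) cert with the code-signing EKU belongs in the .pfx.
func CheckCodeSigner(certDER []byte) error {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return err
	}
	if cert.IsCA { // basicConstraints cA=TRUE: this is what the question's pvk2pfx call packaged
		return errors.New("CA certificate, not a signing certificate (basic constraints cA=TRUE)")
	}
	for _, u := range cert.ExtKeyUsage {
		if u == x509.ExtKeyUsageCodeSigning {
			return nil
		}
	}
	return errors.New("no code-signing EKU (1.3.6.1.5.5.7.3.3)")
}
```

Running CheckCodeSigner over the CA certificate reproduces the rejection from the question, while the end-entity certificate (the one the question's pvk2pfx call should have packaged, together with its own private key) passes.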