This is a short guide on how to create a self signed certificate in Windows and store it in files. There are many similar guides available out there, but most of them also imports the freshly created certificate into the certificate store. Sometimes I prefer to be able to create a certificate without polluting my certificate store.
In a developer command prompt (or a normal prompt where you have
pvk2pfx in the path) run these commands:
makecert -r -n "CN=www.example.com" -sv cert.pvk cert.cer pvk2pfx -pvk cert.pvk -spc cert.cer -pfx cert.pfx
Continue reading for explanation of the commands and switches.
makecert creates the certificate. When run, it will show a prompt where it is possible to enter a password for the private key of the cert.
|-r||Create a self signed certificate.|
|-n||Set the subject of the certificate (should be prefixed with CN=).|
|-sv||File to save the generated private key to. Should end in .pvk.|
|Finally give the file name of the certificate file. Should end in .cer.|
Two files will be created by
makecert. The .cer file contains the public information about the certificate and the .pvk file contains the private key. For ease of use, these two can be combined into a pfx file with the
pvk2pfx combines the private key and the public information about the certificate into a .pfx file.
|-pvk||pvk file with the private key to load.|
|-spc||Spc file with the public information about the cert – the .cer file from the previous step.|
|-pfx||Pfx file to create/overwrite.|
The pfx file can be loaded into the certificate store (double click on it in the windows explorer) or used directly from the code with the
X509Certificate2(string fileName) constructor.
Please be aware that the .pvk and .pfx files contains the private key for the certificate. Anyone with access to those files can spoof the identity of the certificate, so handle them appropriately.
To show the information about the certificate to someone else, the .cer file contains everything needed without revealing the private key.