Monday, October 29, 2007

Creating an X.509 Certificate for Testing

In order to create a self-signed X.509 Certificate that you can use in Visual Studio 2005, you need to use the makecert.exe and pvk2pfx.exe tools in "C:\Program Files\Microsoft Visual Studio 8\Common7\Tools\Bin\".

First open a command prompt and type the following command:

makecert.exe -r -pe -n "CN=X500 Name" -sky exchange -sv PrivateKey.pvk Certificate.cer

Where the following apply:

• "CN=X500 Name" is the X.500 name of the server
• "PrivateKey.pvk" is the filename that will contain the private key
• "Certificate.cer" is the filename that will contain the certificate with the public key. Note that this file is by default a DER encoded binary X.509 certificate

To create a PFX file containing the private key that you can then use with the certificate inside your Visual Studio 2005 project, type the following command:

pvk2pfx.exe -pvk PrivateKey.pvk -spc Certificate.cer -pfx PrivateKeyForVS.pfx

This creates a Personal Information Exchange (PFX) file called PrivateKeyForVS.pfx. This PFX file contains both your public and private key. By including this file in your Visual Studio project you can then sign your communications.

The certificate can be used as is from .NET 2.0+ to create an X509Certificate2, but if you need to embed it in an XML file, then you'll need to convert it to a Base-64 encoded X.509 certificate first.

I'm sure there's another way to do this, but the solution that I have that works is as follows:


File/Add-Remove Snap-In

Click Add

Select Certificates and click Add

Select Computer Account and click Next

Select Local Computer and click Finish

Click Close

Click OK

Expand the Certificates (Local Computer) node until the Personal node is visible

Right-click on the Personal node, select All Tasks and then Import…

Click Next, and on the next screen, Browse for the certificate file that you need to convert. Several formats are available for import.

Click Next, and on the next screen, confirm that the certificate will be placed in the Personal store.

Click Next, and then review the summary screen before clicking Finish. The Certificate Import Wizard will confirm that “The import was successful”. The imported certificate will now appear under the Certificates (Local Computer) Personal Certificates node. Right-click on the certificate and select All Tasks, then Export…

Click Next, and on the subsequent screen, select the File Format as Base-64 encoded X.509 (.CER)

Click Next, and on the next screen Browse and select a suitable location for the exported certificate

Click Next, and then review the summary screen before clicking Finish. The Certificate Export Wizard will confirm that “The export was successful”. You can now safely delete the certificate from the Personal store by right-clicking on the certificate and selecting Delete.

If you open the exported certificate in Notepad (or equivalent), you will see something similar to:


Copy and paste the code between the BEGIN CERTIFICATE and END CERTIFICATE lines into the appropriate place in your XML file. I hope this helps someone, as I had to research this from several different places across the web.
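The MMC import/export round trip above is only doing one thing: re-encoding the DER bytes that makecert wrote as Base-64 between BEGIN CERTIFICATE and END CERTIFICATE lines. The following added example (not from the original post, and not a Microsoft tool) does that conversion directly with the Python standard library, checks first that the input really is a single DER SEQUENCE (an X.509 certificate is always one outer SEQUENCE), and produces the single-line Base-64 value that belongs in the XML file. The sample bytes are a constructed DER SEQUENCE used only to exercise the code; they are not a real certificate.

```python
import base64
import sys
import textwrap
from typing import Optional

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"


def der_length(data: bytes) -> Optional[int]:
    """Return the total encoded length of the outer DER SEQUENCE in data, or None if malformed."""
    if len(data) < 2 or data[0] != 0x30:  # 0x30 is the DER tag for SEQUENCE
        return None
    first = data[1]
    if first < 0x80:  # short form: the byte is the content length
        return 2 + first
    n = first & 0x7F  # long form: n bytes of big-endian length follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        return None
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def is_der_certificate(data: bytes) -> bool:
    """True when data is exactly one well-formed DER SEQUENCE (the binary .cer makecert writes)."""
    return der_length(data) == len(data)


def is_pem_certificate(data: bytes) -> bool:
    """True when data already carries the Base-64 BEGIN/END CERTIFICATE delimiters."""
    text = data.decode("ascii", errors="ignore")
    return PEM_HEADER in text and PEM_FOOTER in text


def der_to_pem(der: bytes) -> str:
    """Encode DER bytes as a PEM block, 64 characters per line, like the MMC Base-64 export."""
    if not is_der_certificate(der):
        raise ValueError("input is not a single DER SEQUENCE")
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(textwrap.wrap(b64, 64))
    return f"{PEM_HEADER}\n{body}\n{PEM_FOOTER}\n"


def pem_to_der(pem: str) -> bytes:
    """Decode the Base-64 text between the BEGIN and END CERTIFICATE lines back to DER."""
    lines = [line.strip() for line in pem.splitlines()]
    if PEM_HEADER not in lines or PEM_FOOTER not in lines:
        raise ValueError("missing PEM delimiters")
    start = lines.index(PEM_HEADER) + 1
    end = lines.index(PEM_FOOTER)
    return base64.b64decode("".join(lines[start:end]), validate=True)


def xml_value(data: bytes) -> str:
    """Return the one-line Base-64 certificate value to paste into an XML file.

    Accepts either a DER .cer (makecert's default) or an already Base-64 encoded .cer,
    so the caller does not need to know which format the file is in.
    """
    if is_pem_certificate(data):
        der = pem_to_der(data.decode("ascii"))
    elif is_der_certificate(data):
        der = data
    else:
        raise ValueError("file is neither a DER nor a Base-64 X.509 certificate")
    return base64.b64encode(der).decode("ascii")


# Constructed test input: SEQUENCE { OCTET STRING of 80 bytes }. Not a real certificate;
# it only has the outer structure the checks above look for.
SAMPLE_DER = b"\x30\x52" + b"\x04\x50" + bytes(range(80))


if __name__ == "__main__":
    # Usage: python der2pem.py Certificate.cer  (prints the PEM block to stdout)
    with open(sys.argv[1], "rb") as fh:
        raw = fh.read()
    print(der_to_pem(pem_to_der(raw.decode("ascii")) if is_pem_certificate(raw) else raw), end="")
```

Because xml_value accepts both encodings, it can be pointed at the file makecert wrote directly, without the import/export detour; the DER length check also catches a truncated or padded .cer before it ends up in a config file.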


Anonymous said...

Many thanks for this recipe!
I spent 2 days because I didn't know about this key "-sky exchange"

Sam said...

Thank you very much. It helped me a lot.