Make a self-signed SHA256 SSL certificate
This article has been moved to its new home here: https://benperk.github.io/msdn/2015/2015-12-make-a-self-signed-sha256-ssl-certificate.html
I wrote an article about making an SSL certificate using MAKECERT here, but that example used the default SHA1 signature hash algorithm, which is being deprecated. Therefore, instead of the command shown in Figure 6 of the referenced article, I recommend using this command, which includes the SHA256 attribute, as shown in Figure 1:
makecert -a SHA256 -pe -iv benperkmeCA.pvk -n "CN=benjamin-perkins.me" -eku 1.3.6.1.5.5.7.3.1 -ss my -sr localmachine -sky exchange -ic BenperkmeCA.cer IIS-ServerCert-Benperk.cer
Figure 1, make a self-signed certificate with a stronger SHA hash algorithm
The MAKECERT tool is discussed here, where you can see that it supports numerous signature algorithms. The executable itself is included in the Windows XP Server Tools package. You might want to do some searching around for it and get it from there.
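One way to confirm that the certificate really was signed with SHA256, shown here as an added example that is not part of the original article. It reads the LocalMachine\My store that the command in Figure 1 writes to; the function name Test-CertSignatureHash is hypothetical and the list of weak OIDs is limited to the common MD5 and SHA1 RSA signature algorithms.

```powershell
# Added example: report the signature hash of certificates in the store that
# the makecert command writes to (-ss my -sr localmachine).
# Test-CertSignatureHash is a hypothetical helper name, not a built-in cmdlet.
function Test-CertSignatureHash {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    begin {
        # Signature algorithm OIDs that rely on a deprecated hash.
        $weakOids = @{
            '1.2.840.113549.1.1.4' = 'md5RSA'
            '1.2.840.113549.1.1.5' = 'sha1RSA'
            '1.3.14.3.2.29'        = 'sha1RSA (OIW)'
        }
        $serverAuthOid = '1.3.6.1.5.5.7.3.1'   # the -eku value used in Figure 1
    }
    process {
        $sigOid = $Certificate.SignatureAlgorithm.Value

        # Collect the EKU OIDs so the server certificate can be told apart from the CA.
        $ekuOids = @()
        foreach ($ext in $Certificate.Extensions) {
            if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
                foreach ($oid in $ext.EnhancedKeyUsages) { $ekuOids += $oid.Value }
            }
        }

        [pscustomobject]@{
            Subject            = $Certificate.Subject
            Issuer             = $Certificate.Issuer
            SignatureAlgorithm = $Certificate.SignatureAlgorithm.FriendlyName
            SignatureOid       = $sigOid
            WeakHash           = $weakOids.ContainsKey($sigOid)
            ServerAuthEku      = $ekuOids -contains $serverAuthOid
            Thumbprint         = $Certificate.Thumbprint
        }
    }
}

# List every certificate in the store, with MD5/SHA1-signed ones sorted first.
Get-ChildItem -Path Cert:\LocalMachine\My |
    Test-CertSignatureHash |
    Sort-Object WeakHash -Descending |
    Format-Table Subject, SignatureAlgorithm, WeakHash, ServerAuthEku -AutoSize
```

A row with WeakHash set to True for the new certificate means the -a SHA256 option was not honored by the MAKECERT version in use.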
Comments
Anonymous
February 04, 2016
Hi Patrice, I am not able to reproduce that. It did work for me. Let me see if I can find a reproduction of that.
Anonymous
September 08, 2016
Will Windows 2012+ and therefore IIS support self-signed certs for SHA-1 after Jan 1st 2017?
- Anonymous
February 08, 2017
Your internal PKI hierarchy may continue to use SHA1; however, it is a security risk and diligence should be taken to move to SHA256 as soon as possible. from https://blogs.technet.microsoft.com/askds/2015/10/26/sha1-key-migration-to-sha256-for-a-two-tier-pki-hierarchy/
Anonymous
September 21, 2016
This happens if you copy the command from this page. The dash symbol used on the webpage is not the actual - character used if you type it. So copy the command into notepad or something, then replace all of the - here by actually typing the minus character.
- Anonymous
September 21, 2016
Actually there are other characters that are wrong too, probably should just manually retype rather than try to copy/paste.
Anonymous
September 23, 2016
Hi Patrice, The error you see "Error: Too many parameters" can be fixed by replacing all hyphens with minus signs in your command prompt. This forum post describes this fix in greater detail: http://stackoverflow.com/questions/30202815/how-to-solve-too-many-parameters-error-when-using-makecert
Anonymous
October 10, 2016
I can't make the certificate for IIS.
D:>makecert -pe -iv tempsslCA.pvk -n "CN=sertempsslCA" -eku 1.3.6.1.5.5.7.3.1 -ss my -sr localmachine -sky exchange -ic tempsslCA.cer IIS-ServerCert-tempssl.cer
Error: Save encoded certificate to store failed => 0x5 (5)
Failed
I got this error while creating the IIS certificate. Please reply to me soon...
- Anonymous
October 18, 2016
@Sohil, did you open the command prompt as an administrator?
Anonymous
May 22, 2017
No support for sha256:... -a The signature algorithm . Default to 'md5'