Create a Self-Signed Server Certificate

Creating a Self-Signed Server Certificate

The Certificate Creation tool generates X.509 certificates for testing purposes only. It creates a public and private key pair for digital signatures and stores it in a certificate file. This tool also associates the key pair with a specified publisher’s name and creates an X.509 certificate that binds a user-specified name to the public part of the key pair.

Makecert.exe includes basic and extended options. Basic options are those most commonly used to create a certificate. Extended options provide more flexibility.


makecert [options] outputCertificateFile

You can find a description of all of the command line options for Makecert here.


makecert -r -pe -n "" -eku -b 05/09/2012 -e 01/01/2059 -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 -sv

Download the makecert tool here.

To create a certificate using inetmgr

You can use either Internet Information Services (IIS) Manager or the command-line Certificate Creation Tool (makecert.exe) to create a self-signed server certificate.

  1. Click Start, and then click Run.
  2. Type inetmgr, and then click OK.
  3. In the left pane, click your server name to select it.
  4. In the main pane, double-click Server Certificates under the IIS section.
  5. In the Actions pane, click Create Self-Signed Certificate.
  6. In Specify a friendly name for the certificate, type a friendly name, and then click OK. The newly created certificate is listed in the main pane.
  7. Close IIS Manager.

Export the Certificate

If you created the certificate using makecert.exe, you can use the certificate file. However, if you created the certificate using IIS Manager, you must export it to a file before you can import it into the Windows Certificate Store.

To export the certificate

  1. Click Start, and then click Run.
  2. Type certmgr.msc, and then click OK.
  3. In the left pane, expand Trusted Root Certification Authorities or Personal, and then expand Certificates.
  4. In the main pane, locate the certificate using the Friendly Name column.
  5. Right-click the certificate, point to All Tasks, and then click Export.
  6. Click Next.
  7. Select No, do not export the private key, and then click Next.
  8. Select DER encoded binary X.509 (.CER), and then click Next.
  9. Type the location and the file name for the certificate, and then click Next. The certificate extension is .cer.
  10. Click Finish.
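
The export steps above can also be scripted and the resulting file checked. The following is an added example, not part of the original page: it uses the PowerShell PKI cmdlets New-SelfSignedCertificate and Export-Certificate in place of makecert.exe and IIS Manager, and the friendly name, DNS name and output path are assumptions.

```powershell
# Assumed values for illustration only.
$friendlyName = 'Test Server Cert (example)'
$cerPath      = Join-Path $env:TEMP 'test-server.cer'

# Create a throwaway self-signed certificate in the current user's Personal store.
# The cmdlet's default certificate type is SSLServerAuthentication.
$cert = New-SelfSignedCertificate -DnsName 'server.example.test' `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -FriendlyName $friendlyName `
    -NotAfter (Get-Date).AddYears(1)

# Scripted form of the export wizard: public certificate only, DER-encoded .cer.
Export-Certificate -Cert $cert -FilePath $cerPath -Type CERT | Out-Null

function Test-ExportedServerCert {
    param([Parameter(Mandatory)][string]$Path)

    $c = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($Path)

    # Collect the OIDs listed in the Enhanced Key Usage extension, if present.
    $ekuOids = @($c.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        ForEach-Object { $_.Value })

    [pscustomobject]@{
        Subject       = $c.Subject
        SelfSigned    = ($c.Subject -eq $c.Issuer)           # issuer equals subject
        HasPrivateKey = $c.HasPrivateKey                     # must be False for a .cer
        ServerAuthEku = ($ekuOids -contains '1.3.6.1.5.5.7.3.1')  # Server Authentication
        NotAfter      = $c.NotAfter
        Thumbprint    = $c.Thumbprint
    }
}

$result = Test-ExportedServerCert -Path $cerPath
$result | Format-List

# Stop if the file that is about to be distributed carries key material.
if ($result.HasPrivateKey) { throw "Exported file $cerPath contains a private key." }
if ($result.NotAfter -lt (Get-Date)) { throw "Certificate in $cerPath has expired." }

# Remove the throwaway test certificate from the store when finished.
Remove-Item -Path ("Cert:\CurrentUser\My\" + $cert.Thumbprint)
```

Test-ExportedServerCert can be pointed at any .cer file, including one produced by the wizard steps above, to confirm that it holds only the public certificate before it is imported elsewhere.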