Create certificates via commands for testing purposes

I used the following commands to generate some certificates for testing purposes without building a certificate server:

Create a self-signed root authority


Run the command to create a self-signed root authority certificate and export the private key:

makecert -n "CN=TempCA" -r -sv TempCA.pvk TempCA.cer

(A dialog box will pop up asking you to provide the password for the private key. Two files will be generated: TempCA.pvk and TempCA.cer.)

Install the root certificate TempCA.cer into the Trusted Root Certification Authorities store



certmgr.exe -add -all -c "tempca.cer" -s -r localMachine Root

Create certificates


Server authentication certificate (e.g. for IIS):

makecert -pe -iv TempCA.pvk -n "CN=[your common name]" -eku 1.3.6.1.5.5.7.3.1 -ss my -sr localmachine -sky exchange -ic TempCA.cer iis.cer

Client authentication certificate (e.g. for IE):

makecert -pe -iv TempCA.pvk -n "CN=[your common name]" -eku 1.3.6.1.5.5.7.3.2 -ss my -sr CurrentUser -sky exchange -ic TempCA.cer user.cer

NOTE: Neither iis.cer nor user.cer contains the private key. Therefore, if you want to use these certificates on a machine other than the one where you ran the above commands, you need to export them together with their private keys from this machine's certificate store and import them on the other machine.

Get the SHA1 hash of the certificate



certmgr -c -s -r localMachine MY

Create SSL binding for http.sys 


netsh http add sslcert ipport=[ip:port] certhash=[hash value] appid={4dc3e181-e14b-4a21-b022-59fc669b0914} certstorename=MY

Here [hash value] is the certificate's SHA1 hash (thumbprint) with the spaces removed from the hash string.

appid is your application ID. I use the IIS ID here.
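An added example, not part of the original post: a PowerShell script that does the thumbprint clean-up and the netsh binding described above, and first checks the conditions that commonly make the binding fail (certificate not in LocalMachine\My, no private key, no server authentication EKU, TempCA not trusted). The parameter names and the `0.0.0.0:443` default for ipport are assumptions; the appid default is the one used in the post.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell prompt.
param(
    # Thumbprint as pasted from the certmgr output; spaces are allowed.
    [Parameter(Mandatory = $true)][string]$Thumbprint,
    [string]$IpPort = '0.0.0.0:443',                            # assumption: all addresses, port 443
    [string]$AppId  = '{4dc3e181-e14b-4a21-b022-59fc669b0914}'  # appid used in the post
)

# Strip spaces and any invisible characters picked up by copy/paste, then validate.
$hash = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($hash.Length -ne 40) { throw "Expected 40 hex digits (SHA1), got $($hash.Length)" }

# The binding needs the certificate in LocalMachine\My, together with its private key.
$cert = Get-Item -Path "Cert:\LocalMachine\My\$hash" -ErrorAction SilentlyContinue
if (-not $cert) { throw "No certificate $hash in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate $hash has no private key in this store" }

# If an EKU extension is present, it must allow server authentication.
$serverAuth = '1.3.6.1.5.5.7.3.1'
$eku = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
}
if ($eku -and ($eku.EnhancedKeyUsages.Value -notcontains $serverAuth)) {
    throw "Certificate EKU does not include server authentication ($serverAuth)"
}

# Confirm the chain ends at a trusted root (TempCA must be in the Root store).
# The makecert commands in the post add no CRL location, so revocation checking is off.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
if (-not $chain.Build($cert)) {
    $why = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    throw "Chain validation failed: $why"
}

# All checks passed: create the http.sys binding.
& netsh http add sslcert "ipport=$IpPort" "certhash=$hash" "appid=$AppId" certstorename=MY
if ($LASTEXITCODE -ne 0) { throw "netsh failed with exit code $LASTEXITCODE" }
"Bound $($cert.Subject) ($hash) to $IpPort"
```

The arguments to netsh are quoted because PowerShell would otherwise parse the braces in the appid value as a script block.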

Bind the web site to port


Use appcmd to create the SSL binding:

appcmd.exe set config -section:system.applicationHost/sites /+"[name='Default Web Site'].bindings.[protocol='https',bindingInformation='*:443:']" /commit:apphost



XinJin from APGC DSI Team

Comments (1)

  1. anonymous says:

    super useful.
