Make a self-signed SHA256 SSL certificate

This article has been moved to its new home here:

I wrote an article about making an SSL certificate using MAKECERT here, but that example used the default SHA1 signature hash algorithm which is deprecating.  Therefore, instead of the command shown in Figure 6 on the referenced article, I recommend using this command, that includes the SHA256 attribute, similar to that shown in Figure 1:

makecert –a SHA256 -pe -iv benperkmeCA.pvk -n "" -eku -ss my -sr localmachine -sky exchange -ic BenperkmeCA.cer IIS-ServerCert-Benperk.cer

Figure 1, make a self signed certificate with stronger SHA hash algorithm

The MAKECERT tool is discussed here, where you can see that it supports numerous signature algorithms.  The executable itself is included in the Windows XP Server Tools package.  You might want to do some searching around for it and get it from there.

Comments (11)

  1. Patrice says:

    the command line does'nt work, says there is too much argument

    1. Daniel says:

      “the command line does’nt work, says there is too much argument”

      You problably have a dublicate of some argument, check if you got – SHA1 in your string.

  2. Hi Patrice, I am not able to reproduce that.  It did work for me.  Let me see if I can find a reproduction of that.

  3. Anon says:

    Will Windows 2012+ and therefore IIS support *self-signed certs* for SHA-1 after Jan 1st 2017 ?

    1. Adam says:

      Your internal PKI hierarchy may continue to use SHA1; however, it is a security risk and diligence should be taken to move to SHA256 as soon as possible.


  4. Griffin Pope says:

    This happens if you copy the command from this page. The dash symbol used on the webpage is not the actual – character used if you type it. So copy the command into notepad or something, then replace all of the – here by actually typing the minus character.

    1. Griffin Pope says:

      Actually there are other characters that are wrong too, probably should just manually retype rather than try to copy/paste.

  5. Lee says:

    Hi Patrice,

    The error you see “Error: Too many parameters” can be fixed by replacing all hyphens with minus signs in your command prompt. This forum post describes this fix in greater detail:

  6. sohil says:

    i can’t make the certificate for IIS.

    D:\>makecert -pe -iv tempsslCA.pvk -n “CN=sertempsslCA” -eku -ss my -sr localmachine -sky exchange -ic tempsslCA.cer IIS-ServerCert-tempssl.cer
    Error: Save encoded certificate to store failed => 0x5 (5)

    i got this error while creating the IIS certificate.
    plz reply me soon…

    1. @Sohil, did you open the command prompt as an administrator?

  7. dirk says:

    No support for sha256:

    -a The signature algorithm
    . Default to ‘md5’

Skip to main content