Is it possible to set Key Usage attributes using makecert, or any other tool I can use to generate my own test certificates?
The reason I'm interested is that certificates used for BizTalk Server AS2 transport require a key usage of Digital Signature for signing and Data Encipherment or Key Encipherment for encryption/decryption, and I want to play around with this feature.
I see how to set enhanced key usage attributes with makecert, but not key usage.
Digital Signature, Data Encipherment and Key Encipherment can be added by using the PowerShell cmdlet New-SelfSignedCertificate. One of the New-SelfSignedCertificate parameters is KeyUsage, where you can add DigitalSignature, DataEncipherment and KeyEncipherment. New-SelfSignedCertificate is described on TechNet (https://technet.microsoft.com/library/hh848633).
Sample:
The sample covers client authentication and server authentication and creates the certificate at the current user store under my.
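As an added example (my own code, not the answerer's sample, which is not reproduced on the page), here is the KeyUsage parameter in use together with the Client Authentication and Server Authentication EKUs the answer mentions, followed by a read-back of the stored certificate so that the Key Usage bits are checked rather than assumed. The subject and friendly name are made-up test values; the parameter names (KeyUsage, KeyUsageProperty, TextExtension, CertStoreLocation, KeyExportPolicy) are the documented ones on the New-SelfSignedCertificate versions that accept them.

```powershell
# Added example: self-signed test certificate whose Key Usage extension carries
# Digital Signature, Key Encipherment and Data Encipherment, with an Enhanced
# Key Usage of Client Authentication (1.3.6.1.5.5.7.3.2) and Server
# Authentication (1.3.6.1.5.5.7.3.1). Subject and friendly name are made-up.
$cert = New-SelfSignedCertificate `
    -Subject 'CN=as2-test.example.local' `
    -FriendlyName 'AS2 test (sign + encrypt)' `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -KeyExportPolicy Exportable `
    -KeyUsage DigitalSignature, KeyEncipherment, DataEncipherment `
    -KeyUsageProperty All `
    -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.1') `
    -NotAfter (Get-Date).AddYears(1)

# Verify: read the Key Usage extension (OID 2.5.29.15) back from the store,
# so a typo in -KeyUsage shows up here instead of later in the AS2 pipeline.
$stored = Get-Item "Cert:\CurrentUser\My\$($cert.Thumbprint)"
$raw    = $stored.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.15' }
$ku     = [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension]::new($raw, $raw.Critical)

$required = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]'DigitalSignature, KeyEncipherment, DataEncipherment'
if (($ku.KeyUsages -band $required) -ne $required) {
    throw "Key usage mismatch: certificate has '$($ku.KeyUsages)'"
}

"Thumbprint : $($stored.Thumbprint)"
"Key usage  : $($ku.KeyUsages) (critical: $($ku.Critical))"
```

The -KeyUsageProperty All setting lets the private key be used for both signing and decryption, which is what an AS2 partner certificate used for both operations needs; if you issue separate signing and encryption certificates, set Sign or Decrypt respectively and narrow -KeyUsage to match.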
MakeCert doesn't let you specify key usage, only extended key usage. I think you need a CA to create a broader certificate.
You can set up your own CA with Ubuntu Server. https://www.digitalocean.com/community/tutorials/how-to-create-a-ssl-certificate-on-apache-for-ubuntu-14-04
You can use the -eku option to specify the key usage to your certificate.
See details here: http://msdn.microsoft.com/en-us/library/aa386968(VS.85).aspx
While you cannot make a self-signed cert and set the Enhanced Key Usage parameters using makecert, I thought I'd save everyone the trouble of trying to go down the path of using OpenSSL to generate a cert on Windows. Instead, you can use certreq (which is available if you already have makecert) and fashion your own request to set the required parameters. For example, this sets up a cert with an EKU of Document Encryption (1.3.6.1.4.1.311.80.1) and key usages of Key Encipherment and Data Encipherment.
Create a new file, MyCert.inf:
Just set the Subject to whatever you need. Then run:
This will generate the public key (X509 cert) and install it to your Current User personal store on the machine. You can export it from there if you want.
I used this to generate a certificate for encrypting PowerShell DSC, for testing.
For more details: https://technet.microsoft.com/en-us/library/dn296456.aspx#BKMK_New
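An added example of the certreq route described above (my own INF and script, not the answerer's MyCert.inf, which is not reproduced on the page): the INF asks for Key Encipherment and Data Encipherment as the Key Usage and Document Encryption as the EKU, certreq self-signs and installs the certificate, and the exported .cer is then parsed to confirm both extensions came out as requested. The subject name and file names are made-up; the INF keys and the CERT_*_KEY_USAGE flag names are the documented certreq ones.

```powershell
# Added example: self-signed certificate via certreq with an INF request.
# Key Usage = Key Encipherment | Data Encipherment, EKU = Document Encryption.
# Subject and file names are made-up test values.
$inf = @'
[Version]
Signature = "$Windows NT$"

[NewRequest]
Subject = "CN=DocEncryptionTest"
KeyLength = 2048
KeySpec = AT_KEYEXCHANGE
HashAlgorithm = sha256
Exportable = TRUE
MachineKeySet = FALSE
RequestType = Cert
KeyUsage = "CERT_KEY_ENCIPHERMENT_KEY_USAGE | CERT_DATA_ENCIPHERMENT_KEY_USAGE"
ValidityPeriod = Years
ValidityPeriodUnits = 1

[Extensions]
2.5.29.37 = "{text}1.3.6.1.4.1.311.80.1"
'@

$infPath = Join-Path $env:TEMP 'DocEncryptionTest.inf'
$cerPath = Join-Path $env:TEMP 'DocEncryptionTest.cer'
Set-Content -Path $infPath -Value $inf -Encoding ASCII

# RequestType = Cert makes certreq self-sign the request, install the result
# in CurrentUser\My and write the public certificate to $cerPath.
certreq.exe -new $infPath $cerPath
if ($LASTEXITCODE -ne 0) { throw "certreq failed with exit code $LASTEXITCODE" }

# Verify what was actually issued by parsing the exported certificate.
$cert   = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($cerPath)
$kuRaw  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.15' }
$ku     = [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension]::new($kuRaw, $kuRaw.Critical)
$ekuRaw = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
$eku    = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]::new($ekuRaw, $ekuRaw.Critical)
$ekuOids = $eku.EnhancedKeyUsages | ForEach-Object { $_.Value }

"Key usage : $($ku.KeyUsages)"
"EKU OIDs  : $($ekuOids -join ', ')"
$flags = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]
if (-not $ku.KeyUsages.HasFlag($flags::KeyEncipherment))  { throw 'KeyEncipherment missing' }
if (-not $ku.KeyUsages.HasFlag($flags::DataEncipherment)) { throw 'DataEncipherment missing' }
if ($ekuOids -notcontains '1.3.6.1.4.1.311.80.1')         { throw 'Document Encryption EKU missing' }
```

KeySpec = AT_KEYEXCHANGE matters with the legacy CSPs certreq uses by default: a key created as AT_SIGNATURE can sign but cannot decrypt, so an encryption-only certificate generated without it would install cleanly and then fail at decryption time.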