andrewabest · November 2, 2021 06:29
diff --git a/CreateCertificateAuthorityCert.bat b/CreateCertificateAuthorityCert.bat
 :: Courtesy of http://www.digitallycreated.net/Blog/38/using-makecert-to-create-certificates-for-development

 :: To see what certificates you currently have on your PC, open MMC (Run->mmc.exe), click "File->Add/Remove Snap-in", select Certificates from the left list, click "Add". Select "My user account", which will mean the snapin will show certificates that are stored specifically for your Windows user account. Select Certificates from the list again and "Add" it, then this time select "Computer account". This snapin will show certificates belonging to the machine specifically, and will apply across all accounts. Press Finish, then OK. I suggest you Save this MMC arrangement, so you can get back to it more easily in the future (File->Save).

 :: Expand "Certificates (Local Computer)\Trusted Root Certification Authorities\Certificates". This folder shows you all the Certificate Authorities that your computer trusts.

 :: So now we need to create our own Certificate Authority certificate. Open the Visual Studio Command Prompt as Administrator. CD to some place you want to store your certificate files. Here's the command for makecert to create your certificate authority, along with an explanation of each of the options you pass to makecert:

 :: Note that CN must match the host name! http://technet.microsoft.com/en-au/library/dd891009.aspx

 "c:\Program Files (x86)\Windows Kits\8.1\bin\x64\makecert.exe" -n "CN=domainnameormachienname" -cy authority -a sha1 -sv "Certificate_Authority_Private_Key.pvk" -r "Certificate_Authority.cer"
         
 ::  -n            : The certificate name. CN stands for Common Name and is the name that 
 ::                  identifies the certificate. For websites, this is their domain name.
 ::  -cy authority : Creates a certificate authority certificate
 ::  -a sha1       : Use the SHA1 algorithm
 ::  -sv           : The private key to use, or create.
 ::  -r            : Create a self-signed certificate (so that you are the root of the certificate chain)
 ::  *.cer         : The filename to export to

 :: You can now install your new certificate authority certificate into the trusted store. To do this, simply go to your MMC console, right click on "Trusted Root Certification Authorities", go "All Tasks", then "Import". Select your new certificate, and when it asks you where to put the certificate, ensure that it goes into "Trusted Root Certification Authorities". Your computer now implicitly trusts all certificates signed by that new certificate authority.
diff --git a/CreateClientCertificate.bat b/CreateClientCertificate.bat
 :: Courtesy of http://www.digitallycreated.net/Blog/38/using-makecert-to-create-certificates-for-development

 :: Now we need to create a client certificate that is signed by our new certificate authority. You can do this one of two ways. The first way is to create a certificate and store it and its private key in the Windows Certificate Store (what you see in MMC). This is how you do that:

 :: Note that CN must match the host name! http://technet.microsoft.com/en-au/library/dd891009.aspx

 "c:\Program Files (x86)\Windows Kits\8.1\bin\x64\makecert.exe" -n "CN=domainnameormachienname" -ic "Certificate_Authority.cer" -iv "Certificate_Authority_Private_Key.pvk" -a sha1 -sky exchange -pe -sr localmachine -ss my "myapp.cer"
         
 ::  -n            : The certificate name. CN stands for Common Name and is the name that 
 ::                  identifies the certificate. For websites, this is their domain name.
 ::  -ic           : The certificate to use as the root authority
 ::  -iv           : The private key of the root authority certificate
 ::  -a sha1       : Use the SHA1 algorithm
 ::  -sky exchange : Create a certificate that can do key exchange
 ::  -pe           : Makes the certificate's private key exportable
 ::  -sr           : The certificate store location to hold the certificate (currentuser or localmachine)
 ::  -ss           : The certificate store name. my is the Personal store
 ::  *.cer         : The filename to export to

 :: It will ask you for the certificate authority's private key's password, so that it can use the private key to sign your certificate. It then will store your certificate (and its private key) in the current user's Personal store. You should be able to see it in MMC. It will also create a copy of the certificate on the hard drive.
diff --git a/CreateCodeSigningCertificate.bat b/CreateCodeSigningCertificate.bat
 :: Courtesy of http://stackoverflow.com/questions/84847/how-do-i-create-a-self-signed-certificate-for-code-signing-on-windows

 makecert -n "CN=domainnameormachienname SPC" -ic Certificate_Authority.cer -iv Certificate_Authority_Private_Key.pvk -a sha1 -sky signature -pe -cy end -sv SPC_Private_Key.pvk SPC.cer
         
 pvk2pfx -pvk SPC_Private_Key.pvk -spc SPC.cer -pfx SPC.pfx

 ::  -n            : The certificate name. CN stands for Common Name and is the name that 
 ::                  identifies the certificate. For websites, this is their domain name.
 ::  -ic           : The certificate to use as the root authority
 ::  -iv           : The private key of the root authority certificate
 ::  -a sha1       : Use the SHA1 algorithm
 ::  -sky signature: Create a certificate that can do code signing
 ::  -pe           : Makes the certificate's private key exportable
 ::  -cy           : Specifies the certificate type. Valid values are end for end-entity and authority for certification authority.
 ::  -sv           : Specifies the subject's .pvk private key file. The file is created if none exists.
 ::  *.cer         : The filename to export to
diff --git a/GetThumbprints.ps1 b/GetThumbprints.ps1
 # This will retrieve a list of all certs and their thumbprints in the LocalMachine certificate store
 # http://technet.microsoft.com/en-us/library/hh847761.aspx here are some examples of usage

 Get-ChildItem -Path cert:\LocalMachine -Recurse | select Subject, FriendlyName, Thumbprint | Format-List
	:: Courtesy of http://www.digitallycreated.net/Blog/38/using-makecert-to-create-certificates-for-development

	:: To see what certificates you currently have on your PC, open MMC (Run->mmc.exe), click "File->Add/Remove Snap-in", select Certificates from the left list, click "Add". Select "My user account", which will mean the snapin will show certificates that are stored specifically for your Windows user account. Select Certificates from the list again and "Add" it, then this time select "Computer account". This snapin will show certificates belonging to the machine specifically, and will apply across all accounts. Press Finish, then OK. I suggest you Save this MMC arrangement, so you can get back to it more easily in the future (File->Save).

	:: Expand "Certificates (Local Computer)\Trusted Root Certification Authorities\Certificates". This folder shows you all the Certificate Authorities that your computer trusts.

	:: So now we need to create our own Certificate Authority certificate. Open the Visual Studio Command Prompt as Administrator. CD to some place you want to store your certificate files. Here's the command for makecert to create your certificate authority, along with an explanation of each of the options you pass to makecert:

	:: Note that CN must match the host name! http://technet.microsoft.com/en-au/library/dd891009.aspx

	"c:\Program Files (x86)\Windows Kits\8.1\bin\x64\makecert.exe" -n "CN=domainnameormachienname" -cy authority -a sha1 -sv "Certificate_Authority_Private_Key.pvk" -r "Certificate_Authority.cer"

	:: -n : The certificate name. CN stands for Common Name and is the name that
	:: identifies the certificate. For websites, this is their domain name.
	:: -cy authority : Creates a certificate authority certificate
	:: -a sha1 : Use the SHA1 algorithm
	:: -sv : The private key to use, or create.
	:: -r : Create a self-signed certificate (so that you are the root of the certificate chain)
	:: *.cer : The filename to export to

	:: You can now install your new certificate authority certificate into the trusted store. To do this, simply go to your MMC console, right click on "Trusted Root Certification Authorities", go "All Tasks", then "Import". Select your new certificate, and when it asks you where to put the certificate, ensure that it goes into "Trusted Root Certification Authorities". Your computer now implicitly trusts all certificates signed by that new certificate authority.
	:: Courtesy of http://www.digitallycreated.net/Blog/38/using-makecert-to-create-certificates-for-development

	:: Now we need to create a client certificate that is signed by our new certificate authority. You can do this one of two ways. The first way is to create a certificate and store it and its private key in the Windows Certificate Store (what you see in MMC). This is how you do that:

	:: Note that CN must match the host name! http://technet.microsoft.com/en-au/library/dd891009.aspx

	"c:\Program Files (x86)\Windows Kits\8.1\bin\x64\makecert.exe" -n "CN=domainnameormachienname" -ic "Certificate_Authority.cer" -iv "Certificate_Authority_Private_Key.pvk" -a sha1 -sky exchange -pe -sr localmachine -ss my "myapp.cer"

	:: -n : The certificate name. CN stands for Common Name and is the name that
	:: identifies the certificate. For websites, this is their domain name.
	:: -ic : The certificate to use as the root authority
	:: -iv : The private key of the root authority certificate
	:: -a sha1 : Use the SHA1 algorithm
	:: -sky exchange : Create a certificate that can do key exchange
	:: -pe : Makes the certificate's private key exportable
	:: -sr : The certificate store location to hold the certificate (currentuser or localmachine)
	:: -ss : The certificate store name. my is the Personal store
	:: *.cer : The filename to export to

	:: It will ask you for the certificate authority's private key's password, so that it can use the private key to sign your certificate. It then will store your certificate (and its private key) in the current user's Personal store. You should be able to see it in MMC. It will also create a copy of the certificate on the hard drive.
	:: Courtesy of http://stackoverflow.com/questions/84847/how-do-i-create-a-self-signed-certificate-for-code-signing-on-windows

	makecert -n "CN=domainnameormachienname SPC" -ic Certificate_Authority.cer -iv Certificate_Authority_Private_Key.pvk -a sha1 -sky signature -pe -cy end -sv SPC_Private_Key.pvk SPC.cer

	pvk2pfx -pvk SPC_Private_Key.pvk -spc SPC.cer -pfx SPC.pfx

	:: -n : The certificate name. CN stands for Common Name and is the name that
	:: identifies the certificate. For websites, this is their domain name.
	:: -ic : The certificate to use as the root authority
	:: -iv : The private key of the root authority certificate
	:: -a sha1 : Use the SHA1 algorithm
	:: -sky signature: Create a certificate that can do code signing
	:: -pe : Makes the certificate's private key exportable
	:: -cy : Specifies the certificate type. Valid values are end for end-entity and authority for certification authority.
	:: -sv : Specifies the subject's .pvk private key file. The file is created if none exists.
	:: *.cer : The filename to export to
	# This will retrieve a list of all certs and their thumbprints in the LocalMachine certificate store
	# http://technet.microsoft.com/en-us/library/hh847761.aspx here are some examples of usage

	Get-ChildItem -Path cert:\LocalMachine -Recurse \| select Subject, FriendlyName, Thumbprint \| Format-List