# PowerShell one-liner: self-signed wildcard certificate for *.clientcert.test in the machine store
New-SelfSignedCertificate -DnsName *.clientcert.test -CertStoreLocation cert:\LocalMachine\My

REM Batch file 1 (run once): self-signed root CA, sha512, 4096-bit exportable key
makecert.exe ^
-n "CN=CARoot" ^
-r ^
-pe ^
-a sha512 ^
-len 4096 ^
-cy authority ^
-sv CARoot.pvk ^
CARoot.cer
REM Package the CA private key and certificate as a password-protected PFX
pvk2pfx.exe ^
-pvk CARoot.pvk ^
-spc CARoot.cer ^
-pfx CARoot.pfx ^
-po Password1

REM Batch file 2: server certificate issued by CARoot; %1 = host name used as CN and file name
REM EKU 1.3.6.1.5.5.7.3.1 = Server Authentication
makecert.exe ^
-n "CN=%1" ^
-iv CARoot.pvk ^
-ic CARoot.cer ^
-pe ^
-a sha512 ^
-len 4096 ^
-b 01/01/2020 ^
-e 01/01/2040 ^
-sky exchange ^
-eku 1.3.6.1.5.5.7.3.1 ^
-sv %1.pvk ^
%1.cer
pvk2pfx.exe ^
-pvk %1.pvk ^
-spc %1.cer ^
-pfx %1.pfx ^
-po Password1

REM Batch file 3: client certificate issued by CARoot; %1 = client name used as CN
REM EKU 1.3.6.1.5.5.7.3.2 = Client Authentication
makecert.exe ^
-n "CN=%1" ^
-iv CARoot.pvk ^
-ic CARoot.cer ^
-pe ^
-a sha512 ^
-len 4096 ^
-b 01/01/2020 ^
-e 01/01/2040 ^
-sky exchange ^
-eku 1.3.6.1.5.5.7.3.2 ^
-sv ClientCert.pvk ^
ClientCert.cer
REM pvk2pfx must reference the files makecert wrote above (ClientCert.*), not %1.*
pvk2pfx.exe ^
-pvk ClientCert.pvk ^
-spc ClientCert.cer ^
-pfx ClientCert.pfx ^
-po Password1
- "You can add these two parameters: -sr LocalMachine ^ and -ss Root ^ to the upcoming command batch file" = add to the MAKECERT command in the .CMD file (not to the end of the file)
- In your CMD files you have "-po Test123". But during the process we enter our own passwords… (so I deleted that line)
- At first I got the impression that I could invent my own "-eku" identifier. I soon learned this is not the case. The OID says something about the use of the certificate:
  - Encrypting File System (1.3.6.1.4.1.311.10.3.4)
  - Code Signing (1.3.6.1.5.5.7.3.3)
  - Secure Email (1.3.6.1.5.5.7.3.4)
  - Smart Card Logon (1.3.6.1.4.1.311.20.2.2)
  - Client Authentication (1.3.6.1.5.5.7.3.2)
  - Server Authentication (1.3.6.1.5.5.7.3.1)
  - IP security IKE intermediate (1.3.6.1.5.5.8.2.2)
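As an added example (not from the original page or its batch files): the same root CA / server / client chain built with New-SelfSignedCertificate, the supported replacement for the deprecated makecert and pvk2pfx, followed by a check that each leaf certificate carries exactly the EKU OID its role needs, which is the point of the EKU list above. It assumes the PKI module on Windows 10 / Server 2016 or later, an elevated prompt, the placeholder output folder C:\certs, and the {text} extension syntax for basic constraints and EKU as documented for certreq/certenroll.

```powershell
# Added example, not the page's own code. Assumptions: PKI module present, elevated
# prompt, placeholder output path C:\certs, names below are placeholders.
$out = 'C:\certs'
New-Item -ItemType Directory -Force -Path $out | Out-Null
$pw = Read-Host -Prompt 'PFX password' -AsSecureString

# Root CA: self-signed, marked as CA via basic constraints, key may sign certs and CRLs.
$ca = New-SelfSignedCertificate -Subject 'CN=CARoot' -KeyAlgorithm RSA -KeyLength 4096 `
    -HashAlgorithm SHA512 -KeyExportPolicy Exportable -KeyUsageProperty Sign `
    -KeyUsage CertSign, CRLSign, DigitalSignature -NotAfter (Get-Date).AddYears(20) `
    -TextExtension @('2.5.29.19={critical}{text}CA=true&pathlength=0') `
    -CertStoreLocation 'Cert:\LocalMachine\My'

# Leaf certificate issued by $ca with exactly one EKU (assumed helper, not a built-in).
function New-LeafCert {
    param([string]$Name, [string]$Eku)
    New-SelfSignedCertificate -Subject "CN=$Name" -Signer $ca -KeyAlgorithm RSA -KeyLength 4096 `
        -HashAlgorithm SHA512 -KeyExportPolicy Exportable -KeyUsage DigitalSignature, KeyEncipherment `
        -NotAfter (Get-Date).AddYears(2) -TextExtension @("2.5.29.37={critical}{text}$Eku") `
        -CertStoreLocation 'Cert:\LocalMachine\My'
}
$server = New-LeafCert -Name 'server.clientcert.test' -Eku '1.3.6.1.5.5.7.3.1'  # Server Authentication
$client = New-LeafCert -Name 'alice'                  -Eku '1.3.6.1.5.5.7.3.2'  # Client Authentication

# Export: .cer (public part) for trust distribution, .pfx (with private key) for the endpoint.
Export-Certificate    -Cert $ca     -FilePath "$out\CARoot.cer" | Out-Null
Export-PfxCertificate -Cert $ca     -FilePath "$out\CARoot.pfx"     -Password $pw | Out-Null
Export-PfxCertificate -Cert $server -FilePath "$out\server.pfx"     -Password $pw | Out-Null
Export-PfxCertificate -Cert $client -FilePath "$out\ClientCert.pfx" -Password $pw | Out-Null

# Check before deploying: does the certificate carry exactly the EKU the role requires?
# A certificate with no EKU extension, or with extra EKUs, is rejected.
function Test-ExactEku {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [string]$Oid)
    $ext = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if (-not $ext) { return $false }
    $oids = @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
    return ($oids.Count -eq 1 -and $oids[0] -eq $Oid)
}
Test-ExactEku -Cert $client -Oid '1.3.6.1.5.5.7.3.2'  # client cert checked against Client Authentication
Test-ExactEku -Cert $server -Oid '1.3.6.1.5.5.7.3.2'  # a server cert must not pass a client-cert check
```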