makecert fails - Error: CryptCertStrToNameW failed

  • Thursday, October 23, 2008 6:07 PM
     
     
    I'm on a Windows Vista system.
    I downloaded the Microsoft SDK in order to be able to make certificates for this application I'm trying to get loaded.

    Based on the installation manual, I type the following command to create a certificate:

    C:\Program Files\Microsoft SDKs\Windows\v6.0\Bin>makecert -n "CN=norcron-develop" -pe -sr localMachine -ss My -a sha1 -sky exchange

    I've had a number of people look at the command and everyone seems to think it is valid.
    However, I get the following error:

    Error: CryptCertStrToNameW failed => 0x80092023 (-2146885597)
    Failed

    There are no other certificates set up currently.
    The makecert version is 6.0.6000.16384

    Help ... I'm stuck.
    Thanks
    Eric 

All Replies

  • Monday, October 27, 2008 1:42 PM
    Moderator
     
     
    The command runs correctly on my version.  Are you running as an admin or a normal user?  You should get a different error if you were running as a normal user and it tries to write the file out.  However if the underlying implementation relies on the same keys that assembly signing does (and I believe it might) then only admins have the necessary privileges to access the keys that you'd need to run it.  In this case you might get the error you're seeing.

    Michael Taylor - 10/27/08
    http://p3net.mvps.org
  • Wednesday, October 29, 2008 5:48 PM
     
     
    I am running as an admin user - that's what is making this so strange.
    What's even stranger is that I did this exact same command (I think) about 4 weeks ago and it worked just fine. This machine never gets used, so nothing should have changed.
    I thought maybe the new certificate was conflicting with the old one, so I cleared out all certificates - still no go.
    I have tried this under different user id's - all admin users and it just will not work.
    I thought the problem might be the '-' in the name, so I removed that - that's not the problem.
    I'm just totally at a loss.
    Eric
    • Edited by ericlimbeek Wednesday, October 29, 2008 5:50 PM
  • Wednesday, October 29, 2008 5:56 PM
    Moderator
     
     

    Do you have UAC enabled?  If so are you explicitly running with the "Run As Administrator" option or are you just running it via your profile (in which case you aren't really an admin)?  Does the event log show anything useful?  Are you running SP1 of Vista?  x86 or x64?

    I'm still leaning toward a security issue because it seems the most likely cause since we know the command works otherwise.  You can try using Process Monitor to monitor the file and registry operations for security issues.  If it doesn't hit anything then it probably isn't security.

    Another thing that perhaps can be causing you problems but which I can't confirm is domain policies.  Are you running on a domain?  If it worked a few weeks back but doesn't now I would also recommend that you look through the restore points and see what has been installed in the last few weeks to see if there is anything that might have changed.

    Michael Taylor - 10/29/08
    http://p3net.mvps.org

  • Thursday, October 30, 2008 3:45 PM
     
     
    What is UAC and how can I check that it is enabled?

    As far as the user goes, when I set it up, one of the options is to set it as an administrator - which I did. I have no idea if this is adequate or not. Are there other ways to set this up that I should be using?
    Where do I check the event log? - I can try the command and then look at it.
    We're running Vista Ultimate with service pack 1 - 32 bit.

    Thanks
    Eric
    • Edited by ericlimbeek Thursday, October 30, 2008 3:49 PM
  • Thursday, November 27, 2008 1:46 PM
     
    Hallo,
    You get this error when the CN contains characters that do not conform to X.500. In your example you use a name such as "CN=norcron-develop". Here the "-" causes the problem. The same also goes for ".", "," and ";". If the user account was created with the character, you'll have to create a new account for that user before the call will work.

    The bad thing about all this is that the operating system won't tell you that when you create the account.
    • Proposed As Answer by rrlagic Wednesday, March 03, 2010 3:17 AM
  • Tuesday, February 03, 2009 7:37 PM
     
    Hi Eric,

    What was the final solution to this problem?

    I'm having the same problem on WinXP.
    I have created a few certificates with this command before this time. But it's not working now!

    CDP
    • Proposed As Answer by Donald Stuber Thursday, September 03, 2009 9:11 PM
  • Thursday, September 03, 2009 9:17 PM
     
     
    Hi All,

    I suffered the same problem attempting to make a ".crl" on my local XP box.  Since I was transferring other certs to our Windows 2008 server anyway, I also copied makecert.exe over as well.  makecert.exe was version 6.0.6000.16384.  Just for grins, I thought I would try

    makecert -crl -n "CN=mycertname" -r -sv mycertname.pvk  mycertname.crl

    It worked!  All told, it failed on XP with the above error, and worked like a charm on Windows Server 2008.

    Don
  • Friday, February 19, 2010 2:46 AM
     
     
    Okay

    I'm running XP Pro SP3, and I'm following the instructions found on this post:
    Help with authenticode test certificate

    I'm running the first command VERBATIM using the makecert 6.0.6000.16384 that is found in the
    "C:\Program Files\Microsoft SDKs\WIndows\6.0a\Bin" folder and I'm getting the exact same error.  I've looked in the localmachine certificate store and the currentuser certificate store and the certificate name is not in existence anywhere.

    Help?

    Thanks
    Jaeden "Sifo Dyas" al'Raec Ruiner

    Exact Command Line:
    makecert -n "CN=QuikWork Systems, LLC" -r -a sha1 -sv QuikWork.Systems.pvk QuikWork.Systems.cer -sr localmachine -ss root -sky signature


    "Never Trust a computer. Your brain is smarter than any micro-chip."
    PS - Don't mark answers on other people's questions. There are such things as Vacations and Holidays which may reduce timely activity, and until the person asking the question can test your answer, it is not correct just because you think it is. Marking it correct for them often stops other people from even reading the question and possibly providing the real "correct" answer.
  • Wednesday, March 03, 2010 3:20 AM
     
     
    You get this error when the CN contains characters that do not conform to X.500.
    I removed comma from CN and got it working.
  • Thursday, September 15, 2011 11:45 PM
     

    I got the same error, my issue was I was copy & pasting the makecert command from a Word doc. The quotes (") around CN as well as the dashes (-) were the issues. Once I manually typed the command in Notepad with proper quotes and dashes it was fine.

    HTH


    • Edited by Umar S Thursday, September 15, 2011 11:45 PM
    • Proposed As Answer by Tesfaye Gari Tuesday, December 06, 2011 5:43 PM
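
An added example, not part of any post in this thread: a Python pre-flight check for the two causes reported in the replies above, a comma inside the CN value and typographic quotes or dashes pasted from a Word document. Error 0x80092023 is CRYPT_E_INVALID_X500_STRING. The check assumes the default CertStrToName parsing, where `,` and `;` separate name components unless the value is enclosed in double quotes; the function names and sample strings are constructed for illustration.

```python
import re
import unicodedata

# Typographic characters that word processors substitute for ASCII " ' and -.
LOOKALIKES = {
    "\u201c": '"', "\u201d": '"', "\u2018": "'", "\u2019": "'",
    "\u2013": "-", "\u2014": "-", "\u2212": "-",
}
# An RDN must start with an attribute key (CN, O, OU, ...) or a dotted OID, then '='.
RDN_KEY = re.compile(r"^[A-Za-z0-9.]+\s*=")


def find_lookalikes(cmdline):
    """Return (offset, Unicode name, ASCII equivalent) for each substituted character."""
    return [(i, unicodedata.name(ch), LOOKALIKES[ch])
            for i, ch in enumerate(cmdline) if ch in LOOKALIKES]


def to_ascii(cmdline):
    """Rewrite the command line with plain ASCII quotes and hyphens."""
    return cmdline.translate(str.maketrans(LOOKALIKES))


def split_rdns(subject):
    """Split on ',' or ';' except inside a double-quoted value ("" toggles twice)."""
    parts, buf, quoted = [], [], False
    for ch in subject:
        if ch == '"':
            quoted = not quoted
        if ch in ",;" and not quoted:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return parts


def check_subject(subject):
    """Return the components that are not key=value, e.g. a value cut at a comma."""
    return [p for p in split_rdns(subject) if not RDN_KEY.match(p)]


if __name__ == "__main__":
    pasted = "makecert -n \u201cCN=mycertname\u201d \u2013r"   # constructed sample
    for offset, name, ascii_ch in find_lookalikes(pasted):
        print(f"offset {offset}: {name}, expected {ascii_ch!r}")
    print(to_ascii(pasted))
    print(check_subject("CN=QuikWork Systems, LLC"))      # ['LLC']
    print(check_subject('CN="QuikWork Systems, LLC"'))    # []
```
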
  • Friday, April 27, 2012 5:43 PM
     
     
    Okay

    I'm running XP Pro SP3, and I'm following the instructions found on this post:
    Help with authenticode test certificate

    I'm running the first command VERBATIM using the makecert 6.0.6000.16384 that is found in the
    "C:\Program Files\Microsoft SDKs\WIndows\6.0a\Bin" folder and I'm getting the exact same error.  I've looked in the localmachine certificate store and the currentuser certificate store and the certificate name is not in existence anywhere.

    Help?

    Thanks
    Jaeden "Sifo Dyas" al'Raec Ruiner

    Exact Command Line:
    makecert -n "CN=QuikWork Systems, LLC" -r -a sha1 -sv QuikWork.Systems.pvk QuikWork.Systems.cer -sr localmachine -ss root -sky signature


    "Never Trust a computer. Your brain is smarter than any micro-chip."
    PS - Don't mark answers on other people's questions. There are such things as Vacations and Holidays which may reduce timely activity, and until the person asking the question can test your answer, it is not correct just because you think it is. Marking it correct for them often stops other people from even reading the question and possibly providing the real "correct" answer.

    Thanks. Your command line works well!