CA for Makecert.exe RRS feed

  • Question

  • I hope this isn't a silly question, but when I generate a key pair using Makecert.exe, what is the Certifying Authority? I.e., how does the person I send a signed message to know that the included certificate is valid?
    Monday, October 3, 2011 12:29 PM

All replies

  • Well, he can't do this, if you use self-generated certificate and there's no CA involved, which would be trusted by the recipient. You would need to get an e-mail certificate from one of well-known CAs. CAs offer such certificates for a very moderate price (I even saw free offerings somewhere).
    Sincerely yours, Eugene Mayevski
    Monday, October 3, 2011 4:27 PM
  • Again, sorry if this is an ignorant question: but a certificate always has to be signed by the CA's Private Key, right?  So if I send someone a message signed by a self-generated certificate, the CA's signature is omitted?

    Monday, October 3, 2011 4:40 PM
  • If the certificate is self-generated, it's self-signed. While integrity of the certificate can still be validated, the attacker can replace the certificate altogether (i.e. create his own self-signed certificate). Still self-signed certificates make sense when you can pass them to the recipient via offline channels before using in message signing.  Then the user can add the certificate to the trusted certs list and check your signatures later.
    Sincerely yours, Eugene Mayevski
    Monday, October 3, 2011 4:56 PM
  • The CA is a authority to build trust between unknown entities. A computer system trust some CAs bound in the operation system already. Any certificate signed by those trusted CA will be trusted. If you create a certificate by MakeCert.exe, It will not be trusted by others immediately. To let that certificate be trusted by your friends, just send the .pfx that contains public key only to them, tell them import it to the trusted certificate store. If you want a certificate be trusted inside a company, you need to build a enterprise CA. If you want it be trusted on the Internet, you need to purchase it from one of well-known CAs.
    Wednesday, October 5, 2011 12:10 AM