How to use makecert to create end certificate without the presence of the authority certificate's pvk file?

  • Question

  • Dear ladies and sirs. Observe this simple batch file:

    makecert -n "CN=MyCA" -sr localmachine -ss root -a sha1 -cy authority -r -sv MyCA.pvk MyCA.cer
    del MyCA.pvk
    del MyCA.cer
    makecert -n "CN=il-mark-lt" -sr localmachine -ss my -cy end -pe -sky exchange -a sha1 -is root -ir localmachine -in MyCA

    However, the last makecert fails with the following error message:

    Error: Fail to acquire a security provider from the issuer's certificate
    

    Now, if I leave the pvk file the last command succeeds, but I do not want to leave it behind! So, how can I still be able to create an end certificate, but without the authority's pvk file?

    Thanks.

    Sunday, February 27, 2011 7:37 PM

Answers

  • I'm not that familiar with makecert. But you do need the private key of the CA cert to create an end entity cert that is issued by that CA. The CA cert's private key is needed to sign the end entity cert.

    In the first command, what happens if you leave off "-sv MyCA.pvk"? I would hope that it still generates a private key and stores it in the usual place and not as a pvk file. Then when you issue the next makecert command, it will find the CA's private key and use it to sign the end entity cert.

     

    Andrew

    • Marked as answer by Markell Monday, February 28, 2011 7:13 AM
    Sunday, February 27, 2011 8:31 PM
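
The approach in the answer above (keep the CA's private key in the Windows key store instead of in a .pvk file), shown as an added example that is not part of the original thread. It uses the New-SelfSignedCertificate cmdlet rather than makecert; the subject names are taken from the question, while the temporary file path, key sizes and SHA256 hash are assumptions.

```powershell
# Added example; run in an elevated session on Windows 10 / Server 2016 or later.
# Uses SHA256 where the question's batch file used sha1 (assumption).

# 1. Create the CA certificate. The private key is generated inside the
#    machine key store and marked non-exportable; no key file is written.
$ca = New-SelfSignedCertificate `
    -Subject 'CN=MyCA' `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -KeyUsage CertSign, CRLSign `
    -KeyExportPolicy NonExportable `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -TextExtension @('2.5.29.19={critical}{text}ca=1&pathlength=0')

# 2. Trust the CA by copying only its public certificate into Root.
$cer = Join-Path $env:TEMP 'MyCA.cer'   # constructed temporary path
Export-Certificate -Cert $ca -FilePath $cer | Out-Null
Import-Certificate -FilePath $cer -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null
Remove-Item $cer                        # public data only; safe to delete

# 3. Issue the end-entity certificate. -Signer takes the CA certificate
#    object; the signing key is reached through the key store.
$leaf = New-SelfSignedCertificate `
    -Subject 'CN=il-mark-lt' `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -Signer $ca `
    -KeyUsage KeyEncipherment, DigitalSignature `
    -KeyExportPolicy Exportable `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256

# 4. Checks: the CA key must still be present in the store (it signs every
#    later certificate), and the leaf must chain to the CA.
if (-not $ca.HasPrivateKey)        { throw 'CA private key is not in the key store' }
if ($leaf.Issuer -ne $ca.Subject)  { throw 'Leaf was not issued by MyCA' }
"Issued $($leaf.Subject) (thumbprint $($leaf.Thumbprint)) under $($leaf.Issuer)"
```

The CA certificate in `Cert:\LocalMachine\My` is what holds the link to the signing key, so access to that store entry should be restricted to the accounts that are allowed to issue certificates.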
