makecert and increasing to 2048 with -len is not working if certificate of same name already exists

  • Question

  • Hi all,

    I am utilizing makecert.exe to manage certificates. I have some old code that has been executed and generates certificates nicely.

    Old code

    makecert.exe -pe -n "CN=CA_CERT_NAME" -r "CA_CERT_NAME.cer" -cy authority -a sha1 -sr localmachine -ss ROOT
    makecert.exe -sk CERT_NAME -ss MY -sky exchange -sr localmachine -n "CN=CERT_NAME" -ic "CA_CERT_NAME.cer" -is ROOT "CERT_NAME.cer" -cy end

    But I have a new requirement to increase size to 2048. So I delete the certificates generated above and run the lines below.

    New Code

    makecert.exe -pe -len 2048 -n "CN=CA_CERT_NAME" -r "CA_CERT_NAME.cer" -cy authority -a sha1 -sr localmachine -ss ROOT
    makecert.exe -len 2048 -sk CERT_NAME -ss MY -sky exchange -sr localmachine -n "CN=CERT_NAME" -ic "CA_CERT_NAME.cer" -is ROOT "CERT_NAME.cer" -cy end

    The CA certificate is fine and has a public key size of 2048 as expected. But the other certificate in the personal store does not reflect this and remains 1024.

    I have noticed

    1. If I change CERT_NAME it picks up the -len 2048 argument and generates a certificate of public key size 2048
    2. If I enter garbage for the -len option (e.g. -len asdf) it will display "Succeeded" and generate the certificate with size of 1024
    3. Newer versions of makecert.exe generate the same

    Finally

    • I am using makecert.exe 5.131.3617.0
    • Changing CERT_NAME is not an option for me

    Thanks for looking

    Carlo

    • Edited by cpangz Tuesday, February 26, 2013 11:24 PM
    Tuesday, February 26, 2013 8:47 AM

Answers

All replies

  • I have found out that removing certificates via certutil, the X509Store class or even simply right click delete does not delete them from Key Storage (http://msdn.microsoft.com/en-us/library/bb204778(v=vs.85).aspx) in %ProgramData%\Microsoft\Crypto\RSA\MachineKeys

    They are simply made not available or displayed.

    So when I try to create them again with an increased size the "cached" certificate in the key store is used but keeping its size.

    Thus I need to "flush" out the cached copy of the certificate. Manually traversing through the folder structure and deleting it works but I prefer a tool that does this automatically.

    Certutil.exe and Certmgr.exe delete them but not from the key store. The X509Store.Remove method has the same results.

    Do I really need to write code to do this?

    Is there any other tool that can clean out the key store?

    Thursday, February 28, 2013 2:49 AM
  • I have found the code to remove the certificate from the machine container:

    http://blog.osamamirza.com/2011/10/create-save-and-delete-rsa-key-from.html

    I can now upgrade the certificate with makecert.exe with the new size by first deleting the older (1024 size) certificate from the machine container.

    So now I am good and the planets have aligned.

    • Marked as answer by cpangz Friday, March 1, 2013 4:32 AM
    Friday, March 1, 2013 4:32 AM
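
    The machine-container cleanup the two replies above describe, as an added PowerShell example (not the thread's own code and not the code from the linked blog): it opens the key container named by makecert's -sk argument, refuses to delete it while a certificate in LocalMachine\My still references it, and otherwise removes it so a rerun of the -len 2048 command creates a fresh key. Assumptions: Windows PowerShell 5.1 on .NET Framework (where X509Certificate2.PrivateKey returns an RSACryptoServiceProvider for CSP keys), an elevated session, and that the container is an RSA CSP key in the machine store as created by -sr localmachine.

```powershell
# Added example, not from the thread or the linked blog. Assumes the key was created by
# makecert with "-sk CERT_NAME -sr localmachine" (an RSA CSP key container in MachineKeys).
Add-Type -AssemblyName System.Security

function Get-MachineRsaContainer {
    param([Parameter(Mandatory)][string]$ContainerName)
    $csp = New-Object System.Security.Cryptography.CspParameters
    $csp.KeyContainerName = $ContainerName
    # UseExistingKey makes the constructor throw instead of silently creating a new key;
    # that is exactly the silent reuse that kept the thread's key at 1024 bits.
    $csp.Flags = [System.Security.Cryptography.CspProviderFlags]::UseMachineKeyStore -bor [System.Security.Cryptography.CspProviderFlags]::UseExistingKey
    try   { New-Object System.Security.Cryptography.RSACryptoServiceProvider($csp) }
    catch [System.Security.Cryptography.CryptographicException] { $null }
}

function Remove-MachineRsaContainer {
    param([Parameter(Mandatory)][string]$ContainerName)
    # Safety check: do not delete a container that a certificate in LocalMachine\My still uses
    $inUse = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and $_.PrivateKey -and
        $_.PrivateKey.CspKeyContainerInfo.KeyContainerName -eq $ContainerName
    }
    if ($inUse) {
        throw "Container '$ContainerName' is still used by: $($inUse.Thumbprint -join ', ')"
    }
    $rsa = Get-MachineRsaContainer $ContainerName
    if (-not $rsa) { Write-Output "No machine key container named '$ContainerName'"; return }
    Write-Output "Deleting container '$ContainerName' ($($rsa.KeySize)-bit RSA key)"
    # With PersistKeyInCsp = $false, Clear() deletes the container file under MachineKeys
    $rsa.PersistKeyInCsp = $false
    $rsa.Clear()
}

# Usage (run elevated): drop the stale container, then rerun the makecert "-len 2048" line
Remove-MachineRsaContainer -ContainerName 'CERT_NAME'
$check = Get-MachineRsaContainer 'CERT_NAME'
if ($check) { "Container still present: $($check.KeySize)-bit" } else { "Container removed" }
```

    After the makecert rerun, calling Get-MachineRsaContainer 'CERT_NAME' again and reading KeySize confirms the new key really is 2048 bits, which is the check the original "Succeeded" output did not give.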
  • I'm very late, but another approach might be to use the -sk parameter to provide a new name for the key container (e.g. -sk LongKey) so that the old key container is ignored.
    Tuesday, October 14, 2014 6:09 PM