"Root Agency" Certificate Corrupted RRS feed

  • Question

  • By default, the makecert utility creates certificates whose root authority is "Root Agency".  For some reason, my Root Agency cert has become corrupted (invalid digital signature).  How can I restore a valid Root Agency cert?

    I tried exporting it and re-importing it, but it is still corrupted.

    Thursday, July 25, 2013 7:59 PM

All replies

  • I have a similar problem

    None of the windows files are showing a valid certificate.

    Some malware went into this system and made the User access control be extra extra annoying, so it's always broken.

    removed one instance of the virus, but it came back up.

    Thursday, July 16, 2015 6:06 AM
  • A security update a few years back added a (necessary) limitation that 512 bit RSA and DH keys are no longer considered valid.  This was necessary to stop some real attacks.

    The "Root Agency" cert used by MakeCert since the mid 1990s is based around a 512 bit RSA key (and is intentionally insecure anyway because everybody has the private key).  For some reason the security update that banned 512 bit keys didn't include a new "Root Agency 2" cert with a longer key.

    So the only workaround is to use different makecert options to create your own personal self-signed "Yourname test root" CA certificate, then use that to sign your own "Yourname test cert".

    Tuesday, March 29, 2016 3:46 PM