5

I need to quickly generate a self signed certificate on a Windows Server. I'd like to use the standard CLI tools that ship with it. I know I can use openssl.

dunxd
  • 9,482
  • 21
  • 80
  • 117
Marinus
  • 227
  • 1
  • 3
  • 10
  • 1
    My guess for the down vote here is that it appears you did little to no research for your question. I just did a simple web search and returned all sorts of results, let alone searching Server Fault for the same thing. – Brent Pabst Aug 03 '12 at 12:42
  • 1
    In fact, generating a self-signed certificate using ONLY those CLI tools which are available on 'vanilla' installations of Windows is not at all obvious. – David Bullock May 23 '13 at 02:27

2 Answers2

9

There is a way of doing it, using just %Windir%\System32\certreq.exe -new in.txt

... where in.txt is an input file in .ini syntax, as described in the documentation for certreq -new

The trick is to set RequestType = Cert. As per the note in the doc:

This option indicates a self-signed or self-issued certificate. It does not generate a request, but rather a new certificate and then installs the certificate.Self-signed is the default.

The doc is almost right ... a new self-signed certificate is installed (as can be verified by using certutil -viewstore). Don't let it confuse you though ... it still insists on throwing up a dialog to let you choose where to save the 'request' ... save it to keep the tool happy, and then delete it later.

David Bullock
  • 791
  • 3
  • 14
  • 20
2

There are all kinds of ways to do this. Next time simply searching the web should provide you with thousands of sites with instructions.

Either way the easiest way to generate certs, for me at least, is just to fire up IIS and use the SSL tools within IIS to request a certificate. Sure there are CLI tools, but the step by step wizard is a piece of cake to use without having to remember formatting.

If you really want to do this via the CLI you can follow these instructions and obtain the makecert tool from Microsoft: http://msdn.microsoft.com/en-US/library/bfsktky3(v=VS.80).aspx

Brent Pabst
  • 6,059
  • 2
  • 23
  • 36
  • 1
    Did not speak to the question at all. Makecert is not a standard CLI tools that ships with Windows servers. – David Bullock May 23 '13 at 02:29
  • @DavidBullock If you bothered to read the entire answer you would see that I posted a link to the tool as well as the help documentation. Since the OP simply asked if it was possible I provided two possible ways as well as documentation on how to do it. I'm glad you posted an additional method as that should also work. – Brent Pabst May 23 '13 at 16:08
  • 2
    the question as stated precludes makecert.exe as an answer, regardless of whether you linked to it or not. – David Bullock May 26 '13 at 03:13