How to find and use makecert.exe

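If the Visual Studio command prompt still does not recognize the makecert.exe command after Visual Studio has been installed, you need to install the Windows Software Development Kit (SDK) manually.

After installation, the relevant executables can be found in the following folder.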

C:\Program Files (x86)\Windows Kits\10\bin\10.0.16299.0\x64

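Here are some examples. The first command creates a self-signed certificate (-r) with an exportable private key (-pe) and the server authentication EKU, writing the key to HOSTNAME.pvk and the certificate to HOSTNAME.cer; the second packs both into HOSTNAME.pfx: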

makecert -r -pe -n "CN=HOSTNAME" -eku 1.3.6.1.5.5.7.3.1 -sky exchange -sv HOSTNAME.pvk HOSTNAME.cer

pvk2pfx -pvk HOSTNAME.pvk -spc HOSTNAME.cer -pfx HOSTNAME.pfx

Other examples:

    1. Creates a root certificate with exportable key and places it into the Trusted root auth store of the local computer:
      makecert.exe -r -n "CN=SIL Root Cert" -pe -sr localmachine -ss AuthRoot -len 2048 -sky exchange -m 36
    2. Creates a Server SSL certificate based on the above Root cert and places it into the local computer's personal store:
      makecert.exe -n "CN=SILAggregator" -in "SIL Root Cert" -eku 1.3.6.1.5.5.7.3.1 -ir localmachine -is AuthRoot -pe -sr localmachine -ss My -len 2048 -sky exchange -m 36
    3. Creates a Client Auth certificate:
      makecert.exe -n "CN=SILClientAuth" -in "SIL Root Cert" -eku 1.3.6.1.5.5.7.3.2 -ir localmachine -is AuthRoot -pe -sr localmachine -ss My -len 2048 -sky exchange -m 36
    4. Remote Desktop Gateway Sample:
      a) Creates a root certificate with exportable key and places it into the Trusted root auth store of the local computer:
      makecert.exe -r -n "CN=RootCA.mydomain.xxx" -pe -sr localmachine -ss AuthRoot -len 4096 -sky exchange -m 96 -a sha256
      b) Creates the RDG Server SSL Server certificate based on the above Root cert and places it into the local computer's personal store:
      makecert.exe -n "CN=rdg.mydomain.xxx" -in "RootCA.mydomain.xxx" -eku 1.3.6.1.5.5.7.3.1 -ir localmachine -is AuthRoot -pe -sr localmachine -ss My -len 2048 -sky exchange -m 36 -a sha256
      c) Use MMC -> Certificates -> Local Computer -> Personal -> select rdg.mydomain.xxx -> Export -> include private key, extended key usage and all certificates in hierarchy -> save as .pfx -> bring to RDG -> import -> In RDG manager -> bind SSL new cert.
      d) Use MMC -> Certificates -> Local Computer -> Trusted Root Certification Authorities -> select RootCA.mydomain.xxx -> Export -> No, do not export private key -> save as .cer -> bring to RDP Client -> import .cer to Trusted Root Certification Authorities -> retry RDP connection.
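
An added example (not part of the original post): a PowerShell check that locates makecert.exe under whichever Windows 10 SDK version is installed, then lists the certificates created by the commands above with their signature algorithm, key size and EKU. The default SDK install root and an elevated Windows PowerShell session are assumptions; the subject names are the ones used in the examples above.

```powershell
# Added example, not from the original post. Run in an elevated session.
# Assumption: the SDK is installed under the default "Windows Kits\10" root.
$kitBin = Join-Path ${env:ProgramFiles(x86)} 'Windows Kits\10\bin'

# 1. Find makecert.exe for any installed SDK version, newest first, instead of
#    hard-coding 10.0.16299.0. Folders that are not version numbers sort last.
$makecert = Get-ChildItem -Path $kitBin -Recurse -Filter makecert.exe -ErrorAction SilentlyContinue |
    Where-Object { $_.Directory.Name -eq 'x64' } |
    Sort-Object { $_.Directory.Parent.Name -as [version] } -Descending |
    Select-Object -First 1
if ($makecert) {
    Write-Output "makecert.exe found: $($makecert.FullName)"
} else {
    Write-Warning "makecert.exe not found under $kitBin; install the Windows SDK."
}

# 2. Review what the examples above left in the machine stores.
#    Subject names are the ones used on this page.
$subjects = 'CN=SIL Root Cert', 'CN=SILAggregator', 'CN=SILClientAuth',
            'CN=RootCA.mydomain.xxx', 'CN=rdg.mydomain.xxx'

Get-ChildItem -Path Cert:\LocalMachine\My, Cert:\LocalMachine\AuthRoot |
    Where-Object { $subjects -contains $_.Subject } |
    ForEach-Object {
        $sigAlg = $_.SignatureAlgorithm.FriendlyName      # e.g. sha1RSA, sha256RSA
        [pscustomobject]@{
            Store      = $_.PSParentPath -replace '^.*::', ''
            Subject    = $_.Subject
            SigAlg     = $sigAlg
            WeakSig    = $sigAlg -match 'sha1|md5'         # only example 4 passes -a sha256
            KeyBits    = $_.PublicKey.Key.KeySize
            EKU        = ($_.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId }) -join ','
            # True on a root entry means the CA signing key is stored on this machine.
            PrivateKey = $_.HasPrivateKey
            NotAfter   = $_.NotAfter
        }
    } | Format-Table -AutoSize
```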


Reposted from www.cnblogs.com/My-limit/p/11897992.html