MakeCert Hell

A few weeks ago, I was asked to help technical support with a new feature we are adding to our Media Streaming Server. Our developers added SSL to the Media Streaming Server, and technical support needed some SSL certificates for development and testing before we release it in mid-February.

Some years ago, I worked in the IT department, and I never delete anything. I just happened to have a few scripts that could help them streamline self-signed certificate creation.

   makecert -sv SignRoot.pvk -cy authority -r signroot.cer ^
      -n "CN=Certification Authority for Development" -ss root ^
      -sr localmachine

   makecert -iv SignRoot.pvk -ic signroot.cer -cy end -pe -n CN="" ^
      -eku -ss my -sr localmachine -sky exchange ^
      -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12

These scripts had worked for me in the past, so I shared them with the group. A few days later Travis, one of the support engineers, told me that the scripts were not working. I went over to investigate. Because these scripts had always worked for me in the past, I pulled a Nick Burns, "Moooove!" because it had to be something Travis was doing wrong. I ran through the scripts, and everything seemed to be working.

But as I confidently looked away from the screen to look at Travis as I clicked the link, Chrome failed with a weak cipher error. A red-faced search of the error showed that the problem was that the certificate I had created had been signed using SHA128. Modern browsers require certificates to be signed with at least SHA256. That should be an easy parameter change fix; perhaps I can still save some face.

Unfortunately for me, Murphy was laying down the law that day. This was an old test machine, and the version of MakeCert in the Windows 7.1 SDK bin folder was too old. To confuse things even more, the documentation for MakeCert.exe ".NET Framework (current version)" — I cannot emphasize the CURRENT VERSION part enough — is nothing but a link to the OLD documentation that says nothing about SHA256. Good grief!

More searching… I finally found the documentation for the latest version of MakeCert. Long story short, SHA256 first became available in MakeCert.exe 4.5, which is included with Visual Studio 2012 and later. Interesting side note: SHA128 is still the default in MakeCert 4.5.

Finally, the solution!

  1. Start an elevated Visual Studio 2012 or later command prompt. If I could make it flash without causing seizures, I would.
  2. Call MakeCert to create two certificates. One for an authority and another for the end point of
       makecert -sv SignRoot.pvk -cy authority -a sha256 -r signroot.cer ^
          -n "CN=Certification Authority for Development" -ss root -sr localmachine
       makecert -iv SignRoot.pvk -ic signroot.cer -cy end -a sha256 -pe ^
          -n CN="" -eku -ss my -sr localmachine ^
          -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12
  3. Now, manually bind the certificate to the service with the certificate thumbprint and application GUID like so:
       netsh http add sslcert ipport= ^
          certhash=ff9a8ebcaf68797eff36f8ae9b0739a288292f50 ^
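The step that bit me was not noticing the hash algorithm until Chrome complained. The following PowerShell script is an added example, not part of the original post: it runs after the two makecert commands above, finds the end-entity certificate in the LocalMachine\My store, refuses to bind it unless it is signed with SHA-256 and has its private key, and then performs the netsh binding with the thumbprint it found. The subject CN, the ipport value and the application GUID are placeholders you substitute with your own.

```powershell
# Added example (not from the original post). Run from an elevated PowerShell
# prompt after creating the certificates with makecert -a sha256 as shown above.
# Assumptions: $SubjectCn is the CN you passed to makecert -n, $IpPort is the
# listener the service binds to, and $AppId is any GUID identifying your app.

$SubjectCn = "dev.example.test"                         # placeholder CN
$IpPort    = "0.0.0.0:443"                              # placeholder ipport
$AppId     = "{" + [guid]::NewGuid().ToString() + "}"   # placeholder app GUID

# makecert -ss my -sr localmachine puts the end-entity cert in LocalMachine\My;
# pick the newest one matching the subject in case older attempts are still there.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$SubjectCn" } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) {
    throw "No certificate with CN=$SubjectCn found in LocalMachine\My"
}

# This is the check that would have saved the red face: an old MakeCert signs
# with SHA-1 (shown as sha1RSA here), which current browsers reject.
$sigAlg = $cert.SignatureAlgorithm.FriendlyName
if ($sigAlg -ne "sha256RSA") {
    throw "Certificate $($cert.Thumbprint) is signed with $sigAlg; re-create it with makecert -a sha256"
}

# Without -pe the private key is not exportable/usable by SChannel and the
# binding silently fails at handshake time, so verify the key is present too.
if (-not $cert.HasPrivateKey) {
    throw "Certificate $($cert.Thumbprint) has no private key; re-create it with -pe"
}

# netsh wants the thumbprint as a bare hex string and the appid in braces.
$thumb = $cert.Thumbprint.ToLower()
netsh http add sslcert ipport=$IpPort certhash=$thumb appid="$AppId"

# Display the resulting binding so the thumbprint and appid can be confirmed.
netsh http show sslcert ipport=$IpPort
```

If a stale binding from an earlier attempt already exists on that ipport, `netsh http delete sslcert ipport=...` removes it before the add; the script does not do that automatically so that an existing production binding is never replaced by accident.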

And voila! This time I watched carefully as I clicked the link. Chrome did not complain, and video was streaming over a secure connection!

Besides the LEADTOOLS Media Streaming Server, there are other places where it is useful to have a self-signed SSL certificate for testing and development. Self-signed certificates are great because they are free, easy and — some would argue most importantly — work with modern browsers! Another great example where these are perfect is a self-hosted WCF service class like our web scanning service. When a web page requires HTTPS, like Microsoft CRM, the self-hosted WCF service class must be called over an SSL encrypted connection, but that is a topic for another blog post.

It is my hope that someone out there finds this information useful and is saved the time it took me to figure it out.

Oh by the way, you’re welcome! Seriously, use the time you just saved and watch those Nick Burns videos from the link above.


Developer Advocate
