Self Signed Certificate Generator
A powerful and easy-to-use application for creating, exporting, viewing and signing X.509 Certificates on Windows.
1. System Requirements / Installation:

You can download this application here: Download application (itisscg.zip).

Previous versions and the change log are available here: Version history.

System Requirements:
- Microsoft Windows 7, 8, 8.1, 10 or Microsoft Windows Server 2008R2, 2012, 2012R2, 2016.
- Microsoft .NET Framework 4.6 (or a later 4.x version).

Installation:
Open the file "itisscg.zip" and extract the file "itisscg.exe" to a folder of your choice.
Create a shortcut to the file "itisscg.exe" on the Windows Desktop or Start Menu if needed.


Quick Start: Create an SSL Certificate...


User interface language:
The languages available for the user interface are currently English and French. The language used is automatically selected according to the language of your Operating System. The default language is English.
You can force the use of a language by using a parameter in the command line: Command Line options.

Note: When you force the use of a language, some parts of this software may remain in the language of your operating system.




2. User interface organization:

The first three tabs are used to enter the properties of the new certificate. For most self-signed certificates you will only need to complete or modify the properties in the first tab; the properties in the other tabs can be left at their default values.

The fourth tab, "Create Cert.", is used for certificate generation and to manage "XML certificate templates".

The fifth tab, "View/Tools", displays the certificate generation information and hosts some tools.

Certificates created with this application are stored in one of the Windows Certificate Stores: "Current User/Personal (My)" or "Local Computer/Personal (My)".
You can export them to a file as they are generated, or later using the "Export" button located in the "View/Tools" tab.




3. "Properties" Tab:

(Screenshot: "Properties" tab - certificate properties)


3.1. Subject (CN) - ("Issued to", "domain name", "user name"):

The Subject of the certificate is the name of the entity the certificate is issued to.
The Subject must be a valid Distinguished Name (DN) (X.500 or Lightweight Directory Access Protocol (LDAP) format). A DN is made up of "attribute=value" pairs, separated by commas.

Here are 3 examples of Distinguished Names:
CN=testdomain.com

CN=testdomain.com, O=testorganisation, C=US

CN=Jeff Smith, OU=Sales, DC=testdomain, DC=com

(Where: CN = Common Name, O = Organization, C = Country, OU = Organizational Unit, DC = Domain Component …).

You must at least provide a Common Name (CN) for the subject of the certificate. The Common Name (CN) is the part of the Distinguished Name that is shown in the "Issued to:" field when you display a certificate under Windows.

If you enter the "Common Name" without the prefix "CN=" in this text box, the "CN=" part will be added for you automatically when leaving the subject text box (e.g. "testdomain.com" will become "CN=testdomain.com").

A basic check is performed when editing the Subject. If you get an error message when leaving this zone, the problem is often the use of unauthorized characters.

(Screenshot: Subject editor)

You can use the "Edit" button to the right of the subject to show the "Subject Editor" window, which will help you to enter the subject in the Distinguished Name format.

Note: The "Serial Number" text box in the "Subject editor" window is not the serial number that will be assigned to the certificate. This "serial number" is the DN attribute intended for identifiers such as a Social Security Number or a national identification number.


3.2. Subject Alternative Name - ("SAN", "DNS Name", "URL", "E-Mail", …):

The Subject Alternative Name is an extension that allows you to add additional subject names to a certificate.
A basic check is performed when editing these data.

The following formats are supported:
- DNS Name (e.g. testaltdomain.com)
- IP Address (e.g. 123.1.32.132)
- URL (e.g. http://www.testdomain.com)
- Email address (RFC822 Name) (e.g. user.test@maildomain.com)
- X.500 Directory Name (Directory Address / Distinguished Name) (e.g. CN=usertest,DC=testdomain,DC=com)
- User Principal Name (UPN) (e.g. user@domain.com)
- Registered ID (OID) (e.g. 1.3.6.1.4.1.311.20.2.1)
- Other Name (e.g. 1.3.6.1.4.1.311.20.2.3:user@domain.com)
- DS Object GUID (Directory Service Agent GUID) (e.g. {970043ae-da34-480d-82d7-54e6033097ba})

Note 1: "User Principal Name" and "DS Object GUID" are sub-types of "Other Name", and will be found under "Other Name" in the certificate.

Note 2: To encode data for the "Other Name" type, there are 2 possible formats:
- "Plain Text" format:
OID:PLAIN_TEXT_DATA
Example: 1.3.6.1.4.1.311.20.2.3:user@domain.com

- "Base 64" format:
OID:[B64]BASE64_ENCODED_DATA
Example: 1.3.6.1.4.1.311.20.2.3:[B64]dXNlckBkb21haW4uY29t
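Added example (not code from the Itiverba tool or this manual): a Python parser for the two "Other Name" input formats described in Note 2, showing that the plain-text and [B64] examples above carry the same bytes, and how binary data such as a DS Object GUID must go through the [B64] form. Assumptions: plain text is taken as UTF-8; the DS Object GUID OID 1.3.6.1.4.1.311.25.1 is Microsoft's szOID_NTDS_REPLICATION and the GUID is laid out like the Windows GUID structure, neither of which this page states.

```python
"""Parse the "Other Name" SAN syntax  OID:PLAIN_TEXT_DATA  or
OID:[B64]BASE64_ENCODED_DATA  into (oid, raw_bytes) and back.

Added example for this manual; not code from the Itiverba tool.
Plain text is encoded as UTF-8 here (assumption: the manual does not say
how the tool encodes the value inside the certificate)."""
import base64
import binascii
import re
import uuid

# Dotted OID: first arc 0-2; second arc 0-39 when the first arc is 0 or 1.
_OID_RE = re.compile(r"^(0|1|2)\.(0|[1-9][0-9]*)(\.(0|[1-9][0-9]*))*$")

# Microsoft OIDs for the two Other Name sub-types listed in Note 1.
UPN_OID = "1.3.6.1.4.1.311.20.2.3"           # szOID_NT_PRINCIPAL_NAME (on the page)
DS_OBJECT_GUID_OID = "1.3.6.1.4.1.311.25.1"  # szOID_NTDS_REPLICATION (assumed)

B64_TAG = "[B64]"


def validate_oid(oid: str) -> str:
    """Reject anything that is not a syntactically valid dotted OID."""
    if not _OID_RE.match(oid):
        raise ValueError(f"not a valid dotted OID: {oid!r}")
    first, second = (int(x) for x in oid.split(".")[:2])
    if first < 2 and second > 39:
        raise ValueError(f"second arc must be <= 39 when first arc is {first}: {oid!r}")
    return oid


def parse_other_name(entry: str) -> tuple[str, bytes]:
    """Split 'OID:data' and return the OID and the raw value bytes.

    [B64] payloads are decoded with strict alphabet/padding checks so a typo
    fails loudly instead of being written silently into the certificate."""
    oid, sep, data = entry.partition(":")
    if not sep:
        raise ValueError("Other Name needs the form OID:DATA")
    oid = validate_oid(oid.strip())
    if data.startswith(B64_TAG):
        payload = data[len(B64_TAG):].strip()
        try:
            raw = base64.b64decode(payload, validate=True)
        except binascii.Error as exc:
            raise ValueError(f"bad Base64 payload for {oid}: {exc}") from exc
    else:
        raw = data.encode("utf-8")  # assumption: plain text is UTF-8
    if not raw:
        raise ValueError(f"empty value for {oid}")
    return oid, raw


def is_valid_other_name(entry: str) -> bool:
    """Boolean form of the check the tool performs when you leave the field."""
    try:
        parse_other_name(entry)
        return True
    except ValueError:
        return False


def to_b64_form(oid: str, raw: bytes) -> str:
    """Render a value in the [B64] syntax (needed for data you cannot type)."""
    return f"{validate_oid(oid)}:{B64_TAG}{base64.b64encode(raw).decode('ascii')}"


def guid_to_other_name(guid: str) -> str:
    """DS Object GUID entry in [B64] form. Assumption: the 16 bytes follow the
    Windows GUID structure layout (uuid.bytes_le), as in AD's objectGUID."""
    return to_b64_form(DS_OBJECT_GUID_OID, uuid.UUID(guid).bytes_le)


def describe(entry: str) -> str:
    """Human-readable summary naming the sub-type when the OID is known."""
    oid, raw = parse_other_name(entry)
    kind = {UPN_OID: "User Principal Name",
            DS_OBJECT_GUID_OID: "DS Object GUID"}.get(oid, "Other Name")
    return f"{kind} ({oid}): {len(raw)} bytes"


if __name__ == "__main__":
    # The two examples from Note 2 above decode to the same bytes.
    plain = parse_other_name("1.3.6.1.4.1.311.20.2.3:user@domain.com")
    b64 = parse_other_name("1.3.6.1.4.1.311.20.2.3:[B64]dXNlckBkb21haW4uY29t")
    print(plain == b64, describe("1.3.6.1.4.1.311.20.2.3:user@domain.com"))
    print(guid_to_other_name("{970043ae-da34-480d-82d7-54e6033097ba}"))
```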


3.3. Valid From – Valid To:

Validity period of the certificate.

Note: The time will always be 12:00:00 (Noon - Local Time). The dates/times are converted to UTC format in the certificate.


3.4. Private Key Length:

Sets the length, in bits, of the RSA Private Key. (At present, a secure key length is 2048 or 4096 bits.)

Note: The longer the key, the longer it takes to generate! Depending on your computer (CPU), generating a long key can take a long time. Creating an 8,192-bit key can take anywhere from 2 to 15 minutes, and a 16,384-bit key can take anywhere from 15 to more than 60 minutes depending on your computer.


3.5. Store Context:

Selects the "Windows Certificate Store" context to be used to store the new certificate and its Private Key ("Local Computer" or "Current User"). The certificate will be stored in the logical store named "Personal" (also referenced as "My").

Note: "Elevated Privileges" are needed to use the "Local Computer" context. You may need to run the software using the "Run as administrator" option to create certificates in the "Local Computer" context.


3.6. S/MIME Capabilities (Secure/Multipurpose Internet Mail Extensions):

Check this option to add the S/MIME Capabilities extension to the certificate.

The S/MIME Capabilities extension is used when sending and receiving encrypted email messages to report the recipient's decryption capabilities to the sender. This enables the sender to choose the most secure algorithm supported by both the sender and recipient.


3.7. Key Usage:

Check the boxes corresponding to the "Key Usage" values you want in the new certificate.
If no Key Usage is selected, the "Digital Signature" Key Usage will be added automatically when the certificate is generated.

The "No Key Usage" option allows you to add the "Key Usage" extension with no key usages specified (Value = 0x00 - Displayed by Microsoft as "Information Not Available").

Note: "CRL signing" and "Offline CRL signing" are the same (if you add one of them the other will also be present in the certificate).

Note: You can use the "SSL [X]" button to check with one click the "Key Usage" and "Enhanced Key Usage" required for an SSL Certificate.


3.8. Extended/Enhanced Key Usage (EKU):

Check the checkboxes corresponding to the "Extended/Enhanced Key Usage" (EKU) you want in the new certificate.
"Any Purpose / All Extended Key Usage" (2.5.29.37.0) is the last item in the EKU list.

The "Add" button allows you to add a custom "Enhanced Key Usage" OID to the list. You can use the "OID Number" format or the "OID Friendly Name" format (the friendly name must always be provided in your Operating System's language).
The new custom EKU OID will be added at the top of the list and checked automatically. If the OID is already in the list it will be automatically selected and checked.



4. "Extended Properties" Tab:

(Screenshot: "Extended Properties" tab)


4.1. Cryptographic Provider:

Cryptographic provider to use to generate the RSA Key pair.


4.2. Signature Hash Algorithm:

Hash algorithm to use to sign the new certificate.

Note: Today's secure algorithms are SHA256 and higher.


4.3. Serial Number (HEX):

Serial Number that will be assigned to the new certificate.
The serial number must be encoded in Hexadecimal format. (e.g. 10F50E8D2D2D2AA745210C).
If you leave it blank, a random serial number will be generated when the certificate is created.


4.4. Signer Certificate:

This function allows you to sign a certificate with another certificate. The signer certificate is usually a "Certification Authority" (CA) certificate (public/trusted or private). The subject of the signer certificate will be included in the "Issuer" ("Issued by") field of the new certificate, and its private key will be used to sign the new certificate. You can create CA certificates with this software (see Create a CA Certificate).

Use the button on the right to select a Signing Certificate from a Certificate Store.
After selecting a Signer Certificate, this text box will display the certificate path and thumbprint (System names are used to identify the store). Further useful information about the selected certificate will be displayed in the text zone under "Signer Info".

You can sign the new certificate with any other certificate that meets the following conditions:
  - Signer certificate must have a Private Key;
  - User must have access to the Private Key of the signer certificate; (Run as administrator if the certificate is located in "Local Computer");
  - Signer certificate must be present in one of the "Personal (My)" Certificate Stores ("Current User\Personal" or "Local Computer\Personal");
  - Signer certificate should be present in the "Trusted Root Certification Authorities (Root)" store;
  - Signer certificate should have the "Certificate Signing" Key Usage.
(It is possible to sign a new certificate if this last condition is not met; however the resulting certificate chain will not be valid and Windows will display an error: "This certificate does not appear to be valid for the selected purpose.").

Note: Use a CER or DER file type to distribute your private CA Certificate to the users.

Note: To clear the "Signer Certificate" text box, click once in the text box and press the [DELETE] or [BACKSPACE] key on your keyboard.


4.5. CA Version:

Check the checkbox to add the "CA Version" extension and set the major/minor version number.

This is an extension specific to Microsoft. The version is set automatically by the CA Server when renewing a CA certificate: + 1.0 when renewed using the same RSA Key Pair, +0.1 when renewed with a new RSA Key Pair.


4.6. Basic Constraints:

Check the "Basic Constraints" checkbox to add these extensions to the new certificate.

The optional Basic Constraints extensions are used to indicate whether the Subject type is a "Certification Authority" (CA) or an "End Entity", and to limit the path length of the CA certificate chain.

When selecting "CA" as Subject Type, Basic Constraints extensions are always marked as critical and the following Key Usages are added when the certificate is generated: Certificate Signing, CRL Signing, and Offline CRL Signing.


4.7. Issuer Statement (Certificate Policy) ("User Notice", "CPS Pointer"):

The "Issuer Statement" is in fact a Certificate Policy (Issuance policy).
This section is a convenient way to encode a text or URL ("Issuer Statement" or "Disclaimer") that users can read by clicking the "Issuer Statement" button when viewing a certificate under MS Windows. The "Issuer Statement" data will be automatically added to the certificate policies while the certificate is generated. You must provide a "User Notice (Text)" and/or a "CPS Pointer (URL)" for the issuer's statement to be included in the new certificate.

P.E. Number (PEN, Private Enterprise Number) 1.3.6.1.4.1.: Enter your Private Enterprise Number here. If you don't have a PEN, you can leave this field empty; the default reserved PEN OID 1.3.6.1.4.1.0 will then be used. PEN assignments are made through the Internet Assigned Numbers Authority (IANA).
(Example: 123456 or 123456.1.100 => the full OID used will be 1.3.6.1.4.1.123456 or 1.3.6.1.4.1.123456.1.100.)

All Issuance Policy: If you check this option, the "All Issuance Policy" OID (2.5.29.32.0) will be used instead of the PEN OID. If this option is checked, you shouldn't add any other policies to your certificate.

User Notice (Text): This is the field for entering the text version of the Issuer Statement (this is the text shown in the "Disclaimer" window that appears when one clicks the "Issuer Statement" button of a certificate).

CPS Pointer (URL) (Certificate Practice Statement): This is the field for entering the URL of the online version of the "Issuer Statement" (this is the web page shown when one clicks the "Issuer Statement" button of a certificate, or the "More Info" button at the bottom of the Issuer Statement window). The URL provided should begin with http (no https).
(e.g. http://www.testdomain.com/cpsstest)

Note: The "Issuer Statement" button may be grayed out when displaying a certificate that is not trusted. To trust a new self-signed certificate you must move it (or place a copy of it) in the "Trusted Root Certification Authorities (root)" certificate store. You can use the "Copy Certificate to Store" option of this software, or move/copy it using the Certificates snap-in for the MMC ("Microsoft Management Console") included with Windows (see also: "certmgr.msc" and "certlm.msc").

Note: You can use the "Certificate Policy" encoder in the next tab to make your custom Issuance Policies.

Note: A click on the "Issuer Statement" button will show you the web page of the "CPS Pointer" only if no "User Notice" (Text) is found in the certificate. Otherwise it will display a window with the "User Notice" text; in this case the web page of the "CPS Pointer" is reached by clicking the "More Info" button at the bottom of that window.



5. "Advanced Properties" Tab:

(Screenshot: "Advanced Properties" tab)


5.1. Custom Extensions:

The Custom Extensions section allows you to add any certificate extensions you want.
It is up to you to provide the data in the right format depending on the extension you add.
Most of the time, you will need to use hexadecimal format and provide ASN.1/DER encoded data.

Click the "Add" button to add a new custom extension.

Extension OID: The OID of the custom extension (e.g. 2.16.840.1.113730.1.1). You can enter the "Friendly Name" of the OID instead of the numbers; it will be automatically translated into OID numbers when leaving the text box only if the text you entered is known to the system (e.g. "Netscape Cert Type" will be translated to "2.16.840.1.113730.1.1").
The Friendly Name must always be provided in the language of your Operating System, regardless of the user interface language used in this software.

Extension Data: The data of the custom extension.

Data Encoding: Specifies the encoding type of the data provided in "Extension Data". A basic validation of the data against the encoding type is done when the OK button is clicked.


Example 1: Adding a custom extension based on a PEN (Private Enterprise Number).
Extension OID: 1.3.6.1.4.1.123456.100
Extension Data: Plain text sample data
Data Encoding: Plain Text


Example 2: Adding the "Netscape Cert Type" extension with the following capabilities: SSL CA, S/MIME CA, Object Signing CA.
Extension OID: 2.16.840.1.113730.1.1 (Netscape Cert Type)
Extension Data: 03020007
Data Encoding: Hexadecimal

"Extension Data" meaning (all values are bytes in hexadecimal format):
03 (0x03) is the ASN.1 tag for BIT_STRING.
02 (0x02) is the BIT_STRING content length in bytes [2 bytes].
00 (0x00) is the number of unused bits in the BIT_STRING (set of flags, DER encoding).
07 (0x07) is the content byte of the BIT_STRING: 00000111 (SSL CA, S/MIME CA, Object Signing CA).

The bits of the last byte (07) are set according to the Netscape documentation:
(bits are numbered as follows: 01234567)
bit-0: SSL client,
bit-1: SSL server,
bit-2: S/MIME,
bit-3: Object Signing,
bit-4: Reserved for future use,
bit-5: SSL CA,
bit-6: S/MIME CA,
bit-7: Object Signing CA.

To make your custom "Netscape Cert Type" extension, simply replace the hexadecimal value of the last byte ("07" in our previous example) according to the Netscape documentation above. See examples below:

Example 2.1 - "Netscape Cert Type" extension with "SSL client" and "SSL Server" capabilities: Set the bits 0 and 1 of the flag byte to "1" : 11000000 which is "C0" in hexadecimal.
So the content of the Extension Data is: 030200C0

Example 2.2 - "Netscape Cert Type" extension with "Object Signing" and "S/MIME" capabilities: Set the bits 2 and 3 (zero based) of the flag byte to "1" : 00110000 which is "30" in hexadecimal.
So the content of the Extension Data is: 03020030

Note: Strict DER encoding of a named-bit BIT_STRING records the number of trailing zero bits of the content octet in the "Unused Bits" octet, so the examples above become:
- In example 2.1: 030200C0 (11000000) becomes 030206C0 (the last 6 bits of the content octet are not used).
- In example 2.2: 03020030 (00110000) becomes 03020430 (the last 4 bits of the content octet are not used).

Tip: You can use the "Microsoft Calculator" to convert from binary to hexadecimal.
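Added example (not code from the Itiverba tool or this manual): a Python encoder/decoder for the "Netscape Cert Type" Extension Data discussed in Example 2, reproducing 03020007, 030200C0 / 030206C0 and 03020030 / 03020430 and checking the DER framing on the way back. Bit names and numbering are taken from the Netscape table above; the function names are this example's own.

```python
"""Build and decode the "Netscape Cert Type" extension data: a DER BIT STRING
holding one octet of named bits, exactly as typed into "Extension Data".

Added example for this manual; not code from the Itiverba tool.
Bit 0 is the most significant bit of the content octet (Netscape numbering)."""

NETSCAPE_CERT_TYPE_OID = "2.16.840.1.113730.1.1"
NETSCAPE_BITS = (
    "SSL client", "SSL server", "S/MIME", "Object Signing",
    "Reserved", "SSL CA", "S/MIME CA", "Object Signing CA",
)
BIT_STRING_TAG = 0x03


def flags_to_byte(flags) -> int:
    """Map flag names to the content octet (bit 0 = 0x80 ... bit 7 = 0x01)."""
    value = 0
    for name in flags:
        bit = NETSCAPE_BITS.index(name)  # raises ValueError for unknown names
        value |= 0x80 >> bit
    return value


def encode_bit_string(content: int, strict_der: bool = True) -> str:
    """Return the hex "Extension Data" for a one-octet named-bit BIT STRING.

    strict_der=True fills the unused-bits octet with the count of trailing
    zero bits (030206C0 for C0); strict_der=False always writes 00
    (030200C0), which is what Example 2.1 above types in. Both are valid BER."""
    if not 0 < content <= 0xFF:
        raise ValueError("content must be a non-zero single octet")
    unused = 0
    if strict_der:
        while (content >> unused) & 1 == 0:
            unused += 1
    return bytes([BIT_STRING_TAG, 2, unused, content]).hex().upper()


def encode_netscape_cert_type(flags, strict_der: bool = True) -> str:
    return encode_bit_string(flags_to_byte(flags), strict_der)


def decode_netscape_cert_type(hex_data: str) -> list[str]:
    """Parse Extension Data back into flag names, validating the BIT STRING."""
    raw = bytes.fromhex(hex_data)
    if len(raw) != 4 or raw[0] != BIT_STRING_TAG or raw[1] != 2:
        raise ValueError("expected a BIT STRING with one content octet")
    unused, content = raw[2], raw[3]
    if unused > 7:
        raise ValueError("unused-bits octet must be 0..7")
    if content & ((1 << unused) - 1):
        raise ValueError("bits declared unused must be zero")
    return [name for bit, name in enumerate(NETSCAPE_BITS) if content & (0x80 >> bit)]


if __name__ == "__main__":
    # Example 2, 2.1 and 2.2 from the manual, in non-strict and strict DER form.
    for flags in (["SSL CA", "S/MIME CA", "Object Signing CA"],
                  ["SSL client", "SSL server"],
                  ["S/MIME", "Object Signing"]):
        loose, strict = (encode_netscape_cert_type(flags, s) for s in (False, True))
        print(f"{flags}: {loose} / {strict} -> {decode_netscape_cert_type(strict)}")
```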


Example 3: Adding/Building a complex Custom Extension: "CRL Distribution Points"



5.2. Certificate Policies (Issuance policies):

The Certificate Policies section allows you to add custom certificate policies.

Click the "Add" button to add a new certificate policy.

Policy OID: This is the OID for the new policy.
You can enter the "Friendly Name" of the OID; it will be automatically translated into OID numbers when leaving the text box only if the text you entered is known to the system (e.g. "All issuance policies" will be translated to "2.5.29.32.0").
The Friendly Name must always be provided in the language of your Operating System, regardless of the user interface language used in this software.

Policy Qualifiers: (Optional) Click on the "Add" button to add a new Policy Qualifier.

Qualifier Type: Allows you to select the qualifier type:
- URL (cps): URL format (CPS Pointer) (e.g. http://www.testdomain.com/cpstest.htm).
- User Notice (unotice): Plain text format (User Notice in "Issuer Statement").
- Flags (textnotice): You must provide a valid integer/flags value of at most 32 bits, in hexadecimal notation.

Qualifier Data: The data in the specified format.


Example 1: Adding "All issuance policies" with some text as "Issuer Statement":
Policy OID: 2.5.29.32.0 (All issuance policies)
Qualifier Type: User Notice (unotice)
Qualifier Data: User notice test text…

Example 2: Adding a custom policy OID with a flags value of "010F"
Policy OID: 1.3.6.1.4.1.123456.70.1
Qualifier Type: Root Program Flags (textnotice)
Qualifier Data: 010F

Note: To enable the "Issuer Statement" button, the Certificate must be moved or copied to the "Trusted Root Certification Authorities (root)" certificate store. You can use the "Copy Certificate to Store" option of this software or move/copy it using the Certificates MMC snap-in.

Note: The qualifier type "Root Program Flags (textnotice)" is not available on Windows 7.



5.3. Application Policies:

This section allows you to add custom application policies.
The "Application Policies" extension is specific to Microsoft. It's an equivalent to "Extended Key Usage" but it is encoded like a Certificate Policy. Here you can add all the OIDs you have selected in the "Extended Key Usage" extension.

Click the "Add" button to add a new application policy.

Policy OID: This is the OID for the policy.
You can enter the "Friendly Name" of the OID (use OS language); it will be automatically translated into the OID number when you leave the text box. (e.g. "Document Signing" will be translated to "1.3.6.1.4.1.311.10.3.12").
The Friendly Name must always be provided in the language of your operating system, regardless of the user interface language used in this software.

Policy Qualifiers: (Optional) Click the "Add" button to add a new Policy Qualifier.


Example: Adding the "File Recovery" policy:
Policy OID: 1.3.6.1.4.1.311.10.3.4.1 (File Recovery)



6. "Create Cert." Tab:

(Screenshot: "Create Cert." tab)


6.1. Cert. Store Friendly Name:

This is the Friendly Name of the certificate used in the Windows Certificate Store.

While you enter certificate data, this name is automatically updated with a copy of the Common Name (CN) found in the certificate subject. You can customize the Friendly Name, but it will be reset to the Common Name's value each time you select the text box of the certificate subject.

The Friendly Name is only stored in the Windows Certificate Store (it will not be exported when exporting the certificate to a file).


6.2. PFX/P12 Password:

Password to protect the private key and certificate if you choose to export the new certificate in PFX or P12 file format.


6.3. Export Certificate to File:

If you check this option, the certificate will be exported after its generation to the selected file.

Supported file formats:

File formats with the Private Key:
- PFX (PKCS #12): This is the best file format to keep a complete backup of the new certificate. The file can be protected with a password.
- P12 (PKCS #12): Same as PFX format.
- PEM (Base 64 Encoded DER): This certificate format is widely used in the Linux/Unix world. This option exports the certificate and its RSA Keys to three separate files encoded in PEM format: Certificate File (*.pem) + Private Key File [PKCS#1] (*_private_key.pem) + Public Key File [PKCS#8] (*_public_key.pem). Be careful when using the PEM format: the file containing the private key (*_private_key.pem) is not encrypted.


File formats without Private Key:
- CER (Base64 Encoded DER): This is a common file format for exporting certificates. It is the same format as the PEM Certificate file.
- DER (Binary DER encoded): This format is also common under Windows. The certificate is stored in its binary form.
- CRT (Binary DER encoded): Same as DER.
- PEM (Base64 Encoded DER): The PEM file without the suffix "_private_key" or "_public_key" (see above).
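Added example (not code from the Itiverba tool or this manual): a small Python PEM inspector that, given the files produced by the PEM export option above, reports which ones hold an unencrypted private key, so the *_private_key.pem warning can be checked rather than remembered. The file names and PEM bodies below are constructed placeholders; the label meanings are the standard ones (RSA PRIVATE KEY = PKCS#1, PRIVATE KEY = unencrypted PKCS#8, ENCRYPTED PRIVATE KEY = password-protected PKCS#8).

```python
"""Classify PEM blocks in exported files and flag unencrypted private keys.

Added example for this manual; not code from the Itiverba tool.
Detects both ways a PEM private key can be protected: the PKCS#8
"ENCRYPTED PRIVATE KEY" label, and the legacy PKCS#1 "Proc-Type: 4,ENCRYPTED"
header inside an "RSA PRIVATE KEY" block."""
import re
from dataclasses import dataclass

_PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n(?P<body>.*?)-----END (?P=label)-----",
    re.DOTALL,
)
PRIVATE_LABELS = {"RSA PRIVATE KEY", "PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}


@dataclass(frozen=True)
class PemBlock:
    label: str
    encrypted: bool

    @property
    def is_private_key(self) -> bool:
        return self.label in PRIVATE_LABELS


def parse_pem(text: str) -> list[PemBlock]:
    """Return one PemBlock per BEGIN/END pair found in the text."""
    blocks = []
    for m in _PEM_BLOCK.finditer(text):
        label, body = m.group("label"), m.group("body")
        encrypted = label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body
        blocks.append(PemBlock(label, encrypted))
    return blocks


def unprotected_private_keys(files: dict[str, str]) -> list[str]:
    """Names of files containing at least one private key with no encryption."""
    return [name for name, text in files.items()
            if any(b.is_private_key and not b.encrypted for b in parse_pem(text))]


# Constructed sample export (bodies are placeholders, not real key material),
# mirroring the three files the PEM option writes plus one protected key.
SAMPLE_EXPORT = {
    "testdomain.com.pem":
        "-----BEGIN CERTIFICATE-----\nMIIB...placeholder...\n-----END CERTIFICATE-----\n",
    "testdomain.com_private_key.pem":
        "-----BEGIN RSA PRIVATE KEY-----\nMIIE...placeholder...\n-----END RSA PRIVATE KEY-----\n",
    "testdomain.com_public_key.pem":
        "-----BEGIN PUBLIC KEY-----\nMIIB...placeholder...\n-----END PUBLIC KEY-----\n",
    "protected_example.pem":
        "-----BEGIN ENCRYPTED PRIVATE KEY-----\nMIIF...placeholder...\n-----END ENCRYPTED PRIVATE KEY-----\n",
}

if __name__ == "__main__":
    for name in unprotected_private_keys(SAMPLE_EXPORT):
        print(f"WARNING: {name} holds an unencrypted private key; protect it like a PFX without a password")
```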


6.4. Copy Certificate to Store:

If you check this option, the new certificate will be automatically copied to the selected certificate store after it has been generated. If you want your computer to trust the certificate you are going to create, you must check this option and choose the certificate store "Trusted Root Certification Authorities" before the certificate is generated.

The store location (Current User or Local Computer) is automatically updated when the "Store Context" is modified in the first tab, but you can always select another Store Location if necessary.

Note: "Elevated Privileges" are required to use the "Local Computer" store location. You may need to run the software using the "Run as administrator" option.

Note: Some "Store Names" may not be available on some computers depending on the version of the operating system and other installed software.


6.5. Remove the Certificate from All Stores After Export:

If you check this option, all copies of the new certificate will be deleted from all certificate stores on your computer after the new certificate is generated. This option is useful for testing without having to keep all test certificates in your computer's certificate stores.

Note: By default, a new certificate is saved in the "Current User/Personal (My)" or "Local Computer/Personal (My)" store.

Note: You must give a filename in the "Export to File" section to use this option. This file will be the only copy left of the created certificate. You must choose the PFX (or P12) file format to save the Private Key with the new certificate.


6.6. Show Certificate after Creation:

If this box is checked, the new certificate will be automatically displayed after its creation.


6.7. "Create the Certificate…" button:

Click this button to start the generation of the certificate according to the parameters you have given. By default, the new certificate will be saved in the "Current User/Personal (My)" or "Local Computer/Personal (My)" certificate store.

The certificate is created in a separate thread so that this application remains responsive during that time, but all functions stay disabled while the certificate is being generated.

At the end of the generation process, the "View/Tools" tab is automatically shown with a summary of the certificate, the certificate in Base64 format (CER/PEM), the RSA Private Key in PEM format and the RSA Public Key in PEM format.

Note: The Private Key displayed in text format after creation is not encrypted (even if it seems to be).

Note: Remember that the longer the Private Key, the longer the time it takes to create the certificate.


6.8. "Reset User Interface" button:

This button resets all fields to their default values.
All data entered in the current instance of this software will be lost.


6.9. "Load from XML file" / "Save to XML file" buttons:

You can use these buttons to load/save the certificate data from/to a file formatted in XML.
You can also use this function to create "XML certificate templates".

Note: It is possible to load an "XML certificate template" file at startup using the following command line argument:
/X:XML_TEMPLATE_FILE
Usage example: itisscg.exe /X:"C:\xml cert template\sslcert.xml"



7. "View/Tools" Tab:

Information about the new certificate will be displayed in this tab after certificate generation.

The certificate path displayed in the text box at the top left is the path of the last generated certificate, or the path of the last certificate accessed using another tool button ([View ASN.1] or [View Text]).

When you use a tool that allows you to select a certificate from a certificate store, the default certificate selected in the list is the one whose path is displayed in the text box at the top left.


7.1. "Certificate"(Icon) button:

If a certificate path is present in the text box to the left of this button, you can click this button to open the certificate properties window.


7.2. "View ASN.1" button:

Clicking this button displays the content of a certificate using the ASN.1 representation.

- CLICK: Selects a certificate from a Certificate Store.

- [CTRL] + CLICK: Selects a certificate from a certificate file.
Regarding certificate files: select a CER/DER/PEM file to view a certificate in ASN.1 form; PFX/P12 files are encrypted certificate containers, so viewing this kind of file in ASN.1 form would only show you the encrypted contents (the Certificate and Private Key inside the PFX structure).


7.3. "View Text" button:

This function displays a summary of all properties and extensions of the selected certificate.
It also displays the certificate in Base64 format (CER/PEM), the RSA Private Key in PKCS#1 PEM format and the RSA Public Key in PKCS#8 PEM format.

In the "[Private Key Status]" section you can check the accessibility and apparent exportability of the private key.
If you do not have the necessary rights to access the private key ("Accessible: False"), it will always be displayed as "Not Exportable". In this case, try again by running this application as an administrator to determine the real exportability status.

Example for a certificate whose private key is located in "Local Computer":

Application executed as a user without "Elevated Privileges":
 [Private Key Status]
  Present: True
  Accessible: False
  Exportable: False

Application executed as administrator:
 [Private Key Status]
  Present: True
  Accessible: True
  Exportable: True


Note: Find more information about Private Keys and permissions here: More about Private Keys.

Note: The Private Key displayed in text format after creation is not encrypted.

Note: You can use this software to generate an RSA key pair for any purpose.

Note: This function cannot display a private key you do not have.


7.4. "Export" button:

This button allows you to export any certificate from a certificate store to a file. The program will ask you to choose the file format/extension after selecting the certificate.

Note: If you own the private key of a certificate and cannot export it, you either do not have the necessary access rights to read the private key or it is marked as "Not Exportable".
If you do not have the necessary rights, you can try again by running this application as an administrator.
You can check the accessibility of the private key in the "[Private Key Status]" section by displaying the certificate in text format using the "View Text" button in the "View/Tools" tab of this application.
Warning: the private key will always be displayed as "Not Exportable" if you do not have the necessary access rights.

Note: Exporting a certificate to a file format labeled "With Private Key" does not export the private key if you don't have it.


7.5. "Store" button:

Click this button to display the Microsoft Management Console to manage current user certificates (certmgr.msc).

If you press and hold the [CTRL] key while clicking this button, the Microsoft Management Console for the Local Computer (certlm.msc) will be displayed.

Note: Certlm.msc does not exist under Windows 7 (and 2008R2). You can create the file "certlm.msc" yourself using mmc.exe: add the "certificate/computer account/local computer" plugin and save the console settings to "%WINDIR%\System32\certlm.msc".



8. Example: Create an SSL Certificate for "testdomain.com" and export it to a file:

Example 1:
Subject: CN=testdomain.com

Key Usage: Digital Signature, Key Encipherment

Extended Key Usage: Server Authentication


Example 2: (You can use the "Edit" button to the right of the subject to display the "Subject Editor" window.)
Subject: CN=testdomain.com, O=TestOrganisation, OU=TestOrganisationUnit, L=TestCity, S=TestState, C=US

Subject Alt. Name (optional): DNS Name: testdomain.com

Key Usage: Digital Signature, Key Encipherment

Extended Key Usage: Server Authentication, Client Authentication

Note: You can use the "SSL [X]" button to check with one click the "Key Usage" and "Enhanced Key Usage" required for an SSL Certificate.

(Screenshots: SSL certificate subject; SSL certificate properties)


Then click on the "Create Cert." tab and check "Export Certificate to File". Select the PFX file type if you want to export the Private Key, or the CER file type if you do not; then select a destination folder and enter the filename.

(Screenshot: SSL certificate creation)


Note 1: If you check the "Copy Certificate to Store" checkbox and select "Current User / Trusted Root Certification Authorities" before generating the certificate, the certificate will be trusted by your computer.

Note 2: To protect the private key in the PFX file, enter a password in the "PFX/P12 File Password" textbox before generating the certificate.


Click the "Create the Certificate…" button.

Your new SSL certificate will be stored in the user certificate store named "Personal (My)", then exported to the selected file type.

(Screenshot: SSL certificate)




9. Example: Create a "CA Certificate":

Subject: CN="Testcorp - Private CA"

Basic Constraints: V (checked)

Basic Constraints / Subject Type: CA

Then click on the "Create Cert." tab and enter a password in the "PFX/P12 File Password" textbox;
Check "Export Certificate to File" and select the PFX file type to export the Private Key with the certificate (this file will be the backup of your CA certificate); Select a destination folder, and enter the filename;
Check "Copy Certificate to Store" and select "Current User"/"Trusted Root Certification Authorities";

Click the button "Create the Certificate…".

Your "CA Certificate" will be stored in the user certificate store named "Personal" (My), then copied to the store named "Current User / Trusted Root Certification Authorities" (so your "CA" will be trusted by your computer), and finally exported with its private key to the PFX file.
Keep that PFX file and its password out of reach: anyone who holds the CA private key can issue a certificate for any host name, and this computer will accept it without a warning.



10. Example: Sign a custom "SSL Certificate" with a custom "CA Certificate":

(0. You must have a "CA Certificate" ready to use - see previous example "Create a CA Certificate".)

1. Encode the certificate data as described in the example "Create an SSL Certificate for "testdomain.com"...", but before you click the "Create the Certificate…" button, perform this additional step:

In the second tab "Extended Properties", click the "Select Certificate" button to the right of the text box "Signer Certificate", and select your custom CA certificate.

2. Go to the "Create Cert." tab, and click the "Create the Certificate…" button.



11. Example: Adding a Custom Extension – "CRL Distribution Points":

12. Errors Messages:

Error code 0x80070005 (ERROR_ACCESS_DENIED): This error occurs when you do not have the necessary permissions to access a file, a certificate store or the registry. Writing to the "Local Computer" stores always requires elevation, so running this program as an administrator (right-click, "Run as administrator") should solve the problem. If the error persists for a certificate's private key, check the permissions on the key file (see "More about Private Keys" below).



13. Command Line options:

\L:UI_LANGUAGE_CODE
Starts this application using the specified language for the user interface.
Usage: Replace UI_LANGUAGE_CODE with one of the following values: FR or EN
Example 1 (French): Itiverba.exe \L:FR
Example 2 (English): Itiverba.exe \L:EN

\X:XML_TEMPLATE_FILE_PATH
Starts this application and loads the specified "XML Certificate Template" file.
Usage: Replace XML_TEMPLATE_FILE_PATH with the file path and file name of an XML Certificate Template file.
Example 1: Itiverba.exe \X:C:\certificates\templates\CertTemplateFile.xml
Example 2: Itiverba.exe \X:"C:\certificates\templates\Cert Template File.xml"

\?
Displays a message window with help on command line options.



14. About self-signed SSL certificates:

This software creates certificates for application development support, testing and use in local/private networks.

For a website that faces the public (in production), obtain a certificate from a publicly trusted certificate authority, for example DigiCert, GlobalSign, GoDaddy or Sectigo (formerly Comodo). Self-signed certificates and private CAs are only appropriate where you control every client that has to trust them.

Web browsers will warn you ("There is a problem with this website's security certificate", "Your connection is not private" or similar) when a site presents a self-signed certificate (or a certificate signed by a CA of your own). The reason is that the certificate chain does not end at a root certification authority that your computer/browser trusts.

If you install the self-signed SSL certificate (or the CA certificate used to sign it) in your computer's Certificate Store named "Trusted Root Certification Authorities", the browser warnings disappear, because you have told your computer to trust that certificate or that CA. Two conditions still apply: the host name you browse to must match a name in the certificate's Subject Alternative Name (modern browsers ignore the CN for this check), and the browser must use the Windows store (Firefox keeps its own trust store and consults the Windows one only when "security.enterprise_roots.enabled" is set).
This can be done automatically when creating the certificate by checking the "Copy Certificate to Store" checkbox and selecting the "Trusted Root Certification Authorities" store. Remember that a CA placed in that store can vouch for any host name, so keep it in the "Current User" store where possible and remove it when it is no longer needed.

Be careful: do not distribute the private key with the certificate unless it is really necessary!
- *.CER, *.DER and *.PEM file types contain only the certificate. These files do not include the private key, so there is no problem in making them public.
- Warning: the PEM file type with the suffix "_private_key" (e.g. Domainetest.com_private_key.PEM) contains only the private key and must remain confidential.
- *.PFX and *.P12 file types include the private key in addition to the certificate. These files are a "full backup" of your certificate and must be kept private (and protected with a password).



15. More about X.509 Certificates:

In the IT world, a "Certificate" is in fact an "X.509 Public-Key Certificate".

X.509 is a standard defined by the ITU-T (International Telecommunication Union - Telecommunication Standardization Sector). It defines a framework for Public-Key Infrastructure (PKI), including the format of public-key certificates; the profile used on the Internet (and by this application) is specified in RFC 5280.

X.509 uses ASN.1 (Abstract Syntax Notation One) to describe its data structures and DER (Distinguished Encoding Rules) to encode them: ASN.1 is the notation, DER is the compact, unambiguous binary encoding of it, in which every value is written as a tag byte, a length and the content, nested as deep as the structure requires.
Hexadecimal is the usual way to make this binary data readable for humans, which is why you meet so much hexadecimal when working with certificates (Binary: 10001110 == Hexadecimal: 8e == Decimal: 142).

An X.509 certificate is a signed list of data items whose type and meaning are indicated by ASN.1 "Tags" and "Object Identifiers" (OIDs): one item is the subject, another the public key, others are extensions... The signature covers all of them, which is why a certificate cannot be edited after the fact and has to be re-issued instead.

OIDs are standardized identifiers managed jointly by the ITU-T and ISO/IEC. They are used in a wide range of applications to name "objects" (rules, concepts, organizations, algorithms...) with a globally persistent and unambiguous name.
They are used to identify most of the data (or data structure) in an X.509 certificate, you will therefore often see OIDs when working with certificates.

OIDs Examples:
2.5.29 = Certificate extensions.
2.5.29.17 = Subject Alternative Name.
1.3.6.1.5.5.7.3.1 = Server Authentication (Secure Sockets Layer (SSL) server certificate).
1.3.6.1.4.1.9 = Private Enterprise Number (PEN) for "Cisco Systems, Inc".
1.2.840.113549.1.1.13 = sha512WithRSAEncryption (an RSA signature over a SHA-512 digest).

You can use the "View ASN.1" button in the "View/Tools" tab to get a relatively readable view of what's inside a certificate. You will see the ASN.1 tags, the OIDs, the data, as well as the whole structure of the certificate.
(Screenshot: a certificate displayed in ASN.1 format)
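The two points made above in working code: section 14's "which exported files carry a private key" and section 15's tags, lengths, OIDs and hexadecimal inside a DER structure. This is an added example written for this page with the Python standard library only; it is not part of the Itiverba application. The sample bytes are constructed by hand (the Extended Key Usage extension rebuilt from the OIDs listed above, plus the outer headers of a PFX and of a certificate), the OID name table covers only the OIDs named on this page, and the "classify" labels are this example's own names, not the application's.

```python
"""DER walker with OID decoding, plus a content-based check for which exported files
carry a private key. Added example for this page (stdlib only), not Itiverba code."""
import re

# Names for the OIDs listed in section 15; any other OID is reported as "unknown".
KNOWN_OIDS = {"2.5.29.17": "subjectAltName", "2.5.29.37": "extKeyUsage",
              "1.3.6.1.5.5.7.3.1": "serverAuth", "1.3.6.1.5.5.7.3.2": "clientAuth",
              "1.2.840.113549.1.1.13": "sha512WithRSAEncryption"}
TAG_NAMES = {0x02: "INTEGER", 0x03: "BIT STRING", 0x04: "OCTET STRING", 0x05: "NULL",
             0x0C: "UTF8String", 0x13: "PrintableString", 0x17: "UTCTime"}

def read_tlv(buf, pos):
    """Parse one Tag-Length-Value at buf[pos] -> (tag, value_start, value_end, constructed)."""
    tag = buf[pos]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags are not used in certificates")
    first = buf[pos + 1]
    if first < 0x80:                         # short form: one length byte
        length, hdr = first, 2
    else:                                    # long form: 0x8N, then N big-endian bytes
        n = first & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized length: not DER")
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    start, end = pos + hdr, pos + hdr + length
    if end > len(buf):
        raise ValueError("length runs past the end of the buffer")
    return tag, start, end, bool(tag & 0x20)

def decode_oid(value):
    """OBJECT IDENTIFIER contents -> dotted string. The first byte packs arcs 1 and 2 as
    40*arc1 + arc2; every later arc is base-128, high bit set on all but its last byte."""
    first = value[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    if acc:
        raise ValueError("truncated OID")
    return ".".join(map(str, arcs))

def walk(buf, pos=0, end=None, depth=0, out=None):
    """List (depth, tag, description) for each TLV in buf[pos:end]. Descends into
    constructed types and into an OCTET STRING holding exactly one SEQUENCE, which is
    how every extension value sits inside a certificate."""
    out = [] if out is None else out
    end = len(buf) if end is None else end
    while pos < end:
        tag, start, stop, constructed = read_tlv(buf, pos)
        if constructed:
            out.append((depth, tag, "SEQUENCE" if tag == 0x30 else f"constructed 0x{tag:02x}"))
            walk(buf, start, stop, depth + 1, out)
        elif tag == 0x06:
            oid = decode_oid(buf[start:stop])
            out.append((depth, tag, f"OID {oid} ({KNOWN_OIDS.get(oid, 'unknown')})"))
        else:
            name = TAG_NAMES.get(tag, f"tag 0x{tag:02x}")
            out.append((depth, tag, f"{name} {buf[start:stop].hex()}"))
            if tag == 0x04 and stop > start and buf[start] == 0x30:
                try:
                    nested = read_tlv(buf, start)[2] == stop
                except (ValueError, IndexError):
                    nested = False
                if nested:
                    walk(buf, start, stop, depth + 1, out)
        pos = stop
    return out

PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----")

def classify(data):
    """Decide from content, never from the file extension, whether an exported file
    carries a private key. The labels are this example's own."""
    labels = PEM_BLOCK.findall(data)
    if labels:
        return ("pem-contains-private-key" if any(b"PRIVATE KEY" in x for x in labels)
                else "pem-certificate-only")
    if not data or data[0] != 0x30:
        return "unknown"
    try:
        _, start, _, _ = read_tlv(data, 0)          # outer SEQUENCE
        inner, s, e, _ = read_tlv(data, start)       # its first element
    except (ValueError, IndexError):
        return "unknown"
    if inner == 0x02 and data[s:e] == b"\x03":      # PFX ::= SEQUENCE { version INTEGER (3), ... }
        return "pkcs12-with-private-key"
    if inner == 0x30:                                # Certificate ::= SEQUENCE { tbsCertificate, ... }
        return "der-certificate"
    return "unknown"

# Constructed samples (hand-built for this example, not taken from a real certificate).
# extKeyUsage extension: SEQUENCE { OID 2.5.29.37, OCTET STRING { SEQUENCE { serverAuth, clientAuth } } }
EKU_EXTENSION = bytes.fromhex("301d 0603 551d25 0416 3014 0608 2b06010505070301 0608 2b06010505070302")
PFX_HEAD = bytes.fromhex("3010 020103 300b 0609 2a864886f70d010701")   # version 3, then pkcs7-data OID
CERT_HEAD = bytes.fromhex("3007 3005 a003 020102")                      # tbsCertificate, [0] version v3
PEM_WITH_KEY = (b"-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n"
                b"-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n")

if __name__ == "__main__":
    for depth, _, desc in walk(EKU_EXTENSION):
        print("  " * depth + desc)
```

Running the block prints the same nesting the "View ASN.1" button shows for an extension: the outer SEQUENCE, the extension OID, the OCTET STRING and, inside it, the two Extended Key Usage OIDs. classify() is the check to run over a folder of exported files before publishing any of them: it looks at the bytes, so a PFX renamed to .cer is still reported as carrying a private key.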


Windows keeps certificates in one (or more) of its "Certificate Stores".
On Windows, most of the time you'll need to "install/import" a certificate before your system can use it. To install a certificate, double-click the certificate file to display its Properties Window, then click the "Install Certificate" button to display the "Certificate Import Wizard".

You can browse these "Certificate Stores" with the Microsoft Management Console (mmc.exe) with the "Certificates" snap-in. You can also use a Saved Console like "certmgr.msc" for the Current User and "certlm.msc" for the Local Computer (Min. Windows 8 or 2012).

When creating a certificate with our application, the new certificate will be automatically stored in the "Current User/Personal" certificate store (or the "Local Computer/Personal" depending on the context selected).

Note: The "Personal" store is named "My" at system level (even for the "Local Computer").



16. More about Private Keys:

Private keys are not stored inside the certificates: Windows keeps them in separate key container files, each with its own access control list.
When you use a certificate located in the "Local Computer" store, you may therefore be able to read the certificate but not its private key, because the key file is protected by different permissions.

For the current user, you can check the accessibility of a certificate's private key with this application in the "[Private Key Status]" section, which you can see by displaying the certificate in text format using the "View Text" button on the "View/Tools" tab.

For example, if a Service is running under the "Network Service" user account and uses a certificate located in the "Local Computer" store, you will need to manually change the permissions of the private key to give the "Network Service" user the right to access the private key.

You can change the permissions for the private key using the Microsoft Saved Console "certlm.msc" (or the Microsoft Management Console "mmc.exe" with the "Certificates" snap-in for "Local Computer"):
In the "Local Computer\Personal" store, right-click the certificate and select "All Tasks" from the menu, then click "Manage Private Keys...". Then add the username and grant the necessary permissions.
Note: The function "Manage Private Keys..." is only available for the certificate store "Local Computer\Personal".

Another way to change permissions for the private key is to change the permissions of the file containing the key. You can find the name of the file containing the private key of a certificate in the "[Private Key]" section after the item "Unique Key Container Name" (use the "View Text" button in the "View/Tools" tab of this application).

Here is more information about the Private Key storage folders: Microsoft MSDN - Key Storage and Retrieval.




