To further simplify
 the example, let us assume that the we want to use the certificate to encrypt
 a message from the client to the service. It is easy to apply what we discuss
 here to other scenarios.
 
As we discussed in
 the previous post, we need to generate two certificates, the root certificate
 that represents the Certificate Authority, and the certificate that represents
 the identity of the client or service. We will also create a Certificate Revocation
 List (CRL).
 
We will use a tool
 called makeCert to generate our certificates. Makecert, which ships with the
 .NET platform,  allows you to build an
 X509 certificate that can be used for development and testing. It does three
 things:
- Generates a public and private key 
- It associates the key pair
      with a name 
- It binds the name with the
      public key. 
 
Many of the
 published examples use makecert to both create and install the certificate. We
 will do the installation in a separate step because this approach is closer to
 the use of real certificates. 
 Separating the certificates also allows the certificates to be
 installed on many machines instead of just one. This makes distributing
 certificates to developer machines much easier. 
 
First we will
 create the Root Certificate with the following command:
 
makecert
 -sv RootCATest.pvk -r -n "CN=RootCATest" RootCATest.cer
 
-n specifies the
 name for the root certificate authority. The convention is to prefix the name
 with "CN=" where CN stands for "Common Name"
-r indicates that
 the certificate will be a root certificate because it is self-signed.
-sv specifies the
 file that contains the private key. The private key will be used for signing
 certificates issued by this certificate authority. Makecert will ask you for a
 password to protect the private key in the file.
 
The file
 RootCATest.cer will just have the public key. It is in the  Canonical Encoding Rules (CER) format. This
 is the file that will be installed on machines as the root of the trust chain.
 
Next we will create
 a certificate revocation list.
 
makecert -crl -n
 "CN=RootCATest" -r -sv RootCATest.pvk RootCATest.crl
 
-crl indicates we
 are creating a revocation list
-n is the name of
 the root certificate authority
-r indicates that
 this is the CRL for the root certificate, it is self-signed
-sv indicates the
 file that contains the private key
 
RootCATest.crl is
 the name of the CRL file.
 
At this point we
 could install the root certificate, but we will wait until we finish with the
 certificate we will use in our scenario. 
 Here we need two files. We will need a CER file for the client machine
 so that we can install the public key associated with the service. Then we
 will create a PKCS12  format file that
 will be used to install the public and private key in the service.
 
The initial step is
 :
 
makecert -ic
 RootCATest.cer -iv RootCATest.pvk -n "CN=TempCert" -sv  TempCert.pvk -pe -sky exchange TempCert.cer
 
-n specifies the
 name for the certificate
-sv specifies the
 file for the certificate. This must be unique for each certificate created. If
 you try to reuse a name, you will get an error message .
-iv specifies the
 name of the container file for the private key of the root certificate created
 in the first step.
-ic specifies the
 name of the root certificate file created in the first step
-sky specifies what
 kind of key we are creating. Using the exchange option enables the certificate
 to be used for signing and encrypting the message.
-pe specifies that
 the private key is exportable and is included with the certificate. For
 message security is this required because you need the corresponding private
 key.  
 
The name of the CER
 file for the certificate is specified at the end of the command.
 
Now we need to
 create the PKCS12 file. We will use a the Software Publisher Certificate Test
 Tool to create a Software Publisher's Certificate. You use this format to
 create the PKCS12 file using the pvkimprt tool. 
 
cert2spc
 TempCert.cer TempCert.spc 
pvkimprt -pfx
 TempCert.spc TempCert.pvk
 
We now have four
 files:
 
RootCATest.cer
RootCATest.crl
TempCert.cer
TempCert.pvk
 
The next step is to
 install these on the appropriate machines. I could not get certmgr to work
 properly to do an automated install. 
 The Winhttpcertcfg tool works for PKCS12 format files, but not CER
 format files. We will use the MMC snap-in for this.
 
 
Run the mmc snapin
 tool (type mmc in the Run menu). First we will open the Certificates
 snap-in.  Choose: Add/Remove Snap-In.