Make a self-signed certificate

I recently received a couple of questions on how to make a self-signed certificate for server authentication. I have been using self-signed certificates for some time now, mainly in test environments. You can use them to easily test SSL on a web server or to secure Remote Desktop Connection, which is what I have been using them for a lot lately.

Now, I would advise against using self-signed certificates in a production environment because of the security implications: you never know who really signed the certificate, and that makes it much less trustworthy. However, there might be situations in which you would consider using self-signed certificates anyway.

So, here’s how I make a self-signed certificate.

Download and install makecert.exe
You will need makecert.exe, which is included in the Windows SDK for Windows Server 2008 and .NET Framework 3.5. When you run the installer, the necessary components are downloaded based on the choices you make during the installation process. To avoid downloading the entire SDK suite (which can be over 1GB), de-select all options and only select the Win32 Developer Tools for installation.

Create the certificate
Use the command below to create the certificate.

makecert.exe -r -n "CN=server.domain.com" -m 120 -sky exchange -eku 1.3.6.1.5.5.7.3.1 -ss my -sr LocalMachine -pe -a sha1

The options explained:

Option          Description
-r              Creates a self-signed certificate.
-n x509name     Name of the server, using the X.500 standard. Best to use the host name between double quotes preceded by CN=, for example "CN=server".
-m number       Number of months the certificate is valid. In this example 120 months = 10 years.
-sky keytype    Subject key type, which can only be signature or exchange.
-eku oid[,oid]  Extended Key Usage. Sets the purposes for which the certificate can be used. See the OID Reference below.
-ss store       Where to store the certificate. Can be my for the personal store or Root for the trusted root store.
-sr location    Physical location of the store, which can be currentuser or localmachine.
-pe             Marks the private key as exportable.
-a algorithm    Signature hash algorithm, md5 (default) or sha1.

OID Reference
The following Object Identifiers can be used when making a certificate:

  • Encrypting File System (1.3.6.1.4.1.311.10.3.4)
  • Code Signing (1.3.6.1.5.5.7.3.3)
  • Secure Email (1.3.6.1.5.5.7.3.4)
  • Smart Card Logon (1.3.6.1.4.1.311.20.2.2)
  • Client Authentication (1.3.6.1.5.5.7.3.2)
  • Server Authentication (1.3.6.1.5.5.7.3.1)
  • IP security IKE intermediate (1.3.6.1.5.5.8.2.2)
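
As an added example that is not part of the original post, the PowerShell below reads the certificate created by the makecert command above back out of the LocalMachine personal store and reports whether each option (-r, -eku, -m, -a, -pe) actually took effect; it assumes the subject name used in the post, and reading the private key from the LocalMachine store needs an elevated shell.

```powershell
# Added example, not from the original post: inspect the certificate that the
# makecert command above creates and report whether each option took effect.
# Assumes the subject "CN=server.domain.com" and the LocalMachine\My store from
# the post; reading the private key from LocalMachine requires an elevated shell.
$subject       = 'CN=server.domain.com'
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication, from the OID reference

$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $subject } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw "No certificate with subject $subject in Cert:\LocalMachine\My" }

# -r: on a self-signed certificate the issuer is the subject itself
$selfSigned = ($cert.Subject -eq $cert.Issuer)

# -eku 1.3.6.1.5.5.7.3.1: the Enhanced Key Usage extension must list server authentication
$ekuExt = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$hasServerAuth = [bool]($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid })

# -m 120: validity window; NotAfter should be about ten years after NotBefore
$validMonths = [math]::Round(($cert.NotAfter - $cert.NotBefore).TotalDays / 30.44)

# -a sha1: signature hash; the md5 default is the weaker of makecert's two choices
$sigAlg = $cert.SignatureAlgorithm.FriendlyName

# -pe: the private key must be present and its CSP container marked exportable
$exportable = $null
if ($cert.HasPrivateKey) {
    try   { $exportable = $cert.PrivateKey.CspKeyContainerInfo.Exportable }
    catch { $exportable = 'unknown (no access to key container)' }
}

[pscustomobject]@{
    Thumbprint    = $cert.Thumbprint
    SelfSigned    = $selfSigned
    ServerAuthEKU = $hasServerAuth
    ValidMonths   = $validMonths
    SignatureAlg  = $sigAlg
    HasPrivateKey = $cert.HasPrivateKey
    Exportable    = $exportable
}
```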

Changing VirtualCenter log locations

VMware VirtualCenter stores its logs in C:\Documents and Settings\All users\Application Data\VMware\VMware VirtualCenter\Logs by default. This will work most of the time, but I personally like to put logs on a separate disk to prevent log files from growing endlessly and filling up disk space on the system disk. Fortunately there is a way to relocate the log location for VirtualCenter. Just follow the steps below.

To change the VirtualCenter log location:

  1. Log in to the VirtualCenter machine with an Administrator account.
  2. Open the following file with a text editor:
    %ALLUSERSPROFILE%\Application Data\VMware\VMware VirtualCenter\vpxd.cfg
  3. Add the <directory> and </directory> tags to the file to specify the directory path for the logs, similar to:
    <log><directory>D:\Logs</directory></log>
  4. Restart the VirtualCenter Server service.

Update 11-03-2010: Remember to delete any HTML comment lines that may be present. On a new installation of vCenter Server 4 Update 1 the <log> </log> section was enclosed in an HTML block comment like this: <!-- -->