.\"
.\" makecert manual page.
.\" Copyright 2003 Motus Technologies
+.\" Copyright 2004-2005, 2011 Novell
.\" Author:
-.\" Sebastien Pouliot (spouliot@motus.com)
+.\" Sebastien Pouliot (sebastien@ximian.com)
.\"
.TH Mono "MakeCert"
.SH NAME
MakeCert \- Create X.509 certificates for test purposes
.SH SYNOPSIS
.PP
-.B MakeCert [options] certificate
+.B makecert [options] certificate
.SH DESCRIPTION
Create an X.509 certificate using the provided informations. This
is useful for testing Authenticode signatures, SSL and S/MIME
.SH PARAMETERS
.TP
.I "-# num"
-Certificate serial number
+Specify the certificate serial number.
.TP
.I "-n dn"
-Subject Distinguished Name
+Specify the subject Distinguished Name (DN).
.TP
.I "-in dn"
-Issuert Distinguished Name
+Specify the issuer Distinguished Name (DN).
.TP
.I "-r"
-Create a self-signed (root) certificate
-.TP
-.I "-sv pkvfile"
-Private key file (.PVK) for the subject (created if missing)
+Create a self-signed, also called root, certificate.
.TP
.I "-iv pvkfile"
-Private key file (.PVK) for the issuer
+Specify the private key file (.PVK) for the issuer. The private key in the
+specified file will be used to sign the new certificate.
.TP
.I "-ic certfile"
-Extract the issuer's name from the specified certificate
+Extract the issuer's name from the specified certificate file - i.e. the
+subject name of the specified certificate becomes the issuer name of the
+new certificate.
.TP
-.I "-?"
-Help (display this help message)
+.I "-in name"
+Use the issuer's name from the specified parameter.
.TP
-.I "-!"
-Extended help (for advanced options)
+.I "-ik container"
+Specify the key container name to be used for the issuer.
+.TP
+.I "-iky [signature | exchange | #]"
+Specify the key number to be used in the provider (when used with -ik).
+.TP
+.I "-ip provider"
+Specify the cryptographic provider to be used for the issuer.
+.TP
+.I "-ir [localmachine | currentuser]"
+Specify the provider will search the user or the machine keys containers for
+the issuer.
+.TP
+.I "-iy number"
+Specify the provider type to be used for the issuer.
+.TP
+.I "-sv pkvfile"
+Specify the private key file (.PVK) for the subject. The public part of the
+key will be inserted into the created certificate. If non-existant the
+specified file will be created with a new key pair (default to 1024 bits RSA
+key pair).
+.TP
+.I "-sk container"
+Specify the key container name to be used for the subject.
+.TP
+.I "-sky [signature | exchange | #]"
+Specify the key number to be used in the provider (when used with -sk).
+.TP
+.I "-sp provider"
+Specify the cryptographic provider to be used for the subject.
+.TP
+.I "-sr [localmachine | currentuser]"
+Specify the provider will search the user or the machine keys containers for
+the subject.
+.TP
+.I "-sy number"
+Specify the provider type to be used for the issuer.
.TP
.I "-a hash"
-Select hash algorithm. Only MD5 and SHA1 are supported.
+Select hash algorithm. Only MD5 and SHA1 algorithms are supported.
.TP
.I "-b date"
The date since when the certificate is valid (notBefore).
.TP
-.I "-cy [authority|end]"
-Basic constraints. Select Authority or End-Entity certificate.
-.TP
.I "-e date"
The date until when the certificate is valid (notAfter).
.TP
-.I "-eku oid[,oid]"
-Add some extended key usage OID to the certificate.
+.I "-m number"
+Specify the certificate validity period in months. This is added to the
+notBefore validity date which can be set with -b or will default to the
+current date/time.
+.TP
+.I "-cy [authority|end]"
+Basic constraints. Select Authority or End-Entity certificate. Only Authority
+certificates can be used to sign other certificates (-ic). End-Entity can
+be used by clients (e.g. Authenticode, S/MIME) or servers (e.g. SSL).
.TP
.I "-h number"
-Add a path length restriction to the certificate chain.
+Add a path length restriction to the certificate chain. This is only
+applicable for certificates that have BasicConstraint set to Authority (-cy
+authority). This is used to limit the chain of certificates than can be
+issued under this authority.
.TP
-.I "-ic cert"
-Take the issuer's name from the specified certificate.
+.I "-alt filename"
+Add a subjectAltName extension to the certificate. Each line from 'filename'
+will be added as a DNS entry of the extension. This option is useful if you
+want to create a single SSL certificate to work on several hosts that do not
+share a common domain name (i.e. CN=*.domain.com would not work).
.TP
-.I "-in name"
-Take the issuer's name from the specified parameter.
+.I "-eku oid[,oid]"
+Add some extended key usage OID to the certificate.
.TP
-.I "-iv pvkfile"
-Sign the certificate using the private key inside the PVK file.
+.I "-p12 pkcs12file password"
+Create a new PKCS#12 file containing both the certificates (the subject and
+possibly the issuer's) and the private key. The PKCS#12 file is protected
+with the specified password. This option is
+.B mono exclusive.
.TP
-.I "-m number"
-Certificate validity period (in months).
+.I "-?"
+Help (display this help message)
.TP
-.I "-sv pvkfile"
-Create a new PVK file if non-existant, otherwise use the PVK file as the subject public key.
+.I "-!"
+Extended help (for advanced options)
+.SH EXAMPLES
+.PP
+To create a SSL test (i.e. non trusted) certificate is easy
+once your know your host's name. The following command will create a
+test certificate for an SSL server:
+.nf
+ $ hostname
+ pollux
+
+ $ makecert -r -eku 1.3.6.1.5.5.7.3.1 -n "CN=pollux" -sv pollux.pvk pollux.cer
+ Success
+.fi
+.PP
+In particular in the above example, the parameters used to build this
+test certificate were:
+.TP
+.I "-r"
+Create a self-signed certificate (i.e. without an hierarchy).
+.TP
+.I "-eku 1.3.6.1.5.5.7.3.1"
+Optional (as sadly most client don't require it). This indicates that
+your certificate is intended for server-side authentication.
+.TP
+.I "-n \"CN=pollux\""
+Common Name (CN) = Host name. This is verified the SSL client and must
+match the connected host (or else you'll get a warning or error or
+*gasp* nothing).
+.TP
+.I "-sv private.key"
+The private key file. The key (1024 bits RSA key pair) will be
+automatically generated if the specified file isn't present.
+.TP
+.I "pollux.cer"
+The SSL certificate to be created for your host.
+.SH KNOWN RESTRICTIONS
+Compared to the Windows version some options aren't supported (-$, -d, -l,
+-nscp, -is, -sc, -ss). Also PVK files with passwords aren't supported.
.SH AUTHOR
Written by Sebastien Pouliot
.SH COPYRIGHT
Copyright (C) 2003 Motus Technologies.
+Copyright (C) 2004-2005 Novell.
Released under BSD license.
.SH MAILING LISTS
-Visit http://mail.ximian.com/mailman/mono-list for details.
+Visit http://lists.ximian.com/mailman/listinfo/mono-devel-list for details.
.SH WEB SITE
-Visit: http://www.go-mono.com for details
+Visit http://www.mono-project.com for details
.SH SEE ALSO
.BR signcode(1)