- Create a signing authority certificate:

    makecert -n "CN=My Signing Authority" -r -sv MySigningCert.pvk MySigningCert.cer

- Merge the private key file and public key file into an encrypted key (this isn't mentioned in the MSDN article linked above, but you can find the documentation here):

    pvk2pfx /pvk MySigningCert.pvk /spc MySigningCert.cer /pfx MySigningCert.pfx /pi mycertpassword /po mycertpassword /f

- Start creating site certificates with your signing certificate:

    makecert -iv MySigningCert.pvk -n "CN=www.mywebsite.com" -ic MySigningCert.cer -sv sitekey.pvk sitekey.cer -pe
You'll be prompted for passwords for securing the private key. Make sure you remember them; you'll need them to create the merged file.
The merge step isn't necessary for signing site certificates, but it does make storing the certificate and installing it on different machines more convenient. Be careful: you should never leave keys lying around file systems on machines. They should always either: a) be stored in an encrypted store like that provided by Windows, or b) be stored on separate storage media that can be physically locked away with access only available to trusted personnel.
Now, as above, I recommend that you merge the .pvk and .cer into a .pfx for easy transport and storage.
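
The site-certificate merge and the move into the Windows certificate store, as an added PowerShell example that is not part of the original post. The output name `sitekey.pfx`, the `Cert:\LocalMachine\My` store and an elevated prompt with `pvk2pfx` on the PATH are assumptions; the other file names are the ones used in the steps above.

```powershell
# Added example, not the author's script. Run elevated from the folder holding the files.
$ErrorActionPreference = 'Stop'

# Prompt for the key password instead of hard-coding it in the script.
$securePw = Read-Host -Prompt 'Private key password' -AsSecureString
$plainPw  = [System.Net.NetworkCredential]::new('', $securePw).Password

# Merge the site key pair the same way the signing certificate was merged.
# pvk2pfx takes the password as an argument, so it is briefly visible in the process list.
& pvk2pfx /pvk sitekey.pvk /spc sitekey.cer /pfx sitekey.pfx /pi $plainPw /po $plainPw /f
if ($LASTEXITCODE -ne 0) { throw "pvk2pfx failed with exit code $LASTEXITCODE" }
$plainPw = $null

# Before installing, confirm the site certificate really chains to the signing certificate.
$x509  = 'System.Security.Cryptography.X509Certificates'
$ca    = New-Object "$x509.X509Certificate2" (Resolve-Path MySigningCert.cer).Path
$site  = New-Object "$x509.X509Certificate2" (Resolve-Path sitekey.cer).Path
$chain = New-Object "$x509.X509Chain"
$chain.ChainPolicy.ExtraStore.Add($ca) | Out-Null          # offer the CA without trusting it machine-wide
$chain.ChainPolicy.RevocationMode    = 'NoCheck'           # makecert certificates carry no CRL/OCSP endpoint
$chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'

$built = $chain.Build($site)
$root  = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
if (-not $built -or $root.Thumbprint -ne $ca.Thumbprint) {
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    throw "sitekey.cer does not chain to MySigningCert.cer (chain status: $status)"
}

# Import into the machine store. Without -Exportable the private key is marked
# non-exportable, so it cannot be exported again through the normal store APIs.
$installed = Import-PfxCertificate -FilePath sitekey.pfx `
    -CertStoreLocation Cert:\LocalMachine\My -Password $securePw
Write-Host "Installed $($installed.Subject) [$($installed.Thumbprint)]"

# List key material still on disk so it can be moved to locked-away media or deleted.
$loose = Get-ChildItem -Path *.pvk, *.pfx -ErrorAction SilentlyContinue
if ($loose) {
    Write-Warning ("Key files still on disk: " + ($loose.Name -join ', '))
}
```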