Create a self-signed, token-signing certificate

Applies To: Windows Server 2003 R2

You can use the following procedure to create a self-signed certificate for token signing. The certificate is issued with the code-signing enhanced key usage (OID 1.3.6.1.5.5.7.3.3), and the procedure also creates and installs its private key. To perform this procedure, use the Makecert.exe utility. Makecert.exe is available in the Microsoft .NET Framework 2.0 Software Development Kit (SDK) (x86) (https://go.microsoft.com/fwlink/?LinkId=79548).

Administrative credentials

To complete this procedure, you must be a member of the Administrators group on the local computer.

To create a self-signed, token-signing certificate

  1. Open a command prompt.

  2. Type the appropriate makecert syntax.

    • Example command:

    makecert -r -pe -n "CN=CertForADFS" -b 01/01/2006 -e 01/01/2007 -eku 1.3.6.1.5.5.7.3.3 -ss my -sr localMachine -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 "CertForADFS.cer"

Note

Track certificate expiration dates to make sure that certificates are replaced before they expire. You can do this using the Active Directory Federation Services snap-in, both for certificates of the current organization and for the partners that you configure in the trust policy.
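The following PowerShell script is an added example, not part of the original page: it locates the certificate that the makecert command above placed in the LocalMachine\My store, confirms it is self-signed, has a private key and carries the 1.3.6.1.5.5.7.3.3 enhanced key usage, and reports the days remaining before expiration, which supports the tracking the Note asks for. The subject name and OID are taken from the page; the 30-day warning threshold is an assumption.

```powershell
# Added example: verify the token-signing certificate created by makecert and
# report how long it remains valid. Subject and EKU OID come from the page;
# $warnDays is an assumed threshold.
$subject        = 'CN=CertForADFS'
$codeSigningEku = '1.3.6.1.5.5.7.3.3'   # EKU OID passed to makecert -eku
$warnDays       = 30

# Pick the newest certificate with the expected subject from LocalMachine\My
# (the store selected by "-ss my -sr localMachine").
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $subject } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) {
    throw "No certificate with subject '$subject' found in LocalMachine\My."
}

# Collect the EKU OIDs from the Enhanced Key Usage extension, if present.
$ekuOids = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
    ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object { $_.Value } }

$daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays

[pscustomobject]@{
    Subject        = $cert.Subject
    Thumbprint     = $cert.Thumbprint
    SelfSigned     = ($cert.Subject -eq $cert.Issuer)   # makecert -r
    HasPrivateKey  = $cert.HasPrivateKey                 # makecert -pe / -sky exchange
    CodeSigningEku = ($ekuOids -contains $codeSigningEku)
    NotBefore      = $cert.NotBefore
    NotAfter       = $cert.NotAfter
    DaysRemaining  = $daysLeft
}

if ($daysLeft -le $warnDays) {
    Write-Warning "Certificate '$subject' expires in $daysLeft day(s); roll it over before it expires."
}
```

Run the script from an elevated PowerShell session on the federation server, since reading the LocalMachine store requires administrative rights.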

See Also

Concepts

Rolling Over a Token-signing Certificate
Rolling Over a Client Authentication Certificate