Creating Enhanced SHA256 self-signed certificates
There are 2 options to create self-signed certificates very easily
using windows makecert
The following command can be run from the command prompt to create a self-signed certificate. Based on location of the makecert.exe on you machine, the path might differ. I am using a Windows 8.1
"C:\Program Files (x86)\Windows Kits\8.1\bin\x86\makecert.exe" -n "CN=Local" -r -pe -a sha256 -len 2048 -cy authority -e 03/03/2017 -sv Local.pvk Local.cer
"C:\Program Files (x86)\Windows Kits\8.1\bin\x86\pvk2pfx.exe" -pvk Local.pvk -spc Local.cer -pfx Local.pfx -po MyPassword -sy 24
using openSSL
you can use openSSL that comes with Apache Webserver to get the same thing done as follows
openssl.exe req -x509 -nodes -sha256 -days 3650 -subj "/CN=Local" -newkey rsa:2048 -keyout Local.key -out Local.crt
openssl.exe pkcs12 -export -in Local.crt -inkey Local.key -CSP "Microsoft Enhanced RSA and AES Cryptographic Provider" -out Local.pfx
Difference Between Above two
One major and most important difference between the 2 above is makecert is not able to create the certificate file with CSP of 24 as provided as provided as parameter so while using this *pfx file to sign any XML as SHA256 will give exception like "Invalid Algorithm Specified" because the CSP value remains 1 instead of 24.
The one created by Open SSL will come out with correct CSP value and will give any errors.
Check Keys of Generated Certificate
You can write a small test program to test the Keys generated by the certificates in the above 2 methods.
class Program
{
static void Main(string[] args)
{
var x509Certificate = new X509Certificate2(@"Local.pfx",
"LocalSTS", X509KeyStorageFlags.Exportable);
Console.WriteLine(x509Certificate.ToString(true));
Console.ReadLine();
}
}