Use MakeCert to Generate Your Certificate

MakeCert is a certificate generation tool available from Microsoft that can be used to generate certificates for testing purposes.

The following makecert command line can be used to generate a certificate suitable for signing Privilege Management for Windows configuration:
makecert -r -pe -n "CN=BeyondTrust Signed XML Configuration" -sky signature -eku 1.2.826.0.1.6538381.1.1.1 -ss my

The parameters can be changed as required. The example above generates a self-signed certificate with an exportable private key, and adds it to the calling user’s local certificate store. The certificate must then be exported to a PFX file along with the private key in the usual way.

The important parameter in the example is the addition of the Privilege Management for Windows Configuration Signing OID to the Enhanced Key Usage extension (-eku 1.2.826.0.1.6538381.1.1.1)

If a self-signed certificate is used to sign the Privilege Management for Windows settings, the certificate must be distributed to all clients for a chain of trust to be established and for signature verification to be successful.

Use Certificate Template in a Certificate Request

The certsrv interface

Once the certificate template is issued, the template can be used during advanced certificate requests via the certsrv web interface.


Once the certificate is issued, it must be installed by the user before it can be exported to a PFX file in the usual way.

The private key must be exported to the PFX file as well.