Published Monday, March 26, 2007 9:41 AM by martin
Some time ago I posted this to remind me how to create my own X.509 certificates for use with WCF. In those examples I was creating certificates that were each based on a "Root Agency" certificate, which is ok, but I wondered if I could have a little more control over the trust chain in my certificates. I'm sure this is very old news to many, but again, I'm recording it here for when I next need it :-)
I can create my "root" certificate like so...
makecert -sr LocalMachine -ss My -n CN=subject-name -cy authority -r
The most interesting points for me here are the -cy authority and -r switches, which make my new certificate represent a certification authority, and make it "self-signed", respectively. Self-signed means I don't get a "Root Agency" certificate hanging off it. In order to create a new server authentication (for example) certificate, based on this "authority" certificate, I can do something like this...
makecert -sr LocalMachine -ss My -n CN=subject-name -ir LocalMachine -is My -in issuer-subject-name -eku 1.3.6.1.5.5.7.3.1
...where issuer-subject-name is the name of the "authority" certificate I created in the first example above.
Naturally, my new "root" certificate won't be inherently trusted by any client (even my own machine), so I still need to export that certificate and put it into any client's trusted root certification authorities store, just as I would if I used the "Root Agency" certificate. The only thing I gain from this approach is the ability to name my root certificate, as far as I can tell. Perhaps I'm a control freak, but I like that.
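The whole flow from this post as an added PowerShell example (not the post's own code): both makecert commands, followed by a chain check that shows why the root has to land in the Trusted Root store before a client accepts the leaf. The subject names, the X509Chain check and the PKI-module cmdlets are my assumptions and are not taken from the post.

```powershell
# Added example, not code from the original post: run the two makecert steps described
# above, then show how a client's chain builder judges the new leaf before and after the
# root is placed in Trusted Root Certification Authorities.
# Assumptions: makecert.exe is on the path, the PKI module (Export-/Import-Certificate)
# is present, and the prompt is elevated because LocalMachine stores are written.
$rootCn   = 'MyTestRoot'                 # constructed common name for the authority
$leafName = 'CN=service.example.test'    # constructed subject for the server-auth cert

# 1. Self-signed certification authority (-cy authority -r), exactly as in the post.
makecert -sr LocalMachine -ss My -n "CN=$rootCn" -cy authority -r

# 2. Server-authentication certificate issued by it; -in takes the issuer's common name
#    and 1.3.6.1.5.5.7.3.1 is the serverAuth extended key usage OID.
makecert -sr LocalMachine -ss My -n $leafName -ir LocalMachine -is My -in $rootCn -eku 1.3.6.1.5.5.7.3.1

$store = Get-ChildItem Cert:\LocalMachine\My
$root  = $store | Where-Object { $_.Subject -eq "CN=$rootCn" } | Select-Object -First 1
$leaf  = $store | Where-Object { $_.Subject -eq $leafName }    | Select-Object -First 1

function Test-LeafChain {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Leaf,
          [System.Security.Cryptography.X509Certificates.X509Certificate2]$Issuer)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Let the engine locate the issuer even though it only lives in My; trust is still
    # decided solely by the Trusted Root store, which is the point being demonstrated.
    $chain.ChainPolicy.ExtraStore.Add($Issuer) | Out-Null
    # Test certificates carry no CRL distribution point, so judge trust only.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $ok = $chain.Build($Leaf)
    [pscustomobject]@{
        Subject = $Leaf.Subject
        Trusted = $ok
        Depth   = $chain.ChainElements.Count
        Status  = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
    }
}

# 3. Before import, expect Trusted = False, Depth = 2 (leaf plus MyTestRoot), Status = UntrustedRoot.
Test-LeafChain -Leaf $leaf -Issuer $root

# 4. Export the root and place it in the client's trusted root store (this machine, here).
$cerPath = Join-Path $env:TEMP "$rootCn.cer"
Export-Certificate -Cert $root -FilePath $cerPath | Out-Null
Import-Certificate -FilePath $cerPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null

# 5. Same leaf, same chain: now expect Trusted = True with an empty Status.
Test-LeafChain -Leaf $leaf -Issuer $root
```

The difference between the two Test-LeafChain results is the whole story: the engine can build the path either way, but it only reports the leaf as trusted once the self-signed authority sits in the Root store.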