I disagree with the article about performance issues when using certificates created by Makecert.exe .
If revocation information is not included in the generated certificate, then performance loss may be due to revocation. Probably the only thing that is suitable for using a self-signed certificate is the following: you should include the self-signing certificate in the certificate store Root(trusted root certificate authorities) or better in the certificate store AuthRoot(the third is the Party Root Certificate Authority) on all computers that will use it . After that, the self-signing certificate will not cost as the VeriSign root certificate in most scenarios. The reason for this method is possible only within one company and can be difficult to use in enterprise scenarios with a large number of independent client computers.
, PKI Makecert.exe. , -CA:
MakeCert.exe -pe -ss MY -a sha1 -cy authority -len 4096 -e 12/31/2020 -r
-n "CN=My Company Root Authority,O=My Company,C=DE" MyCompany.cer
MakeCert.exe -pe -ss MY -a sha1 -len 2048 -e 12/31/2020 -eku 1.3.6.1.5.5.7.3.2
-n "CN=My Name,O=My Company" -sky exchange
-is MY -in "My Company Root Authority"
OID eku, , .
- AuthRoot ( ), , , CertMgr.exe
CertMgr.exe -add -c MyCompany.cer -s -r localMachine AuthRoot
, .
. .