diff --git a/server/shadow/shadow_server.c b/server/shadow/shadow_server.c
index 81deb655e..3b93f4f33 100644
--- a/server/shadow/shadow_server.c
+++ b/server/shadow/shadow_server.c
@@ -749,13 +749,45 @@ static int shadow_server_init_config_path(rdpShadowServer* server)
 	return 1;
 }
 
+static BOOL shadow_server_create_certificate(rdpShadowServer* server, const char* filepath)
+{
+	BOOL rc = FALSE;
+	char* makecert_argv[6] = { "makecert", "-rdp", "-live", "-silent", "-y", "5" };
+	const size_t makecert_argc = ARRAYSIZE(makecert_argv);
+
+	MAKECERT_CONTEXT* makecert = makecert_context_new();
+
+	if (!makecert)
+		goto out_fail;
+
+	if (makecert_context_process(makecert, makecert_argc, makecert_argv) < 0)
+		goto out_fail;
+
+	if (makecert_context_set_output_file_name(makecert, "shadow") != 1)
+		goto out_fail;
+
+	WINPR_ASSERT(server);
+	WINPR_ASSERT(filepath);
+	if (!winpr_PathFileExists(server->CertificateFile))
+	{
+		if (makecert_context_output_certificate_file(makecert, filepath) != 1)
+			goto out_fail;
+	}
+
+	if (!winpr_PathFileExists(server->PrivateKeyFile))
+	{
+		if (makecert_context_output_private_key_file(makecert, filepath) != 1)
+			goto out_fail;
+	}
+	rc = TRUE;
+out_fail:
+	makecert_context_free(makecert);
+	return rc;
+}
 static BOOL shadow_server_init_certificate(rdpShadowServer* server)
 {
 	char* filepath = NULL;
-	MAKECERT_CONTEXT* makecert = NULL;
 	BOOL ret = FALSE;
-	const char* makecert_argv[6] = { "makecert", "-rdp", "-live", "-silent", "-y", "5" };
-	const size_t makecert_argc = (sizeof(makecert_argv) / sizeof(char*));
 
 	WINPR_ASSERT(server);
 
@@ -786,28 +818,8 @@ static BOOL shadow_server_init_certificate(rdpShadowServer* server)
 	if ((!winpr_PathFileExists(server->CertificateFile)) ||
 	    (!winpr_PathFileExists(server->PrivateKeyFile)))
 	{
-		makecert = makecert_context_new();
-
-		if (!makecert)
+		if (!shadow_server_create_certificate(server, filepath))
 			goto out_fail;
-
-		if (makecert_context_process(makecert, makecert_argc, makecert_argv) < 0)
-			goto out_fail;
-
-		if (makecert_context_set_output_file_name(makecert, "shadow") != 1)
-			goto out_fail;
-
-		if (!winpr_PathFileExists(server->CertificateFile))
-		{
-			if (makecert_context_output_certificate_file(makecert, filepath) != 1)
-				goto out_fail;
-		}
-
-		if (!winpr_PathFileExists(server->PrivateKeyFile))
-		{
-			if (makecert_context_output_private_key_file(makecert, filepath) != 1)
-				goto out_fail;
-		}
 	}
 
 	rdpSettings* settings = server->settings;
@@ -827,7 +839,6 @@ static BOOL shadow_server_init_certificate(rdpShadowServer* server)
 
 	ret = TRUE;
 out_fail:
-	makecert_context_free(makecert);
 	free(filepath);
 	return ret;
 }
diff --git a/winpr/include/winpr/tools/makecert.h b/winpr/include/winpr/tools/makecert.h
index 3e3225147..2c04f3e50 100644
--- a/winpr/include/winpr/tools/makecert.h
+++ b/winpr/include/winpr/tools/makecert.h
@@ -31,9 +31,12 @@ extern "C"
 
 	WINPR_API int makecert_context_process(MAKECERT_CONTEXT* context, int argc, char** argv);
 
-	WINPR_API int makecert_context_set_output_file_name(MAKECERT_CONTEXT* context, char* name);
-	WINPR_API int makecert_context_output_certificate_file(MAKECERT_CONTEXT* context, char* path);
-	WINPR_API int makecert_context_output_private_key_file(MAKECERT_CONTEXT* context, char* path);
+	WINPR_API int makecert_context_set_output_file_name(MAKECERT_CONTEXT* context,
+	                                                    const char* name);
+	WINPR_API int makecert_context_output_certificate_file(MAKECERT_CONTEXT* context,
+	                                                       const char* path);
+	WINPR_API int makecert_context_output_private_key_file(MAKECERT_CONTEXT* context,
+	                                                       const char* path);
 
 	WINPR_API MAKECERT_CONTEXT* makecert_context_new(void);
 	WINPR_API void makecert_context_free(MAKECERT_CONTEXT* context);
diff --git a/winpr/tools/makecert/makecert.c b/winpr/tools/makecert/makecert.c
index 68a409d32..1f5f6f6ff 100644
--- a/winpr/tools/makecert/makecert.c
+++ b/winpr/tools/makecert/makecert.c
@@ -419,7 +419,7 @@ static int makecert_context_parse_arguments(MAKECERT_CONTEXT* context,
 	return 1;
 }
 
-int makecert_context_set_output_file_name(MAKECERT_CONTEXT* context, char* name)
+int makecert_context_set_output_file_name(MAKECERT_CONTEXT* context, const char* name)
 {
 	if (!context)
 		return -1;
@@ -436,7 +436,7 @@ int makecert_context_set_output_file_name(MAKECERT_CONTEXT* context, char* name)
 	return 1;
 }
 
-int makecert_context_output_certificate_file(MAKECERT_CONTEXT* context, char* path)
+int makecert_context_output_certificate_file(MAKECERT_CONTEXT* context, const char* path)
 {
 #ifdef WITH_OPENSSL
 	FILE* fp = NULL;
@@ -605,7 +605,7 @@ out_fail:
 #endif
 }
 
-int makecert_context_output_private_key_file(MAKECERT_CONTEXT* context, char* path)
+int makecert_context_output_private_key_file(MAKECERT_CONTEXT* context, const char* path)
 {
 #ifdef WITH_OPENSSL
 	FILE* fp = NULL;