Many medium and large companies deploy their own Public Key Infrastructure (PKI) within their network to keep their infrastructure secure. To do so, they deploy certificates issued by the internal PKI on all devices. Deploying a certificate alone doesn’t work if the device does not trust the root CA that signed it. The chain certificates (root CA and subordinate CA certificates) must be imported on every machine that joins the trusted internal network. Let’s look at the detailed procedure for importing trusted root CA certificates from the internal certificate authority server.
The procedure shown here to import trusted root CA certificates is the same for public certificates. In the case of public certificates, however, the certificate provider shares the root CA certificate. What about private PKI certificates? There are always two options: either you get the root CA certificate from the internal PKI service team, or you download it yourself from the internal PKI portal. To make this easier, we cover the root CA certificate download process here before importing the certificate into the trusted store on your machine.
Time needed: 5 minutes.
How to download and import trusted root CA certificates?
- Log in to the internal PKI server portal to download the root CA certificate.
Click ‘Download a CA certificate, certificate chain, or CRL’.
- Download the root CA certificates.
You will see three options.
1. Download CA certificate: Click this option to download the certificate of the CA server you are accessing. If you are logged in to a root CA portal, you can download the root CA certificate from here. If you are accessing an intermediate or subordinate CA portal, you will download the respective intermediate or subordinate CA certificate.
2. Download CA certificate chain: This option lets you download the complete chain of certificates in a p7b archive. This is the recommended option, as it downloads all the subordinate and root CA certificates for you.
3. Download latest base CRL: This will not download any certificates. However, it will download the Certificate Revocation List (CRL) of the CA server, which tells about the active, revoked, and expired certificates.
- Root CA certificates
Here you can see the downloaded certificates. If you look at the certificate type, you can see that two types of files were downloaded.
1. The first file is a single certificate in a cer file. You get this from the first option in step 2.
2. The second is a p7b archive file with all the root and intermediate CA certificates, obtained from the second option in step 2.
- Importing root CA certificate:
There are two ways to import root CA certificates to a Windows machine:
1. Certificate Import Wizard
2. MMC console
- Method 1: Certificate Import Wizard
In the first method, just right-click the downloaded certificate and select ‘Install Certificate’.
- Certificate import wizard
Click Next in the certificate import wizard.
- Select certificate import store:
Select the second option and browse to the Trusted Root Certificate Authorities store.
- Completing import root CA certificate process
Click Finish to complete the process.
- Method 2: MMC console
Press Win + R to open the Run utility.
Type mmc in the box.
Press OK.
- Add Certificate Snap-in
Go to File > Add/Remove Snap-in...
- Select Certificates and press Add
- Select the User or Computer Certificate snap-in
Select the snap-in which you want to create the certificate. For demonstration we are choosing Computer account.
Click Next.
- Select Local Computer
Select local computer as you are going to create CSR on the same computer.
Click Finish.
- Select Certificates (Local Computer) and click OK
- Load MMC
You will see the certificate in the personal store.
- Import the certificate
Right-click the Trusted Root Certificate Authorities store. Select All Tasks > Import.
- Certificate import wizard from MMC
Click Next.
- Browse the root CA certificate
- Select the certificate store
Select the second option and browse to the Trusted Root Certificate Authorities store.
- Completing import root CA certificate process
Click Finish to complete the process.
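The same import can be scripted. The PowerShell function below is an added example, not part of the original post: it loads the downloaded cer or p7b file, compares the root's SHA-256 fingerprint with a value you obtained out of band (for example from the PKI team), and only then writes to the machine stores. It goes one step beyond the wizard steps above by placing any intermediate certificates from the p7b into the intermediate (`CA`) store instead of the root store; the function name, file path and fingerprint are placeholders.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell session.
# Assumption: Import-CaChain, the path and the fingerprint are illustrative names/values.
function Import-CaChain {
    param(
        [Parameter(Mandatory)] [string] $Path,               # .cer or .p7b from the CA portal
        [Parameter(Mandatory)] [string] $ExpectedRootSha256  # fingerprint obtained out of band
    )

    # X509Certificate2Collection.Import reads a single .cer as well as a PKCS#7 (.p7b) bundle.
    $certs = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
    $certs.Import((Resolve-Path $Path).Path)

    $sha256 = [System.Security.Cryptography.SHA256]::Create()
    $want   = ($ExpectedRootSha256 -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

    # Pass 1: classify every certificate and verify the root before touching any store.
    $plan = foreach ($c in $certs) {
        $isRoot = $c.Subject -eq $c.Issuer   # self-issued certificate is treated as the root CA
        $fp = [BitConverter]::ToString($sha256.ComputeHash($c.RawData)) -replace '-', ''
        if ($isRoot -and $fp -ne $want) {
            throw "Root '$($c.Subject)' has SHA-256 $fp, expected $want. Nothing was imported."
        }
        $storeName = 'CA'                    # Intermediate Certification Authorities
        if ($isRoot) { $storeName = 'Root' } # Trusted Root store
        [pscustomobject]@{ Cert = $c; Store = $storeName; Sha256 = $fp }
    }
    if (-not ($plan | Where-Object Store -eq 'Root')) {
        throw "No root CA certificate found in $Path."
    }

    # Pass 2: add each certificate to its LocalMachine store.
    foreach ($item in $plan) {
        $store = New-Object System.Security.Cryptography.X509Certificates.X509Store(
            $item.Store, 'LocalMachine')
        $store.Open('ReadWrite')
        try { $store.Add($item.Cert) } finally { $store.Close() }
        '{0,-4} <- {1} ({2})' -f $item.Store, $item.Cert.Subject, $item.Sha256
    }
}

# Usage with placeholder values:
# Import-CaChain -Path 'C:\Temp\certnew.p7b' -ExpectedRootSha256 '<SHA-256 fingerprint from the PKI team>'
```

Because the fingerprint check runs before any store is opened, a mismatched or substituted root leaves the machine's trust stores unchanged.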
This is how you can download and import a root CA certificate on a Windows machine from the internal Certificate Authority server.
Thanks for reading the post. We believe this post has helped you import a root CA certificate on a Windows machine.
Original article by ItWorker. If you repost it, please credit the source: https://blog.ytso.com/269988.html