Managing Certificates in Windows


In my last post I showed you how to create certificates for free using CAcert.org. Now let me show you how to install, export, import, and otherwise manage your certificates in Windows.

Step One — Install Certificate

After CAcert.org has validated your email address, you can create your first certificate.

[Figure: CAcert — Install your certificate]

After it is created, you can install it into your browser.

It is also good to download the certificate as a file.

The client certificate created by CAcert.org will be available to you in two X.509 formats: the PEM file format that comes with the .crt file extension; and the DER file format with the .cer file extension.

The PEM (Privacy-enhanced Electronic Mail) format is a Base64-encoded ASCII file which contains these readable statements: -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----. Between the statements you will find a string of ASCII characters which encode the certificate itself. Other certificate authorities may create certificates in the PEM format using the .pem, .cer, or .key file extensions.

The DER (Distinguished Encoding Rules) format is completely binary meaning that the file is unreadable to humans. It usually comes with the .cer or .der file extension.

Certificates usually contain the following information:

  • The subject’s public key value.
  • The subject’s identifying information, i.e. name and e-mail address.
  • The validity period, i.e. the length of time that the certificate is valid.
  • The issuer’s identifying information.
  • The digital signature of the issuer that validates the binding of the subject’s public key to the subject’s identifying information.
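The two encodings and the fields listed above can be inspected from PowerShell. This is an added example, not part of the original post; it assumes Windows 10 or later, and the self-signed certificate, file names and the `Get-CertificateFileInfo` helper are constructed stand-ins for a CAcert.org download.

```powershell
# Constructed sample: a throwaway self-signed certificate stands in for the
# CAcert.org client certificate (assumption: Windows 10+ PKI module).
$cert = New-SelfSignedCertificate -Subject 'CN=Demo User (constructed)' `
    -CertStoreLocation Cert:\CurrentUser\My -NotAfter (Get-Date).AddDays(1)

# DER: the raw binary encoding, saved with the .cer extension.
$derPath = Join-Path $env:TEMP 'demo.cer'
Export-Certificate -Cert $cert -FilePath $derPath -Type CERT | Out-Null

# PEM: the same DER bytes, Base64-encoded between the BEGIN/END lines (.crt).
$pemPath = Join-Path $env:TEMP 'demo.crt'
$b64 = [Convert]::ToBase64String($cert.RawData, 'InsertLineBreaks')
Set-Content -Path $pemPath -Encoding Ascii -Value @(
    '-----BEGIN CERTIFICATE-----', $b64, '-----END CERTIFICATE-----')

function Get-CertificateFileInfo {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Path)
    $bytes = [IO.File]::ReadAllBytes($Path)
    $head  = [Text.Encoding]::ASCII.GetString($bytes, 0, [Math]::Min(27, $bytes.Length))
    if ($head -eq '-----BEGIN CERTIFICATE-----') {
        $encoding = 'PEM'
    } elseif ($bytes[0] -eq 0x30) {      # 0x30 = ASN.1 SEQUENCE tag that opens a DER certificate
        $encoding = 'DER'
    } else {
        $encoding = 'unknown'
    }
    # X509Certificate2 accepts either encoding of a public certificate.
    $c = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($bytes)
    [pscustomobject]@{
        File               = Split-Path $Path -Leaf
        Encoding           = $encoding
        Subject            = $c.Subject                          # subject's identifying information
        Issuer             = $c.Issuer                           # issuer's identifying information
        ValidFrom          = $c.NotBefore                        # validity period
        ValidTo            = $c.NotAfter
        PublicKeyAlgorithm = $c.PublicKey.Oid.FriendlyName       # subject's public key
        SignatureAlgorithm = $c.SignatureAlgorithm.FriendlyName  # issuer's signature
        Thumbprint         = $c.Thumbprint
    }
}

# The thumbprint is a hash of the DER bytes, so it identifies the certificate
# regardless of which encoding the file uses.
$derPath, $pemPath | ForEach-Object { Get-CertificateFileInfo $_ } | Format-List

# Clean up the constructed certificate, its key and both files.
Remove-Item "Cert:\CurrentUser\My\$($cert.Thumbprint)" -DeleteKey
Remove-Item $derPath, $pemPath
```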

Step Two — Export Certificate

I prefer to use Mozilla Firefox, so my certificates get installed there first.

Click on the ≡ hamburger icon next to the address bar in Mozilla Firefox. In the drop-down menu click Options.

Within the Options window click on the Advanced tab.

[Figure: Certificate Manager]

Within the Advanced tab click on the Certificates tab and then on the View Certificates button.

This will open up the Certificate Manager window. In the Your Certificates tab of this window, select the personal certificate you would like to back up.

Then click on the Backup… button.

[Figure: Choose a Certificate Backup Password]

You will need to give the certificate backup a file name and also a very strong password.

The password needs to be very strong because the file will contain the certificate’s private key, which can be used, for example, to decrypt messages addressed to you.

Make sure to store this password in a safe place. If you don’t know how to do this, then read my post about the topic.

The backup action will export your certificate to a PKCS #12 (Personal Information Exchange) file with the .p12 or .pfx file extension. This file format supports secure storage of certificates, private keys, and all certificates in a certification path. It is the only file format that can be securely used to export a certificate with its private key included.

Step Three — Import Certificate

To import your certificate to Windows, go to Control Panel > Network and Internet and click on Internet Options.

Alternatively, you can launch Internet Explorer, then use the Alt+X keyboard shortcut and press o or click Internet Options in the drop-down menu.

This will bring up the Internet Properties window. Within it click on the Content tab and then on the Certificates button in the Certificates section of the tab.

In the Certificates window, click on the Import… button to bring up the Certificate Import Wizard.

[Figure: Certificate Import Wizard — Open Personal Information Exchange file]

Use the wizard to browse to the location of your PKCS #12 backup file. To import the certificate you will need to enter its correct password and select where your certificate should be stored.

In case it is your personal certificate, select the Personal certificate store.

If you let Windows select the store automatically, the certificate may be placed in the wrong store (e.g. Other People). You are then not allowed to delete the certificate from the Other People tab via Internet Options > Content > Certificates.

Note

Internet Explorer, Google Chrome, Opera, and Safari all rely on the list of certificates in Internet Options, so they will all display the same results.

Only Mozilla Firefox uses its own certificate store and not the one maintained by Windows.

Step Four — Manage Certificates

To delete a certificate, you have to launch Command Prompt from Start > All Programs > Accessories. In the Command Prompt window, type and enter the following command:

This will launch the Certificate Manager (a Microsoft Management Console snap-in) where you can browse and fully manage all installed certificates.

Another way to launch the Certificate Manager is via Control Panel > User Accounts and Family Safety > Credential Manager > Add a Certificate-Based Credential > Open the Certificate Manager.

In the Certificate Manager browse to the certificate you wish to delete, right-click on its name and select Delete from the drop-down menu.

[Figure: certmgr — Permanently delete certificate]

User certificates can be managed by the user or by an administrator. Certificates issued to a computer or service can only be managed by an administrator.
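Steps Three and Four can also be carried out from PowerShell, which lets you name the target store explicitly instead of relying on automatic selection. This is an added example, not part of the original post; it assumes Windows 10 or later, and the passphrase, file name, self-signed certificate and the `Find-UserCertificate` helper are constructed for the demonstration.

```powershell
# Constructed sample: build a throwaway PKCS #12 backup that stands in for the
# file exported from Firefox. With a real backup, prompt for the password
# using Read-Host -AsSecureString instead of embedding it in a script.
$pw  = ConvertTo-SecureString 'constructed-demo-passphrase' -AsPlainText -Force
$pfx = Join-Path $env:TEMP 'demo-backup.p12'
$tmp = New-SelfSignedCertificate -Subject 'CN=Demo User (constructed)' `
    -CertStoreLocation Cert:\CurrentUser\My -KeyExportPolicy Exportable
Export-PfxCertificate -Cert $tmp -FilePath $pfx -Password $pw | Out-Null
Remove-Item "Cert:\CurrentUser\My\$($tmp.Thumbprint)" -DeleteKey

# Step Three: import into the Personal store by name (Cert:\CurrentUser\My).
# Without -Exportable the imported private key cannot be exported again.
$imported = Import-PfxCertificate -FilePath $pfx -Password $pw `
    -CertStoreLocation Cert:\CurrentUser\My

# Report every current-user store that holds the certificate and whether the
# private key came with it. Store names shown are the system names:
# "My" is Personal, "AddressBook" is Other People.
function Find-UserCertificate {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Thumbprint)
    Get-ChildItem Cert:\CurrentUser -Recurse |
        Where-Object { $_.Thumbprint -eq $Thumbprint } |
        Select-Object @{ n = 'Store'; e = { ($_.PSParentPath -split '\\')[-1] } },
                      Subject, HasPrivateKey, NotAfter
}

Find-UserCertificate -Thumbprint $imported.Thumbprint | Format-Table -AutoSize

# Step Four: delete the certificate. -DeleteKey also removes the private key,
# which would otherwise stay behind in the user's key storage.
Remove-Item "Cert:\CurrentUser\My\$($imported.Thumbprint)" -DeleteKey
Remove-Item $pfx
```

A personal certificate that shows up under `AddressBook`, or with `HasPrivateKey` set to `False`, was not imported as intended.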

Everyday Usage of Certificates

There are several basic everyday uses for certificates.

First of all, certificates supersede the need for passwords — they authenticate your identity to third parties (such as websites, companies, or government agencies).

In Windows, you can create a credential and use it to log into web services using your certificate.

To do this, go to Control Panel > User Accounts and Family Safety > Credential Manager. Click Add a certificate-based credential and then enter the address of the web service and select the correct certificate from the drop-down menu.

[Figure: Windows Vault]

In this case I created a certificate-based credential for www.cacert.org.

[Figure: Windows Security — Confirm Certificate]

Now when I visit this website, Windows Security asks me to confirm the use of the selected certificate at www.cacert.org.

I get this pop-up with all browsers except for Mozilla Firefox. As I explained above, Mozilla Firefox does not use Windows’ certificate management system.

Furthermore, you can use certificates for digital signatures (i.e. signing documents or software code) or email and data encryption/decryption.
