In my last post I showed you how to create certificates for free using CAcert.org. Now let me show you how to install, export, import, and otherwise manage your certificates in Windows.
Step One — Install Certificate
After CAcert.org has validated your email address, you can create your first certificate.
After it is created, you can install it into your browser.
It is also good to download the certificate as a file.
The client certificate created by CAcert.org will be available to you in two X.509 formats: the PEM file format that comes with the .crt file extension; and the DER file format with the .cer file extension.
The PEM (Privacy-enhanced Electronic Mail) format is a Base64-encoded ASCII file which contains these readable statements: -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----. Between the statements you will find a string of ASCII characters which encodes the certificate itself. Other certificate authorities may create certificates in the PEM format using the .pem, .cer, or .key file extensions.
The DER (Distinguished Encoding Rules) format is completely binary, meaning that the file is unreadable to humans. It usually comes with the .cer or .der file extension.
Certificates usually contain the following information:
- The subject’s public key value.
- The subject’s identifying information, i.e. name and e-mail address.
- The validity period, i.e. the length of time that the certificate is valid.
- The issuer’s identifying information.
- The digital signature of the issuer that validates the binding of the subject’s public key to the subject’s identifying information.
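To see the two encodings and the fields listed above on your own downloads, the following PowerShell function can be used. It is an added example, not part of the original post; the function name and the file names at the bottom are placeholders.

```powershell
# Added example: report the encoding of a certificate file and the fields it carries.
function Get-CertificateFileInfo {
    param([Parameter(Mandatory)][string]$Path)

    $fullPath = (Resolve-Path -LiteralPath $Path).ProviderPath
    $bytes    = [System.IO.File]::ReadAllBytes($fullPath)
    if ($bytes.Length -eq 0) { throw "Empty file: $fullPath" }

    # PEM is Base64 text between the BEGIN/END lines; DER is raw ASN.1
    # that starts with a SEQUENCE tag (0x30).
    $text = [System.Text.Encoding]::ASCII.GetString($bytes)
    if ($text.Contains('-----BEGIN CERTIFICATE-----')) {
        $encoding = 'PEM'
    } elseif ($bytes[0] -eq 0x30) {
        $encoding = 'DER'
    } else {
        throw "Not a PEM or DER certificate: $fullPath"
    }

    # X509Certificate2 accepts both encodings.
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$bytes)

    [pscustomobject]@{
        File               = Split-Path -Path $fullPath -Leaf
        Encoding           = $encoding
        Subject            = $cert.Subject
        Issuer             = $cert.Issuer
        ValidFrom          = $cert.NotBefore
        ValidTo            = $cert.NotAfter
        PublicKeyAlgorithm = $cert.PublicKey.Oid.FriendlyName
        SignatureAlgorithm = $cert.SignatureAlgorithm.FriendlyName
        Thumbprint         = $cert.Thumbprint      # SHA-1 hash of the DER bytes
        HasPrivateKey      = $cert.HasPrivateKey   # False for a .crt/.cer download
    }
}

# Placeholder file names: point these at your own downloads.
Get-CertificateFileInfo -Path .\cacert-client.crt
Get-CertificateFileInfo -Path .\cacert-client.cer
```

The PEM and DER downloads of the same certificate report the same thumbprint, because PEM is only a Base64 wrapper around the DER bytes.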
Step Two — Export Certificate
I prefer to use Mozilla Firefox, so my certificates get installed there first.
Click on the ≡ hamburger icon next to the address bar in Mozilla Firefox. In the drop-down menu click
Within the Options window click on the
Within the Advanced tab click on the
This will open up the Certificate Manager window. In the
Then click on the
You will need to give the certificate backup a file name and also a very strong password.
The password needs to be very strong because the file will contain the certificate’s private key which can be used, for example, to decrypt messages addressed to you.
Make sure to store this password in a safe place. If you don’t know how to do this, then read my post about the topic.
The backup action will export your certificate to a PKCS #12 (Personal Information Exchange) file with the .p12 or .pfx file extension. This file format supports secure storage of certificates, private keys, and all certificates in a certification path. It is the only file format that can be securely used to export a certificate with its private key included.
Step Three — Import Certificate
To import your certificate to Windows, go to
Alternatively, you can launch
This will bring up the Internet Properties window. Within it click on the
In the Certificates window, click on the
Use the wizard to browse to the location of your PKCS #12 backup file. To import the certificate you will need to enter its correct password and select where your certificate should be stored.
In case it is your personal certificate, select the
If you let Windows select the store automatically, it may happen that the certificate gets placed in the wrong store (e.g. Other People). You are then not allowed to delete the certificate from the Other People tab via Internet Options > Content > Certificates.
Only Mozilla Firefox uses its own certificate store and not the one maintained by Windows.
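The same import can be done from PowerShell with the target store named explicitly, which avoids the wrong-store problem described above. This is an added example, not part of the original post; the backup path is a placeholder.

```powershell
# Added example. The backup path is a placeholder, not a value from the post.
$pfxPath = Join-Path $env:USERPROFILE 'Documents\cacert-backup.p12'

# Prompt for the backup password so it is not stored in a script or in history.
$password = Read-Host -Prompt 'PKCS #12 backup password' -AsSecureString

# Look inside the backup first: the personal certificate and any CA chain.
$pfx = Get-PfxData -FilePath $pfxPath -Password $password
$pfx.EndEntityCertificates | Format-List Subject, Issuer, NotAfter, Thumbprint | Out-Host
$pfx.OtherCertificates     | Format-List Subject, Thumbprint | Out-Host

# Name the target store instead of letting Windows choose one.
# Cert:\CurrentUser\My is the store shown as "Personal". Without -Exportable
# the imported private key cannot be exported from Windows again.
$imported = Import-PfxCertificate -FilePath $pfxPath -Password $password `
    -CertStoreLocation Cert:\CurrentUser\My

# Confirm where the certificate landed and that its private key came with it.
$wanted = $pfx.EndEntityCertificates.Thumbprint
foreach ($store in 'My', 'AddressBook') {   # AddressBook is shown as "Other People"
    Get-ChildItem -Path "Cert:\CurrentUser\$store" |
        Where-Object { $wanted -contains $_.Thumbprint } |
        Select-Object @{ Name = 'Store'; Expression = { $store } },
                      Subject, HasPrivateKey, NotAfter
}
```

A correct import shows the certificate once, in the My store, with HasPrivateKey set to True.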
Step Four — Manage Certificates
To delete a certificate, you have to launch Command Prompt from
This will launch the Certificate Manager (also called the Microsoft Management Console Snap-in) where you can browse and fully manage all installed certificates.
Another way to launch the Certificate Manager is via
In the Certificate Manager browse to the certificate you wish to delete, right-click on its name and select
User certificates can be managed by the user or by an administrator. Certificates issued to a computer or service can only be managed by an administrator.
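Finding and deleting a certificate can also be scripted, which helps when a copy has ended up in a store the Internet Options dialog will not let you clean. This is an added example, not part of the original post; the function names are hypothetical and the thumbprint in the usage comments is a placeholder.

```powershell
# Added example: locate a certificate in the current user's stores and remove one copy.
function ConvertTo-Thumbprint {
    param([Parameter(Mandatory)][string]$Value)
    # Thumbprints copied from a certificate dialog can carry spaces and
    # invisible characters; keep only the hex digits.
    $hex = ($Value -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($hex.Length -ne 40) { throw "Expected 40 hex digits, got $($hex.Length)." }
    $hex
}

function Find-UserCertificate {
    param([Parameter(Mandatory)][string]$Thumbprint)
    $hex = ConvertTo-Thumbprint $Thumbprint
    # Walk every store under CurrentUser and report each one holding a copy.
    Get-ChildItem -Path Cert:\CurrentUser -Recurse |
        Where-Object { -not $_.PSIsContainer -and $_.Thumbprint -eq $hex } |
        Select-Object @{ Name = 'Store'; Expression = { ($_.PSParentPath -split '\\')[-1] } },
                      Subject, HasPrivateKey, NotAfter
}

function Remove-UserCertificate {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [Parameter(Mandatory)][string]$Store
    )
    $path = "Cert:\CurrentUser\$Store\$(ConvertTo-Thumbprint $Thumbprint)"
    if (-not (Test-Path -LiteralPath $path)) { throw "No such certificate: $path" }
    # Ask once here; -WhatIf shows what would be removed without removing it.
    if ($PSCmdlet.ShouldProcess($path, 'Remove certificate')) {
        Remove-Item -LiteralPath $path -Confirm:$false
    }
}

# Usage (placeholder thumbprint; paste the one shown for your certificate):
# Find-UserCertificate   -Thumbprint '<thumbprint>'
# Remove-UserCertificate -Thumbprint '<thumbprint>' -Store AddressBook -WhatIf
```

Run the removal with -WhatIf first, and keep the PKCS #12 backup until you have confirmed that the copy in the My store still reports HasPrivateKey as True.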
Everyday Usage of Certificates
There are several basic everyday uses for certificates.
First of all, certificates supersede the need for passwords — they authenticate your identity to third parties (such as websites, companies, or government agencies).
In Windows, you can create a credential and use it to log into web services using your certificate.
To do this, go to
In this case I created a certificate-based credential for www.cacert.org.
Now when I visit this website, Windows Security asks me to confirm the use of the selected certificate at www.cacert.org.
I get this pop-up with all browsers except for Mozilla Firefox. As I explained above, Mozilla Firefox does not use Windows’ certificate management system.
Furthermore, you can use certificates for digital signatures (i.e. signing documents or software code) or email and data encryption/decryption.