Skip to main content

Many medium to large-scale companies deployed their own PKI Public Key Infrastructure system within their network to keep their infra secure. To keep their infra secure, companies will try deploying the certificates issued by the internal PKI on all the devices. Just deploying a digital certificate doesn’t work if the device is not signed with the root CA. It is mandatory to have the chain certificates (root CA and subordinate CA certificates) imported on all the machines to join the trusted internal network. Let’s look at the detailed procedure of how to import trusted root CA certificates from the internal certificate authority server.

The procedure showed here to import trusted root CA certificates will remain the same for the public certificates either. However, in the case of public certificates, the certificate provider will share the root CA certificate. But, what will you do with private PKI certificates? Two options will always be there, either you will get the root CA certificate from the internal PKI service team or you will have to download the root CA certificate yourselves from the internal PKI portal. To ease your process, we have covered the root CA certificate download process here before importing it into the trusted store on your machine.

Time needed: 5 minutes.

How to download and import trusted root CA certificates?

  1. Login to the internal PKI server portal to download the root CA certificate.Click on the ‘Download a CA certificates, certificate chain, or CRL’Internal PKI portal
  2. Download the root CA certificates.You will see three options.
    1. Download CA certificate: Click on this option to download the certificate of the CA server which you have been accessing. If you log in to a root CA portal, you can download the root CA certificate from here. If you have been accessing any intermediate or subordinate CA portal, you will download the respective intermediate or subordinate CA certificate.

    2. Download CA certificate chain: Thsi option will let you download the complete chain of certificates in p7b archive. This is the recommended option as it downloads all the subordinate and root CA certificates for you.

    3. Download latest base CRL: This will not download any certificates. However, it will download Certificate Revocation List of the CA server, which tells about the active, revoked, and expired certificates.Download root CA certificate
  3. Root CA certificatesHere you can see the downloaded certificates. If you notice the certificate type, you can see two types of certificates are downloaded.
    1. The First file is just a single certificate as a cer file. You will get this from the first option in step 2.
    2. Is a p7b archive file with all the root and intermediate CA certificates obtained from the second option in step 2.
    Download root CA certificate
  4. Importing root CA certificate:There are two ways to import root CA certificates to a windows machine:
    1. Certificate Import Wizard
    2. MMC console
  5. Method 1: Certificate Import WizardIn the first method, just right-click on the downloaded certificate. Select ‘Install Certificate’Install root CA certificate
  6. Certificate import wizardClick Next in the certificate import wizard
    Certificate import wizard
  7. Select certificate import store:Select the second option and browse the Trusted Root Certificate Authorities storeSelect the certificate store
  8. Completing import root CA certificate process
    Click Finish to complete the process.
    Import root CA certificate finish
  9. Method 2: MMC consoleHit Win + R to open the Run utility
    Type mmc in the box.
    Press Ok.
    Open mmc in Windows Server
  10. Add Certificate Snap-inGo to File > Add/Remove Snap-in..Add Certificate Snap-in
  11. Select Certificates and press AddCertificate Snap-in
  12. Select the User or Computer Certificate snap-inSelect the snap-in which you want to create the certificate. For demonstration we are choosing Compute account.
    Click Next.
    Select Computer account
  13. Select Local ComputerSelect local computer as you are going to create CSR on the same computer.
    Click Finish.Select Local Computer
  14. Select Certificate (Local Computer) and click OkSelect Local Computer snap-in
  15. Load MMCYou will see the certificate in the personal store.MMC Console
  16. Import the certificateRight click on the Trusted Root certificate Authority. Select All Task -> Import. Import root CA certificate from MMC
  17. Certificate import wizard from MMCClick Next.
    Certificate import wizard from MMC
  18. Browse the root CA certificateBrowse the root CA certificate
  19. Select the certificate store
    Select the second option and browse the Trusted Root Certificate Authorities store
    Select the certificate store
  20. Completing import root CA certificate processClick Finish to complete the process.
    Complete the import root CA certificate process

Leave a Reply