When you want to secure a service or use a secure one, you will need to manage certificates.
Depending on the case, you may need to export and/or import a certificate with or without its associated private key.
To start, whether you are on a computer (client workstation) or a server, the procedure is identical.
Open the Start menu and type: mmc.
Then, in the "mmc" console that appears, click: Add/Remove Snap-in.
Add the component: Certificates.
Choose "Computer account" if you want to manage the certificates of the computer or server itself, or "My user account" to manage those of the current user.
Note: this choice only appears if you have "administrator" rights on the computer or server you are working on.
Shortcuts: rather than launching an "mmc" console and adding the certificate component for the local computer or current user, you can launch the file directly:
If you selected "Computer account", leave the "Local computer..." option selected and press Finish.
Click OK to confirm the addition of this "Certificates" component in the "mmc" console.
If you select the "Certificates ..." component that appears, you will see that several certificate stores exist by default on your computer or server:
As explained before, in the "Personal" certificate store, you will find the certificates of the current computer, server or user.
Generally, the private keys associated with these certificates will also be present. You can easily tell this from the certificate icon: a small key is displayed on it when the associated private key is present.
Note that in the case of a secure website hosted on an IIS web server, the desired certificate may be in the "Web Hosting" certificate store.
As explained previously, in the "Trusted Root Certification Authorities" certificate store, you will find the certificates of the root certification authorities that your computer or server trusts by default, as well as that of your certification authority if applicable.
Note that if you have an enterprise certification authority and this computer or server is joined to the same Active Directory domain, the CA's certificate will be automatically imported into this certificate store.
In our case, it's our "InformatiWeb CA" certification authority.
When you have certificates in the "Personal" certificate store, the private keys associated with them are often also present.
If you try to export one of your personal certificates, you will therefore have the option of exporting only the certificate or the certificate and its private key.
Warning: as its name suggests, the private key must remain secret. So, don't share it with anyone.
To export a personal certificate with its private key, right-click the desired certificate and click: All Tasks -> Export.
The Certificate Export wizard appears.
Choose: Yes, export the private key.
When you export the certificate along with its associated private key, the format used will be: Personal Information Exchange - PKCS #12 (.PFX).
In this case, the export options available are:
In most cases, only the first option (Include all certificates in the certification path ...) is useful.
Given that you are exporting a certificate with its associated private key, it's important to protect the private key, which will also be stored in the ".pfx" file that will be generated.
To do this, you can specify a password, which you will have to enter again when you re-import the exported ".pfx" file.
If you wish, you can also check the "Group and user names (recommended)" option.
This option will allow you to import this certificate later without having to enter the password protecting the private key, provided you are logged on as one of the users or groups authorized here.
Otherwise, the wizard will ask you for the password protecting the private key.
Hence the benefit of always specifying a password here, even if you also use the first option (Group and user names ...).
Choose where and under what name you want to export your certificate in ".pfx" format, then click: Save.
The path to the certificate that will be exported appears.
Click: Finish.
The "The export was successful" message appears.
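The same export, done from PowerShell instead of the wizard, as an added example that is not part of the original tutorial. It assumes the certificate sits in the "Personal" store of the computer account; the thumbprint and output path are placeholders.

```powershell
# Added example (not from the original tutorial): export a personal certificate
# together with its private key as a password-protected PKCS #12 (.pfx) file.
# The thumbprint and output path are placeholders to adapt to your machine.
$Thumbprint = 'PLACEHOLDER_THUMBPRINT'   # copy it from the certificate's Details tab
$OutFile    = 'C:\Temp\my-server.pfx'

# "Personal" store of the computer account (Cert:\CurrentUser\My for the user account)
$cert = Get-ChildItem -Path "Cert:\LocalMachine\My\$Thumbprint"

# Same check as the key icon in mmc: stop if no private key is associated
if (-not $cert.HasPrivateKey) {
    throw "No private key is associated with $($cert.Subject); nothing to export."
}

# The password that will be asked again when the .pfx is re-imported
$pfxPassword = Read-Host -Prompt 'Password protecting the private key' -AsSecureString

# -ChainOption BuildChain = "Include all certificates in the certification path"
# -ProtectTo              = "Group and user names": these accounts can import the
#                           file later without typing the password
# -Password               = still set, so the file can be imported elsewhere
Export-PfxCertificate -Cert $cert `
                      -FilePath $OutFile `
                      -Password $pfxPassword `
                      -ProtectTo "$env:USERDOMAIN\$env:USERNAME" `
                      -ChainOption BuildChain | Out-Null

# Verify the result without importing it: the end-entity certificate must report
# a private key, and the chain certificates appear under OtherCertificates
$pfx = Get-PfxData -FilePath $OutFile -Password $pfxPassword
$pfx.EndEntityCertificates | Select-Object Subject, Thumbprint, HasPrivateKey
$pfx.OtherCertificates     | Select-Object Subject
```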
The certificate in ".pfx" format appears and is recognized under the "Personal Information Exchange" type in Windows.
If you want to open this ".pfx" certificate without importing it, right-click it and choose "Open" instead of double-clicking it.
In the "Certificates" folder, you will find:
If you double click on the exported certificate in the window above, you will see that you have a private key that corresponds to this certificate.
For someone or something to decrypt the data you send them and verify that it really came from you, they need your public key, which is what the certificate contains.
On the other hand, you must never communicate your associated private key to them.
To do this, right-click the desired certificate and click: All Tasks -> Export.
Select "No, do not export the private key".
Note: if you are exporting a certificate for which you don't have the associated private key (which is particularly the case if you are trying to export a certificate present in the "Trusted Root Certification Authorities" certificate store), this step will not appear.
Since only the certificate will be exported and NOT its private key, the proposed format will be ".cer".
When you export a certificate without its private key, you have 3 options:
Click "Browse" to choose where you want to store the ".cer" or ".p7b" certificate that will be exported and under what name.
Then, click Next.
Click "Finish" to confirm the export of this certificate.
The "The export was successful" message appears.
As expected, if you open the exported ".cer" certificate (by double-clicking on it), you will see that no message indicates that a private key is present, which proves that it was not exported.
If you exported the certificate in ".p7b" format, you will see that this file contains:
Note that if you exported the certificate in "Base-64 encoded X.509 (*.cer)" format (the format commonly used on Linux), you will be able to open it with Notepad and you will see that its contents look like this:
-----BEGIN CERTIFICATE----- xxxxxxxxxxxxxxxxxxxxxxxxxxxx... -----END CERTIFICATE-----
This is useful when the application to be protected asks you to paste the certificate as simple text rather than sending a file.
On the other hand, if you exported it in "DER encoded binary X.509 (.CER)" format (Microsoft format), you will not be able to display it as text.
Note that the "Cryptographic Message Syntax Standard - PKCS #7 Certificates (.P7B)" format is also not readable as text and the preview will look similar to what is shown below.
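The same three private-key-less exports from PowerShell, followed by the two checks described above (no private key, text versus binary), as an added example that is not part of the original tutorial. Thumbprint and output folder are placeholders; the P7B here holds only the end-entity certificate.

```powershell
# Added example (not from the original tutorial): export a certificate WITHOUT its
# private key in the three formats offered by the wizard, then show that the DER
# and PKCS #7 files are binary while the Base-64 file is plain text.
$Thumbprint = 'PLACEHOLDER_THUMBPRINT'   # placeholder: copy from the Details tab
$OutDir     = 'C:\Temp'                  # placeholder output folder
$cert = Get-ChildItem -Path "Cert:\LocalMachine\My\$Thumbprint"

# 1) "DER encoded binary X.509 (.CER)" (Microsoft format)
Export-Certificate -Cert $cert -Type CERT -FilePath "$OutDir\cert-der.cer" | Out-Null

# 2) "Base-64 encoded X.509 (.cer)" (PEM text). Export-Certificate has no Base-64
#    switch, so the PEM text is built from the raw DER bytes of the certificate
$pem = "-----BEGIN CERTIFICATE-----`r`n" +
       [Convert]::ToBase64String($cert.RawData, 'InsertLineBreaks') +
       "`r`n-----END CERTIFICATE-----"
Set-Content -Path "$OutDir\cert-base64.cer" -Value $pem -Encoding Ascii

# 3) "PKCS #7 Certificates (.P7B)"; only the end-entity certificate is included here
Export-Certificate -Cert $cert -Type P7B -FilePath "$OutDir\cert.p7b" | Out-Null

# Check 1: reloading the .cer files gives a certificate with HasPrivateKey = False,
# i.e. the private key was not exported (the "no private key" situation in the wizard)
foreach ($f in 'cert-der.cer', 'cert-base64.cer') {
    $c = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("$OutDir\$f")
    '{0,-16} private key present: {1}' -f $f, $c.HasPrivateKey
}

# Check 2: DER and PKCS #7 files start with the ASN.1 SEQUENCE byte 0x30 (binary),
# whereas the Base-64 file starts with the '-----BEGIN' text header
foreach ($f in 'cert-der.cer', 'cert-base64.cer', 'cert.p7b') {
    $first = [IO.File]::ReadAllBytes("$OutDir\$f")[0]
    $kind  = if ($first -eq 0x30) { 'binary (DER / PKCS #7)' } else { 'text (Base-64)' }
    '{0,-16} first byte 0x{1:X2} -> {2}' -f $f, $first, $kind
}
```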
® InformatiWeb-Pro.net - InformatiWeb.net 2008-2022 - © Lionel Eppe - All rights reserved.