Many medium to large-scale companies deploy their own PKI (Public Key Infrastructure) within their network to keep their infrastructure secure. To do so, they try to deploy certificates issued by the internal PKI on all devices. Deploying a certificate alone does not work if the device does not trust the root CA that signed it. The chain certificates (root CA and subordinate CA certificates) must be imported on all the machines that join the trusted internal network. Let’s look at the detailed procedure to import trusted root CA certificates from the internal certificate authority server.
The procedure shown here to import trusted root CA certificates is the same for public certificates. In the case of public certificates, however, the certificate provider will share the root CA certificate. But what will you do with private PKI certificates? There are always two options: either you get the root CA certificate from the internal PKI service team, or you download the root CA certificate yourself from the internal PKI portal. To make this easier, we cover the root CA certificate download process here before importing the certificate into the trusted store on your machine.
Click on ‘Download a CA certificate, certificate chain, or CRL’.
You will see three options.
1. Download CA certificate: Click on this option to download the certificate of the CA server that you have been accessing. If you log in to a root CA portal, you can download the root CA certificate from here. If you have been accessing any intermediate or subordinate CA portal, you will download the respective intermediate or subordinate CA certificate.
2. Download the CA certificate chain: This option will let you download the complete chain of certificates in the p7b archive. This is the recommended option as it downloads all the subordinate and root CA certificates for you.
3. Download the latest base CRL: This will not download any certificates. However, it will download the Certificate Revocation List of the CA server, which tells about the active, revoked, and expired certificates.
Here you can see the downloaded certificates. If you look at the certificate type, you can see that two types of certificates are downloaded.
1. The first file is a single certificate as a cer file. You get this from the first option in step 2.
2. The second is a p7b archive file with all the root and intermediate CA certificates, obtained from the second option in step 2.
There are two ways to import root CA certificates to a Windows machine:
1. Certificate Import Wizard
2. MMC console
In the first method, just right-click on the downloaded certificate and select ‘Install Certificate’.
1. Certificate import wizard
Click Next in the certificate import wizard
2. Select certificate import store:
Select the second option and browse to the Trusted Root Certification Authorities store.
3. Completing import root CA certificate process
Click Finish to complete the process.
Hit Win + R to open the Run utility. Type mmc in the box. Press OK.
1. Add Certificate Snap-in
Go to File > Add/Remove Snap-in.
2. Select Certificates and press Add
3. Select the User or Computer Certificate snap-in
Select the account whose certificates you want to manage with the snap-in. For this demonstration we are choosing Computer account. Click Next.
4. Select Local Computer
Select the local computer, as you are going to import the certificate on the same computer. Click Finish.
5. Select Certificates (Local Computer) and click OK
6. Load MMC
You will see the certificate in the personal store.
7. Import the certificate
Right-click on Trusted Root Certification Authorities. Select All Tasks -> Import.
8. Certificate import wizard from MMC
Click Next.
9. Browse the root CA certificate
10. Select the certificate store
Select the second option and browse to the Trusted Root Certification Authorities store.
11. Completing import root CA certificate process
Click Finish to complete the process.
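The same import done from an elevated PowerShell prompt, as an added example that is not part of the original post: it reads the downloaded p7b chain, refuses to trust a root whose thumbprint does not match a value obtained separately from the PKI team, and places the root and the subordinate CA certificates in their respective machine stores. The file path and the expected thumbprint are placeholders (assumptions), and the self-issued test is a name comparison only.

```powershell
# Added example. Placeholders (assumptions): the .p7b path and the expected root
# thumbprint, which must come from the PKI team over a separate channel.
$ChainPath         = 'C:\Temp\certnew.p7b'
$ExpectedRootThumb = '<ROOT-CA-THUMBPRINT-FROM-PKI-TEAM>'

$certs = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$certs.Import($ChainPath)          # loads every certificate in the PKCS#7 bundle
$expected = ($ExpectedRootThumb -replace '\s', '').ToUpper()

# Pass 1: classify every certificate and validate the root before touching any store.
$plan = foreach ($cert in $certs) {
    $bc = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
    }
    if (-not ($bc -and $bc.CertificateAuthority)) {
        Write-Warning "Skipping non-CA certificate: $($cert.Subject)"
        continue
    }
    if ($cert.Subject -eq $cert.Issuer) {
        # Self-issued certificate: candidate root. Stop unless it is the expected one.
        if ($cert.Thumbprint -ne $expected) {
            throw "Root thumbprint $($cert.Thumbprint) does not match the expected value."
        }
        $storeName = 'Root'        # Trusted Root Certification Authorities
    } else {
        $storeName = 'CA'          # Intermediate Certification Authorities
    }
    [pscustomobject]@{ Cert = $cert; Store = $storeName }
}

# Pass 2: add each certificate to its Local Computer store.
foreach ($item in $plan) {
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store(
        $item.Store, 'LocalMachine')
    $store.Open('ReadWrite')
    try     { $store.Add($item.Cert) }
    finally { $store.Close() }
    Write-Host "Added $($item.Cert.Subject) to LocalMachine\$($item.Store)"
}

# Confirm the root is now present in the machine's trusted root store.
Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $expected }
```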
This is how you can download and import the root CA certificate on the Windows machine from the internal Certificate Authority Server.
Thanks for reading the post. We believe this post has helped in importing root CA certificates on Windows machines.
Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.