How To Download And Import Trusted Root CA Certificates From Internal Certificate Authority Server?

Many medium to large-scale companies deploy their own Public Key Infrastructure (PKI) within their network to keep their infrastructure secure. To do so, they deploy certificates issued by the internal PKI on all devices. However, deploying a digital certificate alone does not work if the device does not trust the root CA that signed it. The chain certificates (root CA and subordinate CA certificates) must be imported on every machine that joins the trusted internal network. Let’s look at the detailed procedure for importing trusted root CA certificates from the internal certificate authority server.

The procedure shown here for importing trusted root CA certificates is the same for public certificates. In the case of public certificates, however, the certificate provider shares the root CA certificate. What about private PKI certificates? There are always two options: either you get the root CA certificate from the internal PKI service team, or you download the root CA certificate yourself from the internal PKI portal. To make the process easier, we cover the root CA certificate download before importing it into the trusted store on your machine.

Time needed: 5 minutes.

How to download and import trusted root CA certificates?

  1. Log in to the internal PKI server portal to download the root CA certificate.

    Click on ‘Download a CA certificate, certificate chain, or CRL’.

  2. Download the root CA certificates.

    You will see three options.
    1. Download CA certificate: Click on this option to download the certificate of the CA server which you have been accessing. If you log in to a root CA portal, you can download the root CA certificate from here. If you have been accessing any intermediate or subordinate CA portal, you will download the respective intermediate or subordinate CA certificate.

    2. Download CA certificate chain: This option lets you download the complete chain of certificates in a p7b archive. This is the recommended option, as it downloads all the subordinate and root CA certificates for you.

    3. Download latest base CRL: This will not download any certificates. However, it will download the Certificate Revocation List of the CA server, which tells about the active, revoked, and expired certificates.

  3. Root CA certificates

    Here you can see the downloaded certificates. If you look at the certificate type, you can see that two types of files were downloaded.
    1. The first file is a single certificate as a cer file. You get this from the first option in step 2.
    2. The second file is a p7b archive with all the root and intermediate CA certificates, obtained from the second option in step 2.

  4. Importing root CA certificate:

    There are two ways to import root CA certificates to a Windows machine:
    1. Certificate Import Wizard
    2. MMC console

  5. Method 1: Certificate Import Wizard

    In the first method, just right-click on the downloaded certificate and select ‘Install Certificate’.

  6. Certificate import wizard

    Click Next in the Certificate Import Wizard.

  7. Select certificate import store:

    Select the second option and browse to the Trusted Root Certification Authorities store.

  8. Completing import root CA certificate process
    Click Finish to complete the process.

  9. Method 2: MMC console

    Press Win + R to open the Run utility.
    Type mmc in the box.
    Press OK.

  10. Add Certificate Snap-in

    Go to File > Add/Remove Snap-in.

  11. Select Certificates and press Add

  12. Select the User or Computer Certificate snap-in

    Select the account whose certificates you want the snap-in to manage. For this demonstration, we choose Computer account.
    Click Next.

  13. Select Local Computer

    Select Local computer, as you are going to import the certificate on the same computer.
    Click Finish.

  14. Select Certificates (Local Computer) and click OK

  15. Load MMC

    You will see the certificate in the Personal store.

  16. Import the certificate

    Right-click on Trusted Root Certification Authorities. Select All Tasks > Import.

  17. Certificate import wizard from MMC

    Click Next.

  18. Browse the root CA certificate

  19. Select the certificate store
    Select the second option and browse to the Trusted Root Certification Authorities store.

  20. Completing import root CA certificate process

    Click Finish to complete the process.
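
The same import can be scripted. The PowerShell below is an added example, not part of the original post: it loads the downloaded p7b chain, refuses to continue unless the self-signed root matches a thumbprint confirmed out of band with the PKI team, and goes one step beyond the wizard steps above by placing only the root in Trusted Root Certification Authorities and any subordinate CA certificates in the Intermediate Certification Authorities store. The file path and the thumbprint placeholder are assumptions; run it from an elevated prompt.

```powershell
# Added example: scripted equivalent of the wizard/MMC import (run elevated).
# Assumptions, not from the original page: the file path and the expected thumbprint.
$ChainFile          = 'C:\Temp\certnew.p7b'                 # hypothetical download location
$ExpectedThumbprint = '<ROOT-CA-THUMBPRINT-FROM-PKI-TEAM>'  # placeholder, obtained out of band

# Load every certificate in the .p7b (a single .cer file loads the same way).
$certs = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$certs.Import($ChainFile)

# A root CA certificate is self-signed: its subject and issuer names are identical.
$roots         = @($certs | Where-Object { $_.Subject -eq $_.Issuer })
$intermediates = @($certs | Where-Object { $_.Subject -ne $_.Issuer })
if ($roots.Count -ne 1) {
    throw "Expected exactly one self-signed root in $ChainFile, found $($roots.Count)."
}
$root = $roots[0]

# Show what is about to be trusted so it can be reviewed.
$certs | Format-List Subject, Issuer, NotBefore, NotAfter, Thumbprint

# Refuse to import unless the root matches the value confirmed out of band.
$expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
if ($root.Thumbprint -ne $expected) {
    throw "Root thumbprint $($root.Thumbprint) does not match the expected value."
}
if ($root.NotAfter -lt (Get-Date)) {
    throw "Root CA certificate expired on $($root.NotAfter)."
}

# Add a certificate to a LocalMachine store ('Root' = Trusted Root, 'CA' = Intermediate).
function Add-ToStore($Certificate, $StoreName) {
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($StoreName, 'LocalMachine')
    $store.Open('ReadWrite')
    try { $store.Add($Certificate) } finally { $store.Close() }
}

Add-ToStore $root 'Root'
foreach ($ca in $intermediates) { Add-ToStore $ca 'CA' }

# Confirm the root is now present in the Trusted Root store.
Get-ChildItem Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $root.Thumbprint
```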


This is how you can download and import a root CA certificate on a Windows machine from the internal Certificate Authority server.

Thanks for reading the post. We believe this post has helped you import a root CA certificate on a Windows machine.

About the author

Arun KL

Arun KL is a cybersecurity professional with 15+ years of experience spanning IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.
