GAksland
asked on
Install CA root certificates to Trusted Root Certification Authorities store
Using Xp Pro Sp3 with all updates. Want to copy my CA Root certificates to another computer. This is so I can access encrypted data saved on a USB drive. When I open the dialogue box I have 3. When I view the the Certs, I receive the error message “This CA Root certificate is not trusted. To enable trust, install this certificate in the Trusted Root Certification Authorities store.” I have read many solutions on the site and none work for this problem. How do I “install” this cert in the Trusted Root Certification Authorities store?
Open Certificates MMC (local computer) - expand Personal - right-click Certificates - All tasks - Import - browse to the root cert file and finish up the wizard.
Ack - sorry.. I just posted the wrong cert store... almost time to go home...
For a root cert follow same instructions except instead of Personal - Certificates, do the same under Trusted Root Certification Authorities - Certificates.
If you have a subordinate CA then you might also try importing that, only do that under the Intermediate Certification Authorities section.
For a root cert follow same instructions except instead of Personal - Certificates, do the same under Trusted Root Certification Authorities - Certificates.
If you have a subordinate CA then you might also try importing that, only do that under the Intermediate Certification Authorities section.
ASKER
acurrey: The names of the three certs are simply my name Gary with 3 different dates. I have searched for files with *.cer extension on my disk in the date range the certs were originated. I have looked through property trying to determine what the file name actually is, but have not been successful. Having not worked with certificates before I am not able to locate the 3 files in question because I'm not sure what they are named, or where they should be on my disk.
Thanks for your help
Thanks for your help
certutil -viewstore root
This will open a box that will contain all the root certificates you have installed under the machine context, but not the default ones you get from the MS root program.
If you don't find it there, you could try a few other things like:
certutil -user -viewstore root
certutil -enterprise -viewstore root
certutil -viewstore my
certutil -user -viewstore my
certutil -viewstore ca
If you had exported it before, you might also try searching for .crt if .cer did not pan out. If you had included the private key then it would be .pfx. If you had included the root certificate chain the .p7b.
This will open a box that will contain all the root certificates you have installed under the machine context, but not the default ones you get from the MS root program.
If you don't find it there, you could try a few other things like:
certutil -user -viewstore root
certutil -enterprise -viewstore root
certutil -viewstore my
certutil -user -viewstore my
certutil -viewstore ca
If you had exported it before, you might also try searching for .crt if .cer did not pan out. If you had included the private key then it would be .pfx. If you had included the root certificate chain the .p7b.
ASKER
I have no certutil on this machine. It is Xp Sp3 with all updates, a Dell Professional Work Station M65 is certutil a program associated with a newer version of windows?
you can do that from a win2003 or newer server, or from vista or newer. You can also install the win2003 sp1 adminpak and get certutil on your workstation.
ASKER
Thank you I will try this (have been gone for a few days) to see if it works.
ASKER
I have been reading about installing the win2003 sp1 in XP pro. There are quite a few 'gotchas'. Is there any other way to do this? The directions say I must uninstall all previous versions of the Administration Tools Pack before installing this version. If there is anyother way to write these certificates out, I would rather not take the chance of causing problems with my XP system which runs great now.
certutil.exe is available in vista and win7. You may be able to copy and use in yours.
Use info here http://www.greatis.com/vista/Utilities/c/certutil.exe.htm
If you're using the certificates now, they're most likely under the Intermediate Certification Authority tab
at Internet Options/Conten/Certificate
Export and install in the Trusted Authority.
Use info here http://www.greatis.com/vista/Utilities/c/certutil.exe.htm
If you're using the certificates now, they're most likely under the Intermediate Certification Authority tab
at Internet Options/Conten/Certificate
Export and install in the Trusted Authority.
ASKER
This is what I find on Microsoft's help .... there is only a specific version from 2003 Administration pack, and there are numerous "gotchas" associated with installing that. My computer is stable and runs great, I would prefer another approach if possible ......... The following from MS website
The only version of Certutil.exe that Windows XP supports is available in the Microsoft Windows Server 2003 Administration Pack. To download the Windows Server 2003 Administration Pack, visit the following Microsoft Web site:
http://www.microsoft.com/downloads/details.aspx?FamilyID=C16AE515-C8F4-47EF-A1E4-A8DCBACFF8E3&displaylang=en (http://www.microsoft.com/downloads/details.aspx?FamilyID=C16AE515-C8F4-47EF-A1E4-A8DCBACFF8E3&displaylang=en)
If you have update 907247 installed on Windows XP SP2, the version of Certutil.exe that supports the -pulse command is available in the SP1 version of the Windows Server 2003 Administration Pack. To download it, visit the following Microsoft Web site:
http://www.microsoft.com/downloads/details.aspx?FamilyID=e487f885-f0c7-436a-a392-25793a25bad7&DisplayLang=en
The only version of Certutil.exe that Windows XP supports is available in the Microsoft Windows Server 2003 Administration Pack. To download the Windows Server 2003 Administration Pack, visit the following Microsoft Web site:
http://www.microsoft.com/downloads/details.aspx?FamilyID=C16AE515-C8F4-47EF-A1E4-A8DCBACFF8E3&displaylang=en (http://www.microsoft.com/downloads/details.aspx?FamilyID=C16AE515-C8F4-47EF-A1E4-A8DCBACFF8E3&displaylang=en)
If you have update 907247 installed on Windows XP SP2, the version of Certutil.exe that supports the -pulse command is available in the SP1 version of the Windows Server 2003 Administration Pack. To download it, visit the following Microsoft Web site:
http://www.microsoft.com/downloads/details.aspx?FamilyID=e487f885-f0c7-436a-a392-25793a25bad7&DisplayLang=en
Let me back up a bit.
Can you export the certificate as file?
Can you export the certificate as file?
You can also open the Certificates MMC under both current user and local computer and check that way by viewing each of the stores looking for your cert.
ASKER
centerv,
When in the certificate export wizard there are 2 options
1) Yes, export the private key (this is greyed out and I cant select it)
2) No, do not export the private key. This is pre selected and the note following
Note: The associated private key cannot be found. Only the certificate can be exported
I then select next, the default is to export in DER X.509 (.CER) format
it is exported, when I open this file I get this message "This CA Root certificate is not trusted. to enable trust install this certificate in the Trusted Root Certification Authorities Store.
1) How can I 'install' this cert in the Trusted Root Certification Authorities Store, and password protect?
2) If I take this cert to another computer and run it and it asks "install certificate" will it be installed and will the encrypted files from the parent computer be accesable on the computer I installed the cert on?
Hopefully .... Gary
When in the certificate export wizard there are 2 options
1) Yes, export the private key (this is greyed out and I cant select it)
2) No, do not export the private key. This is pre selected and the note following
Note: The associated private key cannot be found. Only the certificate can be exported
I then select next, the default is to export in DER X.509 (.CER) format
it is exported, when I open this file I get this message "This CA Root certificate is not trusted. to enable trust install this certificate in the Trusted Root Certification Authorities Store.
1) How can I 'install' this cert in the Trusted Root Certification Authorities Store, and password protect?
2) If I take this cert to another computer and run it and it asks "install certificate" will it be installed and will the encrypted files from the parent computer be accesable on the computer I installed the cert on?
Hopefully .... Gary
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
I appreciate you help, I am still trying to make this work, useing your suggestions. I have been gone a few days, I will let you know as soon as I am successful, but as yet, am still having problems, getting it working.
Gary
Gary
ASKER
Using the above suggestions, I still have not been able to accompilish my task of saving the certificates to be used on another computer. I need to get this done, I appreciate the efforts of the experts, I would like to split the points between Paranormastic and centerv, and have tried to do that but the options I see is to give all the poiints to one or the other. When I select 'accept a solution' I only have the option of giveing all the poiints to the one I have selected.
ASKER
Still have not been able to get this to work as yet.
Thanks for your suggestions ..... Gary
Thanks for your suggestions ..... Gary
Internet Options>>Content>>Certific
then click yes on the dialogue box, and OK.