Install CA root certificates to Trusted Root Certification Authorities store

Using XP Pro SP3 with all updates. Want to copy my CA Root certificates to another computer. This is so I can access encrypted data saved on a USB drive. When I open the dialogue box I have 3. When I view the Certs, I receive the error message “This CA Root certificate is not trusted. To enable trust, install this certificate in the Trusted Root Certification Authorities store.” I have read many solutions on the site and none work for this problem. How do I “install” this cert in the Trusted Root Certification Authorities store?
GAksland Asked:
 
centerv Commented:
No, you need the key as well for it to work.  In order to export the key, you need to be logged in as the original admin that set up the key or have a backup of the key to restore. We are talking about EFS?
You may be able to use the migrate tool to export the cer but if it's a small USB drive, you can unprotect the files by putting them on a network shared folder and moving them over to another drive.
Make a new cer at next location and back up.
You should receive a warning that the files will no longer be encrypted when shared. Test before making the move.
Good luck
http://technet.microsoft.com/en-us/library/cc722147(WS.10).aspx 
0
 
acurrey Commented:
If you have the cert on the computer you want to use to access the USB drive, this is fairly simple. If you are using IE, open:
 Internet Options>>Content>>Certificates>>Trusted Root Certification Authorities>>Import>>Next>>Browse (to the location where the certs are located)>>Select the 'Place all certificates in the following store' and set it to 'Trusted Root Certification Authorities'>>Next
then click yes on the dialogue box, and OK.
0
 
Paranormastic (Cryptographic Engineer) Commented:
Open Certificates MMC (local computer) - expand Personal - right-click Certificates - All tasks - Import - browse to the root cert file and finish up the wizard.
0
 
Paranormastic (Cryptographic Engineer) Commented:
Ack - sorry.. I just posted the wrong cert store...  almost time to go home...

For a root cert follow same instructions except instead of Personal - Certificates, do the same under Trusted Root Certification Authorities - Certificates.

If you have a subordinate CA then you might also try importing that, only do that under the Intermediate Certification Authorities section.
0
 
GAksland (Author) Commented:
acurrey: The names of the three certs are simply my name Gary with 3 different dates. I have searched for files with *.cer extension on my disk in the date range the certs were originated. I have looked through property trying to determine what the file name actually is, but have not been successful. Having not worked with certificates before I am not able to locate the 3 files in question because I'm not sure what they are named, or where they should be on my disk.

Thanks for your help
0
 
Paranormastic (Cryptographic Engineer) Commented:
certutil -viewstore root

This will open a box that will contain all the root certificates you have installed under the machine context, but not the default ones you get from the MS root program.

If you don't find it there, you could try a few other things like:
certutil -user -viewstore root
certutil -enterprise -viewstore root
certutil -viewstore my
certutil -user -viewstore my
certutil -viewstore ca

If you had exported it before, you might also try searching for .crt if .cer did not pan out.  If you had included the private key then it would be .pfx.  If you had included the root certificate chain then .p7b.
0
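Added example, not part of the original thread or any poster's code: when the file names are unknown, the container types mentioned in the comment above (.cer/.crt, .p7b, .pfx) can be told apart by their leading ASN.1 bytes, which also shows which files could carry a private key. The file names and byte strings are constructed samples, and the check is a heuristic, since other ASN.1 structures such as CRLs also begin with a nested SEQUENCE.

```python
import base64
import re

# DER encoding of OID 1.2.840.113549.1.7.2 (PKCS#7 signedData)
PKCS7_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")

def first_child(der):
    """Return (tag, value) of the first element inside the outer SEQUENCE."""
    if len(der) < 4 or der[0] != 0x30:
        raise ValueError("not an ASN.1 SEQUENCE")
    pos = 2 + (der[1] & 0x7F if der[1] & 0x80 else 0)   # skip long-form length octets
    if pos + 2 > len(der):
        raise ValueError("truncated")
    tag, length, start = der[pos], der[pos + 1], pos + 2
    if length & 0x80:                                    # long-form length of the child
        n = length & 0x7F
        length, start = int.from_bytes(der[start:start + n], "big"), start + n
    return tag, der[start:start + length]

def classify(data):
    """Return (format, may_hold_private_key) judged from file content."""
    pem = re.search(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", data, re.S)
    if pem:                                  # Base64 export: unwrap, then inspect the DER
        if b"PRIVATE KEY" in pem.group(1):
            return ("PEM private key", True)
        data = base64.b64decode(pem.group(2))
    try:
        tag, value = first_child(data)
    except ValueError:
        return ("unknown", False)
    if tag == 0x30:      # Certificate starts SEQUENCE { tbsCertificate SEQUENCE ... }
        return ("X.509 certificate (.cer/.crt)", False)
    if tag == 0x06 and value == PKCS7_SIGNED_DATA:
        return ("PKCS#7 certificate chain (.p7b)", False)
    if tag == 0x02 and value == b"\x03":     # PFX starts with version INTEGER 3
        return ("PKCS#12 (.pfx)", True)
    return ("unknown", False)

# Constructed, truncated samples: only the leading bytes that classify() inspects.
SAMPLES = {
    "gary1.cer": bytes.fromhex("3003300100"),
    "gary2.crt": b"-----BEGIN CERTIFICATE-----\nMAMwAQA=\n-----END CERTIFICATE-----\n",
    "chain.p7b": bytes.fromhex("300b0609") + PKCS7_SIGNED_DATA,
    "backup.pfx": bytes.fromhex("3003020103"),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, classify(blob))
```

To check real files, pass `open(path, "rb").read()` to `classify()`; only a result with `True` in the second position can contain the private key.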
 
GAksland (Author) Commented:
I have no certutil on this machine. It is XP SP3 with all updates, a Dell Professional Work Station M65. Is certutil a program associated with a newer version of Windows?
0
 
Paranormastic (Cryptographic Engineer) Commented:
You can do that from a win2003 or newer server, or from Vista or newer.  You can also install the win2003 sp1 adminpak and get certutil on your workstation.
0
 
GAksland (Author) Commented:
Thank you, I will try this (have been gone for a few days) to see if it works.
0
 
GAksland (Author) Commented:
I have been reading about installing the win2003 sp1 in XP Pro. There are quite a few 'gotchas'. Is there any other way to do this? The directions say I must uninstall all previous versions of the Administration Tools Pack before installing this version. If there is any other way to write these certificates out, I would rather not take the chance of causing problems with my XP system which runs great now.
0
 
centerv Commented:
certutil.exe is available in Vista and Win7. You may be able to copy and use in yours.
Use info here  http://www.greatis.com/vista/Utilities/c/certutil.exe.htm

If you're using the certificates now, they're most likely under the Intermediate Certification Authority tab at Internet Options/Content/Certificates
Export and install in the Trusted Authority.
0
 
GAksland (Author) Commented:
This is what I find on Microsoft's help .... there is only a specific version from 2003 Administration pack, and there are numerous "gotchas" associated with installing that. My computer is stable and runs great, I would prefer another approach if possible .........  The following from MS website

The only version of Certutil.exe that Windows XP supports is available in the Microsoft Windows Server 2003 Administration Pack. To download the Windows Server 2003 Administration Pack, visit the following Microsoft Web site:
http://www.microsoft.com/downloads/details.aspx?FamilyID=C16AE515-C8F4-47EF-A1E4-A8DCBACFF8E3&displaylang=en

If you have update 907247 installed on Windows XP SP2, the version of Certutil.exe that supports the -pulse command is available in the SP1 version of the Windows Server 2003 Administration Pack. To download it, visit the following Microsoft Web site:
http://www.microsoft.com/downloads/details.aspx?FamilyID=e487f885-f0c7-436a-a392-25793a25bad7&DisplayLang=en
0
 
centerv Commented:
Let me back up a bit.
Can you export the certificate as a file?
0
 
Paranormastic (Cryptographic Engineer) Commented:
You can also open the Certificates MMC under both current user and local computer and check that way by viewing each of the stores looking for your cert.
0
 
GAksland (Author) Commented:
centerv,
When in the certificate export wizard there are 2 options
1) Yes, export the private key (this is greyed out and I can't select it)
2) No, do not export the private key. This is pre-selected and the note following
Note: The associated private key cannot be found. Only the certificate can be exported

I then select next, the default is to export in DER X.509 (.CER) format

It is exported; when I open this file I get this message "This CA Root certificate is not trusted. To enable trust install this certificate in the Trusted Root Certification Authorities Store."

1) How can I 'install' this cert in the Trusted Root Certification Authorities Store, and password protect?

2) If I take this cert to another computer and run it and it asks "install certificate" will it be installed and will the encrypted files from the parent computer be accessible on the computer I installed the cert on?

Hopefully .... Gary
0
 
Paranormastic (Cryptographic Engineer) Commented:
You don't need to password protect it - you should be importing the .cer which is the public cert, not the .pfx which has the private key.

When you install the cert, choose to manually select the store - browse - checkmark 'show physical stores' and expand 'Trusted root certification authorities' and select 'local computer' then finish up the wizard.  That would be for the root CA cert; for sub CAs the process is similar but put under 'intermediate certification authorities' instead of trusted root.
0
 
GAksland (Author) Commented:
I appreciate your help. I am still trying to make this work, using your suggestions. I have been gone a few days. I will let you know as soon as I am successful, but as yet, am still having problems getting it working.

Gary
0
 
GAksland (Author) Commented:
Using the above suggestions, I still have not been able to accomplish my task of saving the certificates to be used on another computer. I need to get this done. I appreciate the efforts of the experts. I would like to split the points between Paranormastic and centerv, and have tried to do that, but the only option I see is to give all the points to one or the other. When I select 'accept a solution' I only have the option of giving all the points to the one I have selected.
0
 
GAksland (Author) Commented:
Still have not been able to get this to work as yet.

Thanks for your suggestions  .....   Gary
0
Question has a verified solution.
