JSI Tip 5295. How do I manage certificates in Windows 2000?
May 9, 2002
NOTE: The text in the following Microsoft Knowledge Base article is provided so that the site search can find this page. Please click the Knowledge Base link to ensure that you are reading the most current information.
Microsoft Knowledge Base article Q320878 contains:
IN THIS TASK
SUMMARY
How to Add the Certificates Snap-in to MMC
Adding a Certificates Snap-in for Your User Account
Adding a Certificates Snap-in for a Computer
Adding a Certificates Snap-in for a Service
How to Configure Display Options
Displaying Certificate Stores in Logical Store Mode or Purpose Mode
Displaying Archived Certificates
How to Request and Renew Certificates
Requesting a Certificate
Requesting a Certificate with the Same Key
Renewing a Certificate with a New Key
Renewing a Certificate with the Same Key
How to Import and Export Certificates
Importing a Certificate
Exporting a Certificate
REFERENCES
SUMMARY
This step-by-step article describes how to perform managerial tasks for certificates in Windows 2000. To complete the procedures that are described in this article, you must be a member of the Administrators group on a computer that is running Windows 2000 Advanced Server.
How to Add the Certificates Snap-in to MMC
If you want to manage certificates for your user account, a computer, or a service, you must add separate Certificates snap-ins to Microsoft Management Console (MMC).
Adding a Certificates Snap-in for Your User Account
Click Start, click Run, type mmc, and then click OK.
On the Console menu, click Add/Remove Snap-in, and then click Add.
Under Snap-in, double-click Certificates, and then perform one of the following steps, as appropriate:
If you are logged on as an administrator, click My user account, and then click Finish.
If you are logged on as a user, wait for the Certificates snap-in to load automatically.
Click Close.
Certificates - Current User appears on the list of selected snap-ins for the new console.
If you do not want to add more snap-ins to the console, click OK.
To save this console, click Save on the Console menu.
Adding a Certificates Snap-in for a Computer
Log on to the computer as an administrator.
Click Start, click Run, type mmc, and then click OK.
Click Add/Remove Snap-in on the Console menu, and then click Add.
Under Snap-in, double-click Certificates, click Computer account, and then click Next.
Perform one of the following steps, as appropriate:
To manage certificates for the local computer, click Local computer, and then click Finish.
To manage certificates for a remote computer, click Another computer, either type the name of the computer or click Browse to select the computer name, and then click Finish.
Click Close.
Certificates (Computer Name) appears on the list of selected snap-ins for the new console.
If you do not want to add another snap-in to the console, click OK.
To save this console, click Save on the Console menu.
NOTE: To manage certificates for another computer, you can either create another instance of the Certificates snap-in in the console or right-click Certificates (Computer Name) and click Connect to Another Computer.
Adding a Certificates Snap-in for a Service
Log on to the computer as an administrator.
Click Start, click Run, type mmc, and then click OK.
Click Add/Remove Snap-in on the Console menu, and then click Add.
Under Snap-in, double-click Certificates, click Service account, and then click Next.
Perform one of the following steps, as appropriate:
To manage certificates for services on your local computer, click Local computer, and then click Next.
To manage certificates for a remote computer, click Another computer, either type the name of the computer or click Browse to select the computer name, and then click Finish.
Click the service for which you are managing certificates.
Click Finish, and then click Close.
Certificates - Service (Service name) on Computer name appears on the list of selected snap-ins for the new console.
If you do not want to add another snap-in to the console, click OK.
To save this console, click Save on the Console menu.
NOTE: To manage certificates for a service on another computer, you can either create another instance of the Certificates snap-in in the console or right-click Certificates (Computer Name), and then click Connect to Another Computer.
How to Configure Display Options
Displaying Certificate Stores in Logical Store Mode or Purpose Mode
Open the MMC that contains the Certificates snap-in.
Click Certificates - certificate holder, where certificate holder is one of the Certificates snap-ins that you created (user, computer, or service).
Click Options on the View menu.
Under Organize view mode by, click either of the following items:
Logical Certificate Stores
-or-
Certificate purpose
Displaying Archived Certificates
Open the MMC that contains the Certificates snap-in.
Click Certificates - certificate holder, where certificate holder is one of the Certificates snap-ins that you created (user, computer, or service).
Click Options on the View menu.
Under Show the following, click to select the Archived certificates check box.
NOTE: Archived certificates are certificates that have expired or have been renewed. In many situations, it is good practice to retain archived certificates rather than delete them. For example, you must keep an archived certificate to verify digital signatures on old documents that are signed by using the key on the expired or renewed certificate.
How to Request and Renew Certificates
Requesting a Certificate
Open the MMC that contains the Certificates snap-in.
In the console tree, click one of the Certificates snap-ins that you created (such as Certificates - Current User or Certificates Computer Name).
Perform one of the following steps, as appropriate:
If you are working in the Logical Certificate Stores view mode, click Personal.
If you are working in the Certificate Purpose view mode, click the appropriate certificate purpose mode.
Point to All Tasks on the Action menu, and then click Request New Certificate to start the Certificate Request Wizard.
In the Certificate Request Wizard, configure the appropriate settings:
Enter the type of certificate you want to request.
Enter the cryptographic service provider (CSP) you are using. NOTE: Enter this information if you have selected Advanced Options.
Turn on strong private key protection. If you turn on strong private key protection, you are prompted for a password every time the private key is used. This setting is useful if you want to make sure that the private key is not used without your knowledge. NOTE: Configure this option if you have selected Advanced Options.
If you have more than one certification authority (CA) available, enter the name of the CA that issues the certificate. NOTE: Enter this information if you have selected Advanced Options.
Enter a friendly name for your new certificate.
After you complete the Certificate Request Wizard, click Install Certificate.
Use this procedure to request certificates from an enterprise CA only. To request certificates from a stand-alone CA, you must request certificates by using Web pages. A Windows 2000 CA has its Web pages located at http://server_name/certsrv, where server_name is the name of the Windows 2000-based server that is hosting the CA.
NOTE: To request a Digital Signature Standard (DSS) certificate from an enterprise CA, select the User Signature Only certificate template in the Certificate Request Wizard.
Requesting a Certificate with the Same Key
Open the MMC that contains the Certificates snap-in.
In the console tree, click Certificates under Personal.
In the details pane, click the certificate that is associated with the public key that you want to associate with the new certificate.
On the Action menu, point to All Tasks, and then click Request Certificate with New Key to start the Certificate Request Wizard.
In the Certificate Request Wizard, enter the following information:
Enter the type of certificate that you want to request.
If you have more than one certification authority (CA) available, enter the name of the CA that issues the certificate. NOTE: Enter this information if you have selected Advanced Options.
Enter a friendly name for your new certificate.
After you complete the Certificate Request Wizard, click Install Certificate.
Renewing a Certificate with a New Key
Open the MMC that contains the Certificates snap-in.
In the console tree, click Certificates under Personal.
In the details pane, click the certificate that you want to renew.
On the Action menu, point to All Tasks, and then click Renew Certificate with New Key to start the Certificate Renewal Wizard.
In the Certificate Renewal Wizard, perform one of the following steps:
Use the default values to renew the certificate.
If you are an advanced user, provide your own certificate renewal settings. You must know the CSP and the CA that is issuing the certificate.
Turn on strong private key protection. If you turn on strong private key protection, you are prompted for a password every time the private key is used. This setting is useful if you want to make sure that the private key is not used without your knowledge.
After you complete the Certificate Renewal Wizard, click Install Certificate.
After you renew the certificate, the old certificate is archived.
Use this procedure to request certificates from an enterprise CA only. To request certificates from a stand-alone CA, you must request certificates by using Web pages. A Windows 2000 CA has its Web pages located at http://server_name/certsrv, where server_name is the name of the Windows 2000-based server that is hosting the CA.
You can renew certificates that are issued to Internet Information Services (IIS) 5.0 Web servers by using the Web Site Certificate Wizard in Internet Services Manager rather than the Certificates snap-in. If you have IIS installed on your Windows 2000-based server, see the IIS Help topic "Using the New Security Task Wizards" for more information about how to use the Web Site Certificate Wizard to import the contents of a .key file.
Renewing a Certificate with the Same Key
Open the MMC that contains the Certificates snap-in.
In the console tree, click Certificates under Personal.
In the details pane, click the certificate that you want to renew.
On the Action menu, point to All Tasks, and then click Renew Certificate with Same Key to start the Certificate Renewal Wizard.
In the Certificate Renewal Wizard, perform one of the following steps:
Use the default values to renew the certificate.
-or-
Enter your own certificate renewal settings. To do so, you must know the CA that is issuing the certificate.
After you complete the Certificate Renewal Wizard, click Install Certificate.
How to Import and Export Certificates
Importing a Certificate
Open the MMC that contains the Certificates snap-in.
In the console tree, click Certificates under Personal.
Click Import on the All Tasks menu to start the Certificate Import Wizard.
Click the file that contains the certificates that you are importing.
NOTE: If the file that contains the certificates is a Personal Information Exchange (PKCS #12) file, type the password that you used to encrypt the private key, click to select the appropriate check box if you want the private key to be exportable, and then turn on strong private key protection (if you want to use this feature).
NOTE: To turn on strong private key protection, you must use the Logical Certificate Stores view mode.
Perform one of the following steps:
If you want the certificate to be automatically placed in a certificate store based on the type of certificate, click the appropriate check box.
-or-
Specify the location where you want to store the certificate.
You can import a certificate into any logical store. In most situations, you import certificates into either the personal store or the trusted root certification authorities store, depending on whether the certificate is intended for you or if it is a root CA certificate.
To start the Certificate Import Wizard, right-click a file that contains an exported certificate. If you are using DER Encoded Binary X.509 formatted files (that use a .cer file name extension), Base64 Encoded X.509 formatted files (that use a .cer file name extension), or Cryptographic Message Syntax Standard (PKCS #7) formatted files (that use a .p7b file name extension), start Microsoft Windows Explorer, right-click the file, and then click Install Certificate. If you are using a PKCS #12 formatted file (that uses a .pfx file name extension), start Windows Explorer, right-click the file, and then click Install PFX.
The file from which you import certificates remains intact after you import the certificates. You can use Windows Explorer to delete the file if you no longer use it.
If you are moving an IIS Web site and its public keys and private keys from a server that is running Windows NT 4.0 to a server that is running Windows 2000, you cannot use the Certificates snap-in to import the contents of a .key file that you created by using the IIS Web Site Certificate Wizard. You can import the keys and certificate from a .key file to a server that is running Windows 2000 only by using the Web Site Certificate Wizard that is included in IIS 5.0. However, you need to do so only if you are moving the Web site from one computer to another. If you upgrade the Web server's operating system from Windows NT 4.0 to Windows 2000, it automatically uses the existing keys and certificate.
If you have IIS installed on your Windows 2000-based server, see the IIS Help topic "Using the New Security Task Wizards" for more information about how to use the Web Site Certificate Wizard to import the contents of a .key file.
Exporting a Certificate
Open the MMC that contains the Certificates snap-in.
Perform one of the following steps:
If you are using Logical Certificate Stores view mode, in the console tree, expand Certificates - Certificate holder, expand Logical store, and then click Certificates.
If you are in Certificate Purpose view mode, in the console tree, expand Certificates - Certificate holder, and then click Purpose.
In the details pane, click the certificate that you want to export.
On the Action menu, point to All Tasks, and then click Export.
In the Certificate Export Wizard, click No, do not export the private key.
NOTE: This option appears only if the private key is marked as exportable and you have access to the private key.
Select one of the following file formats that you want to use to store the exported certificate:
A DER-encoded file
A Base64-encoded file
A PKCS #7 file
NOTE: If you are exporting the certificate to a PKCS #7 file, decide whether you want to include all certificates in the certification path. After you complete the Certificate Export Wizard, the certificate both remains in the certificate store and exists in the newly created file. If you want to remove the certificate from the certificate store, you must delete it.
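The import and export sections above pair each file format (DER X.509, Base64 X.509, PKCS #7, PKCS #12) with an Explorer verb and, for PKCS #12 only, a private key and its password. Because .cer and .p7b extensions say nothing reliable about what is inside, the following added example (not from the Knowledge Base article or from Microsoft) sniffs the file's outer ASN.1 structure instead; the sample blobs are constructed skeletons with valid outer layers only, and the function names are this example's own.

```python
import base64

OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2, PKCS #7 signedData

def der(tag, content):
    """Short-form DER TLV (content < 128 bytes); used only to build the constructed samples."""
    return bytes([tag, len(content)]) + content

def read_tlv(data, pos=0):
    """Decode one definite-length DER TLV at pos; return (tag, value, end)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def sniff(blob):
    """Classify a certificate file by structure, not extension:
    'base64-x509', 'der-x509', 'pkcs7', 'pkcs12' or 'unknown'."""
    if blob.lstrip().startswith(b"-----BEGIN"):
        body = b"".join(l for l in blob.splitlines() if not l.startswith(b"-----"))
        return "base64-x509" if sniff(base64.b64decode(body)) == "der-x509" else "unknown"
    try:
        outer_tag, outer, _ = read_tlv(blob)
        inner_tag, inner, _ = read_tlv(outer)
    except (IndexError, ValueError):
        return "unknown"
    if outer_tag != 0x30:                                # all three formats are a top-level SEQUENCE
        return "unknown"
    if inner_tag == 0x06 and inner == OID_SIGNED_DATA:   # ContentInfo { contentType signedData, ... }
        return "pkcs7"
    if inner_tag == 0x02 and inner == b"\x03":           # PFX { version INTEGER 3, ... }
        return "pkcs12"
    if inner_tag == 0x30:                                # Certificate { tbsCertificate SEQUENCE, ... }
        return "der-x509"
    return "unknown"

def import_plan(blob):
    """Explorer verb the article pairs with each format, and whether a private key rides along."""
    kind = sniff(blob)
    if kind == "unknown":
        raise ValueError("not a recognised certificate file")
    return {"format": kind, "verb": "Install PFX" if kind == "pkcs12" else "Install Certificate",
            "private_key": kind == "pkcs12"}

# Constructed skeleton samples: valid outer layers only, not real certificates or keys.
SAMPLE_DER = der(0x30, der(0x30, der(0xA0, der(0x02, b"\x02"))) + der(0x30, b"") + der(0x03, b"\x00"))
SAMPLE_PEM = b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER) + b"-----END CERTIFICATE-----\n"
SAMPLE_P7B = der(0x30, der(0x06, OID_SIGNED_DATA) + der(0xA0, der(0x30, b"")))
SAMPLE_PFX = der(0x30, der(0x02, b"\x03") + der(0x30, b"") + der(0x30, b""))
```

Running import_plan on a file before importing it tells you whether a password prompt (and therefore a private key entering the store) is expected, which is the check to make before deciding on strong private key protection or exportability.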
REFERENCES
For more information about managing certificates, see the following Microsoft Web site: