Skip to main content

Import a certificate into Windows

Import a CA certificate into the certificate keystore of a Windows machine

The importcert.py script can be used to import a certificate into the keystore of a Windows server or client machine in order to authenticate TLS communications.

Optional preparation

Note

These optional steps need not be completed before importing the certificate, but they must be completed before testing the certificate.

Use one of the following methods to import a certificate:

  1. Open an Administrator command prompt by clicking the Start button, typing "cmd", and selecting "Run as administrator".

    Note

    The script will exit with a warning if it is not run with Administrator privileges.

    commandPrompt.svg
  2. At the command prompt, navigate to <faircom>\tools\certman\

  3. Execute python importcert.py

    The script will detect the key-pair that you previously created and ask:

    Would you like to import the certificate at Certs\Expires_On_2034-08-12\ca.crt?

  4. If you respond "yes", you are prompted to "Press ENTER to proceed".

    importCerts-Yes.svg

    If you respond "no", you are prompted for the public key filename (ca.crt in our example) to import.

    importCerts-no.svg

The import was successful and the certificate was added to the keystore.

  1. Click the Start button and enter "certificate".

  2. Open "Manage user certificates"

    ManageUserCertificates.svg
  3. Open the "Trusted Root Certification Authorities" folder.

  4. Open the "Certificates" folder.

  5. From the "Action" menu select "All Tasks" and click the "Import…" option.

    Manage-Import.svg
  6. Browse to find and select the CA certificate you wish to import, then click "Next".

    Browse.svg
  7. Leave the Certificate store as "Trusted Root Certification Authorities" and click "Next"

    TrustedRoot.svg
  8. Click "Finish"

    A pop-up appears saying "The import was successful."

    Success-popup.svg

The import was successful and the certificate was placed in the certificate keystore.

  1. Open "Manage user certificates"

    ManageUserCertificates.svg
  2. Confirm that the imported certificate is in the "Certificates" folder underneath the "Trusted Root Certification Authorities" folder:

    confirm.svg
  3. Test the connection using one of the following methods:

    Note

    Before testing, you must create a server certificate that is signed by the CA certificate you just imported and configure the FairCom server to use the server certificate.

  1. Connect to the FairCom server.

    After importing the new CA certificate, Chrome may still show an insecure connection.

    chromeNOTSecure.svg

    This is usually caused by performing the import while Chrome is running.  If you close all Chrome windows and relaunch them it should trigger a refresh of the list of trusted CA certificates. However, Chrome has at least one option that may cause it to remain running in the background after closing all windows. To force Chrome to restart, save all of your work and in the address bar enter chrome://restart.

  2. When Chrome shows a secure connection icon to the left of the address, click the icon and you should see "Connection is secure".

    chromeSecure.svg

Python version 3.7 and later can access the OS certificate keystore.  This support may be library dependent. Follow these steps to test with the "requests" library

  1. Install the pip-system-certs package:

    pip install pip-system-certs
  2. Run these two lines of code (change 127.0.0.1 to the address of your server):

    import requests
    print( requests.Session().post( "https://127.0.0.1:8443/api", data = '{"api": "admin","action": "pingSession"}' ).json() )
  3. A successful run will show the following:

    {'errorCode': 0, 'errorMessage': ''}