CAcert Public-Root-Certificates manual import on Windows

By Stefan Thode

Reasons to import the CAcert Public-Root-Certificates manually:

  1. You use Windows 8/8.1/10 technology (incl. Server 2012/2016/2019), on which the EXE installer does not work.
  2. You want to have them available for all users of this computer.
  3. You want to have them available for services and software running on Windows, such as Outlook, Internet Explorer/Edge, Google Chrome, Opera, MS-Exchange, MS Internet-Information-Server or any other software that uses the Windows certificate store.

Preparing

Download the CAcert Public-Root-Certificates in PEM format from https://www.cacert.org/index.php?id=3. With Mozilla Firefox, this saves the files "root_X0F.crt" and "class3_X0E.crt".

Go to CAcert's webpage with root certificates and their fingerprints.

The link "Root certificate (PEM format)" corresponds to root_X0F.crt etc.:

Link                                        Corresponding filename

Class 1 PKI key
  Root certificate (PEM format)             root_X0F.crt
  Root certificate (DER format)             root_X0F.der
  Root certificate (Text format)            root_X0F.txt

Class 3 PKI key
  Intermediate certificate (PEM format)     class3_X0E.crt
  Intermediate certificate (DER format)     class3_X0E.der
  Intermediate certificate (Text format)    class3_X0E.txt

Start the "Microsoft Management Console" and prepare it for managing certificates: start "MMC.EXE" as Administrator.

(!) Note: If you are using a Windows Domain and are a Domain Administrator, you can install the certificate for all computers of the domain at once! See the section "Installation in Windows Domain" below.

Add Snap-In for Certificates

In the File menu, you can find the function "Add/Remove Snap-In".

Add Snap-In "Certificates" for the "Computer Account" and in the next screen for the "Local Computer".

(!) Note: To install the certificate for the computer, you need administrative rights on the computer. If you are not an administrator, MMC.EXE automatically selects "Current User" instead of "Local Computer". Unless the administrators have explicitly forbidden this, you can still install the root certificate by following the same procedure as described here. In this case the certificate is only installed for your personal user account. If someone else logs in to the same computer, the certificate will not be installed for that user.

The console now shows the certificate folders of the Computer Certificates Store. Expand the "Certificates" folder.

Import "root" into "Trusted Root Certification Authorities"

The Import Wizard now starts. Select "Local Machine" and click "Next".

Browse for the file "root_X0F.crt".

Browse for the correct certificate location for "root" ("Trusted Root Certification Authorities").

Finish the import of "root".

The following dialog may appear. Confirm that you want to import the root certificate and that you trust the issuer. You can also check the fingerprints against the CAcert roots webpage (recommended).

Then make sure the certificate is trusted. Right-click "root" (listed as "CA cert Signing Authority") and select Properties.

Enable all purposes for this certificate.

Import "class3" into "Intermediate Certification Authorities"

The Import Wizard starts again.

Browse for the file "class3_X0E.crt".

Browse for the correct certificate location for "class3" ("Intermediate Certification Authorities").

Finish the import of "class3".

Again, make sure the certificate is trusted. Right-click "class3" (listed as "CAcert Class 3 Root") and select Properties.

Enable all purposes for "class3".

The CAcert Public-Root-Certificates are now successfully installed for products that use the Windows Certificate Stores. Other products, such as Firefox or Thunderbird, have their own certificate stores; to use these products, you have to import the Public-Roots into those certificate stores as well.
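
The same import can be done from an elevated PowerShell session, with the recommended fingerprint check enforced before anything is written to a machine store. This is an added example, not part of the original wiki page: the fingerprint values are placeholders to be filled in from the CAcert root certificate page, comparing SHA-256 values is an assumption (the Thumbprint property Windows displays is the SHA-1 value), and the helper name Get-CertSha256 is made up for this example.

```powershell
# Added example. Run from the download folder in an elevated PowerShell session.
# Placeholders: paste the SHA-256 fingerprints shown on the CAcert root
# certificate page (colons or spaces are accepted).
$expected = @{
    'root_X0F.crt'   = '<SHA256 FINGERPRINT OF root FROM CACERT PAGE>'
    'class3_X0E.crt' = '<SHA256 FINGERPRINT OF class3 FROM CACERT PAGE>'
}
# Target store per file, matching the MMC steps.
$store = @{
    'root_X0F.crt'   = 'Cert:\LocalMachine\Root'  # Trusted Root Certification Authorities
    'class3_X0E.crt' = 'Cert:\LocalMachine\CA'    # Intermediate Certification Authorities
}
$files = 'root_X0F.crt', 'class3_X0E.crt'

# Hypothetical helper: SHA-256 over the DER encoding of the certificate,
# which is what a certificate fingerprint is (not a hash of the PEM text file).
function Get-CertSha256 {
    param([Parameter(Mandatory = $true)][string]$Path)
    $full = (Resolve-Path -LiteralPath $Path).Path
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $full
    $sha  = [System.Security.Cryptography.SHA256]::Create()
    try     { [System.BitConverter]::ToString($sha.ComputeHash($cert.RawData)) -replace '-', '' }
    finally { $sha.Dispose() }
}

# Pass 1: verify every file; abort before any store is touched on a mismatch.
foreach ($f in $files) {
    $want = ($expected[$f] -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($want.Length -ne 64) { throw "No SHA-256 fingerprint entered for $f" }
    $have = Get-CertSha256 -Path $f
    if ($have -ne $want) { throw "Fingerprint mismatch for ${f}: computed $have" }
    Write-Host "OK  $f  $have"
}

# Pass 2: import into the Local Computer stores.
foreach ($f in $files) {
    Import-Certificate -FilePath $f -CertStoreLocation $store[$f] |
        Format-List Subject, Thumbprint
}
```

Without administrative rights, the stores Cert:\CurrentUser\Root and Cert:\CurrentUser\CA can be used instead, which corresponds to the "Current User" case described in the note above.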

Installation in Windows Domain

It is possible to install certificates for all computers in a Windows Domain by using the Group Policy Editor (procedure tested on Server 2012 R2 with English language settings):


HowTo/InstallCAcertRoots (last edited 2020-01-10 15:41:12 by AlesKastner)