## 20210714 AK
----
[[HowTo/InstallCAcertRoots/CZ|Česky]] | '''english'''
----
= CAcert Public-Root-Certificates manual import on Windows =
By Stefan Thode

Reasons to import the CAcert Public-Root-Certificates manually:

 1. You use Windows 8/8.1/10 technology (incl. Server 2012/2016/2019), on which the EXE installer does not work.
 1. You want to have them available for all users of this computer.
 1. You want to have them available for services running on Windows like Outlook, Internet Explorer/Edge, Google Chrome, Opera, MS-Exchange, MS Internet-Information-Server or any other software that uses the Windows certificate storage.

== Preparing ==
Download the CAcert Public-Root-Certificates from https://www.cacert.org/index.php?id=3 in PEM format. With Mozilla Firefox, this downloads the files "root_X0F.crt" and "class3_x14E228.crt".

Go to CAcert's webpage with root certificates and their fingerprints.

{{attachment:CAcertR01.jpg|CAcert Root Certificate Page|width=850}}

The link "Root certificate (PEM format)" corresponds to root_X0F.crt etc.:

||''Link''||''Corresponding filename''||
||'''Class 1 PKI key'''|| ||
||Root certificate (PEM format)||root_X0F.crt||
||Root certificate (DER format)||root_X0F.der||
||Root certificate (Text format)||root_X0F.txt||
||'''Class 3 PKI key'''|| ||
||Intermediate certificate (PEM format)||class3_x14E228.crt||
||Intermediate certificate (DER format)||class3_x14E228.der||
||Intermediate certificate (Text format)||class3_x14E228.txt||

{{attachment:CPRIW002.jpg|CAcert Root Certificate Files Downloaded|width=550}}

Start "Microsoft Management Console" and prepare it for organizing certificates. Start "MMC.EXE" as Administrator.

(!) '''Note''': If you are using a Windows Domain and are a Domain Administrator, you can install the certificate for all computers of the domain at once! See the paragraph [[#Installation_in_Windows_Domain]] below.

{{attachment:CPRIW003.JPG|Run MMC|width=550}}

{{attachment:CPRIW004.JPG|MMC window|width=550}}

== Add Snap-In for Certificates ==
In the File menu, you can find the function "Add/Remove Snap-In".

{{attachment:CPRIW005.JPG|MMC Add Snap-in|width=550}}

{{attachment:CPRIW006.JPG|MMC Add Snap-in|width=550}}

Add the Snap-In "Certificates" for the "Computer Account" and, in the next screen, for the "Local Computer".

(!) '''Note''': To install the certificate for the computer you'll need administrative rights on the computer. If you are not an administrator, MMC.EXE automatically selects "Current User" instead of "Local Computer". Unless the administrators have explicitly forbidden this, you can still install the root certificate following the same procedure as described here. In this case the certificate is only installed for your personal user account. If someone else logs in to the same computer, the certificate will not be installed for him/her.

{{attachment:CPRIW007.JPG|Certificates Snap-in|width=550}}

{{attachment:CPRIW008.JPG|Certificates Snap-in|width=550}}

{{attachment:CPRIW009.JPG|Certificates Snap-in|width=550}}

{{attachment:CPRIW010.JPG|Certificates Snap-in|width=550}}

You can now see how certificates are organized in the computer certificate store. Expand the certificates folder.

{{attachment:CPRIW011.JPG|Local Computer Certificates|width=700}}

== Import "root" into "Trusted Root Certification Authorities" ==
{{attachment:CPRIW012.JPG|Import Root Certificate|width=550}}

{{attachment:CPRIW013.JPG|Import Root Certificate|width=550}}

The Import Wizard now starts. Use "Local Machine" and "Next".

{{attachment:CPRIW014.JPG|Import Root Certificate|width=700}}

Browse for the file "root_X0F.crt".

{{attachment:CPRIW015.jpg|Import Root Certificate|width=700}}

Browse for the correct certificate location for "root" (Trusted Root Certification Authorities).

{{attachment:CPRIW016.JPG|Import Root Certificate|width=700}}

== Finish the import of "root" ==
{{attachment:CPRIW017.jpg|Import Summary|width=700}}

The following dialog may appear. Confirm that you want to import the root certificate, and that you trust the issuer. You can also check the fingerprints against the CAcert roots webpage (recommended).

{{attachment:Trust-to-CA-17a.gif|Confirm Root Certificate Trust}}

{{attachment:CPRIW018.JPG|Import Finished|width=700}}

Then make sure you trust it. Right-click "root" (listed as "CA cert Signing Authority") and select Properties.

{{attachment:CPRIW019.JPG|Trust check/set|width=550}}

{{attachment:CPRIW020.JPG|Trust check/set|width=550}}

Enable all purposes for this certificate.

{{attachment:CPRIW021.JPG|Trust check/set|width=700}}

== Import "class3" into "Intermediate Certification Authorities" ==
{{attachment:CPRIW022.JPG|Import Class3 Certificate|width=550}}

{{attachment:CPRIW023.JPG|Import Class3 Certificate|width=550}}

The Import Wizard starts again.

{{attachment:CPRIW024.JPG|Import Class3 Certificate|width=700}}

Browse for the file "class3_x14E228.crt".

{{attachment:CPRIW025.jpg|Import Class3 Certificate|width=700}}

Browse for the correct certificate location for "class3" (Intermediate Certification Authorities).

{{attachment:CPRIW026.JPG|Import Class3 Certificate|width=700}}

== Finish the import of "class3" ==
{{attachment:CPRIW027.jpg|Import Summary|width=550}}

{{attachment:CPRIW028.JPG|Import Finished|width=550}}

Again, make sure you trust it. Right-click "class3" (listed as "CAcert Class 3 Root") and select Properties.

{{attachment:CPRIW029.JPG|Trust check/set|width=550}}

{{attachment:CPRIW030.JPG|Trust check/set|width=550}}

== Enable all purposes for "class3" ==
{{attachment:CPRIW031.JPG|Trust check/set|width=700}}

The CAcert Public-Root-Certificates are now installed for products that use the Windows certificate stores.

Other products such as Firefox or Thunderbird have their own certificate stores; to use these products you have to import the Public-Roots into those certificate stores as well.

= Installation in Windows Domain =
It is possible to install certificates for all computers in a Windows Domain by using the Group Policy Editor (procedure tested on Server 2012 R2 with English language settings):

 * Log in to a Domain Controller using an account in the Domain Admins group
 * Start MMC
 * Add the "Group Policy Management Editor" Snap-In
 * Select the "Default Domain Policy" as the Group Policy Object to be edited
 * In the policy tree find Default Domain Policy -> Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Public Key Policies -> Trusted Root Certification Authorities
 * Use the menu item "Action... -> Import" to import the CAcert root certificate.
 * Now the CAcert root should be shown in the list window on the right side of the treeview
 * In the policy tree find Default Domain Policy -> Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Public Key Policies -> Intermediate Certification Authorities
 * Import the Class 3 certificate here
 * Allow some time for the group policy to distribute. A day should be enough; most of the time the distribution is considerably faster
 * Use the Certificates Snap-In as described above in [[#Add_Snap-In_for_Certificates]] on any domain computer to verify that the distribution is complete. The imported certificates should already be visible in the corresponding folders.

----
 . CategoryStepByStep
 . CategoryTutorials
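
The manual import into the Local Computer stores described above, including the recommended fingerprint check, can also be scripted. The following PowerShell is an added example, not part of the original page or CAcert's own tooling; the download folder, the choice of SHA-256 and the fingerprint placeholders are assumptions, and the placeholders must be replaced with the values shown on the CAcert roots webpage.

```powershell
# Added example: verify both downloaded CAcert files, then import them.
# Run in an elevated PowerShell session (Local Computer stores need admin rights).
# ASSUMPTIONS: download folder, hash algorithm, and the <...> placeholders below.
$Dir       = Join-Path $env:USERPROFILE 'Downloads'
$Algorithm = 'SHA256'   # use the algorithm the CAcert roots webpage publishes
$Items = @(
    @{ File = 'root_X0F.crt'        # -> Trusted Root Certification Authorities
       Store = 'Cert:\LocalMachine\Root'
       Expected = '<ROOT-FINGERPRINT-FROM-CACERT-WEBPAGE>' },
    @{ File = 'class3_x14E228.crt'  # -> Intermediate Certification Authorities
       Store = 'Cert:\LocalMachine\CA'
       Expected = '<CLASS3-FINGERPRINT-FROM-CACERT-WEBPAGE>' }
)

function Get-CertFingerprint([string]$Path, [string]$Algorithm) {
    # Parse the PEM (or DER) file and hash the certificate's DER encoding,
    # which is what a certificate fingerprint is computed over.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    $hash = [System.Security.Cryptography.HashAlgorithm]::Create($Algorithm)
    try {
        ($hash.ComputeHash($cert.RawData) | ForEach-Object { $_.ToString('X2') }) -join ''
    } finally {
        $hash.Dispose()
    }
}

function Format-Fingerprint([string]$Value) {
    # Strip colons and spaces so "07:ED:..." and "07ed..." compare equal.
    ($Value -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
}

# Pass 1: verify every file before any store is modified.
foreach ($item in $Items) {
    $path   = Join-Path $Dir $item.File
    $actual = Get-CertFingerprint -Path $path -Algorithm $Algorithm
    if ($actual -ne (Format-Fingerprint $item.Expected)) {
        throw "Fingerprint mismatch for $($item.File): computed $actual. Nothing was imported."
    }
}

# Pass 2: import each verified file into its store and show what was added.
foreach ($item in $Items) {
    Import-Certificate -FilePath (Join-Path $Dir $item.File) -CertStoreLocation $item.Store |
        Select-Object Subject, Thumbprint, NotAfter
}
```

Without administrative rights, the stores `Cert:\CurrentUser\Root` and `Cert:\CurrentUser\CA` correspond to the "Current User" case from the note above.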