Mostly about my amusement

Importing self-signed SSL certs into Vista

I use SSL on my web servers for privacy and not authentication. Since it is for my own use, I don’t care whether the certificate is from Verisign or Thawte. Also, why shell out cash for a certificate when a self-signed certificate will do just fine?

Internet Explorer used to permit you to install web server certificates by examining the SSL certificate and importing it into your key store. Version 7 of the browser took that away and made it more difficult to import them into the key store.

Here is how I imported the web server certificate into Vista.

1) Get the web server certificate.

You will need a copy of your web server cert. I run the server in question so that’s not a problem for me. All I had to do was locate the file referenced in my Apache conf file like so.

SSLCertificateFile /etc/apache2/ssl.crt/wp.crt

If you don’t have access to the certificate, then download and install the Windows version of OpenSSL. Get the setup binary and install it with the default locations for everything.

Now from the Start menu run the Command Prompt and type in these commands.

cd "\Program Files\GnuWin32\bin"

openssl s_client -connect YOUR.SERVERNAME.COM:443 > %TEMP%\www.crt

Type QUIT and hit enter to get the web server to disconnect you. I used %TEMP% because your user account may not have permission to write files somewhere else. In your temp directory is a file called www.crt. This is your web server certificate.

2) Run the Microsoft Management Console.

Run MMC from the Start menu

Click on the Start menu and in the search box type “mmc”. This will find and display in the list mmc.exe, double-click that or just hit enter.

Add certificates snap-in to MMC

3) Add the Certificates snap-in.

Once MMC is running you will need to add the Certificates snap-in. Use the File -> Add/Remove Snap-in… menu to add it. You will be prompted with a selection for “This snap-in will always manage certificates for”. You can select “My user account” or “Computer account”. I opted for computer account; both work fine.

MMC certificate tree

4) Import the web server SSL certificate.

Once the snap-in is installed, expand the tree in the left column to get to Console Root -> Certificates (Local Computer) -> Trusted Root Certification Authorities -> Certificates.

Once there select the menu Action -> All Tasks -> Import… to start the “Welcome to the Certificate Import Wizard”.

MMC certificate import wizard

Click on Next and you’ll be asked for the file to import. In the File name: field type in

%TEMP%\www.crt

which is the file you saved using openssl in step 1.

MMC certificate store

Click on Next and you will be prompted for where to place the certificate. Just go with the default. Click Next a couple more times and you should see the message “The import was successful”.

Now the list of certificates should include the one you just imported.

Successful importing into MMC

This can be used for importing certificates from other self-signed SSL-based services such as IMAPS (port 993), POP3S (port 995), or SMTPS (port 465). Once certificates are imported into the “Trusted Root Certification Authorities” store, Internet Explorer, Outlook, etc. will stop complaining.
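
A certificate fetched over the network should be confirmed as the server's own before it becomes a trusted root. The following is an added example, not part of the original post: a Python script that pulls the certificate block out of saved `openssl s_client` output (such as the www.crt file from step 1) and prints its SHA-256 fingerprint, for comparison with `openssl x509 -noout -fingerprint -sha256 -in wp.crt` run on the server itself. The function names and the sample text are constructed for illustration.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s+(.+?)\s+-----END CERTIFICATE-----", re.DOTALL)

def _pem_body(text):
    """Base64 body of the first certificate block, whitespace removed."""
    m = PEM_RE.search(text)
    if m is None:
        raise ValueError("no certificate block found")
    return "".join(m.group(1).split())

def extract_first_pem(s_client_output):
    """Return only the first certificate (the server's own), without session text."""
    body = _pem_body(s_client_output)
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")

def sha256_fingerprint(text):
    """SHA-256 over the decoded (DER) bytes, colon-separated as openssl prints it."""
    digest = hashlib.sha256(base64.b64decode(_pem_body(text))).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def same_fingerprint(a, b):
    """Compare fingerprints, ignoring a 'SHA256 Fingerprint=' prefix, colons and case."""
    def norm(s):
        return s.split("=")[-1].replace(":", "").strip().lower()
    return norm(a) == norm(b)

# Constructed sample: s_client-style output whose base64 body is placeholder
# bytes, not a real certificate.
_BODY = base64.b64encode(b"constructed placeholder, not a real certificate").decode()
SAMPLE = (
    "CONNECTED(00000003)\n"
    "verify error:num=18:self signed certificate\n"
    "---\nServer certificate\n"
    "-----BEGIN CERTIFICATE-----\n" + _BODY + "\n-----END CERTIFICATE-----\n"
    "subject=/CN=www.example.test\n---\n"
    "SSL handshake has read 1024 bytes and written 300 bytes\n"
)

if __name__ == "__main__":
    pem = extract_first_pem(SAMPLE)
    print(pem, end="")
    print("SHA256 Fingerprint=" + sha256_fingerprint(pem))
```

Import the certificate only if `same_fingerprint` returns True for the value computed here and the value read directly on the server.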