Menu Home

Importing self-signed SSL certs into Vista

I use SSL on my web servers for privacy and not authentication. Since it is my own use I don’t care if it’s from Verisign or Thawte. Also why shell out cash for the certificate when a self signed certificate will do just fine?

Internet Explorer used to permit you to install web server certificates by examining the SSL certificate and importing it into your key store. Version 7 of the browser took that away and made it more difficult to import them into the key store.

Here is how I imported the web server certificate into Vista.

1) Get the web server certificate.

You will need a copy of your web server cert. I run the server in question so that’s not a problem for me. All I had to do was locate the file referenced in my Apache conf file like so.

SSLCertificateFile /etc/apache2/ssl.crt/wp.crt

If you don’t have access to the certificate then download and install the Windows version of OpenSSL from this URL here. Get and install the setup binary and install with the default locations for everything.

Now from the Start menu run the Command Prompt and type in these commands.

cd “Program FilesGnuWin32bin”

openssl s_client -connect YOUR.SERVERNAME.COM:443 > %TEMP%www.crt

Type QUIT and hit enter to get the web server to disconnect you. I used %TEMP% because your user account may not have permission to write files somewhere else. In your temp directory is a file called www.crt. This is your web server certificate.

2) Run the Microsoft Management Console.

Run MMC from the Start menu

Click on the Start menu and in the search box type “mmc”. This will find and display in the list mmc.exe, double-click that or just hit enter.

Add certificates snap-in to MMC

3) Add the Certificates snap-in.

Once MMC is running you will need to add in Certificates snap-in. Use the menu File -> Add/Remove Snap-in… menu to add it. You will be prompted with a selection for “This snap-in will always manage certificate for”. You can select “My user account” or “Computer account” I opted for computer account; both work fine.

MMC certificate tree

4) Import the web server SSL certificate.

One the snap-in is installed expand the tree on the left column to get to Console Root -> Certificates (Local Computer) -> Trusted Root Certification Authorities -> Certificates.

Once there select the menu Action -> All Tasks -> Import… to start the “Welcome to the Certificate Import Wizard”.

MMC certificate import wizard

Click on Next and you’ll be asked for the file to import. In the File name: field type in

%TEMP%www.crt

from when you imported the certificate using openssl.

MMC certificate store

Click on Next and you will be prompted for where to place the certificate. Just go with the default. Click Next a couple more times and you should see the message “The import was successful”.

Now the list of certificates should include the one you just imported.

Successful importing into MMC

This can be used for importing certificates from other self-signed SSL based services such as IMAPS (port 993), POP3S (port 995), or SMTPS (port 465). Once certificates are imported into the “Trusted Root Certification Authorities” store then Internet Explorer, Outlook, etc. will stop complaining.

Categories: Geek Software

Tagged as:

Jan Dembowski

7 replies

  1. I tried this method – and it says it imports – but it never appears in the list – and Outlook 2007 consequently – never accepts the connection to the remote Exchange host.

  2. Joe,

    That’s weird. I suggest you use another store instead of

    Certificates (Local Computer) -> Trusted Root Certification Authorities -> Certificates

    I’ve used this with Outlook 2007 to eliminate the annoying certificate dialog box.

    Try putting it into your Personal certificate store to see if that makes a difference.

    Jan Dembowski

  3. Thank you, by using your method I was able to add an ssl certificate to use with a webdav drive. It seem that windows uses the same certificates as internet explorer.

  4. You’re welcome, I’m glad this solved a problem for you.

    It’s more accurate to say that Internet Explorer uses the same certificate store as the rest of your PC, but you get the idea.