Certificate management under Windows

Certificates enable you to communicate in encrypted form or to identify yourself (authenticate). Certificates come, among other forms, as files with the file extension crt, cert, pem, pf7, p12, pfx, der, p7b or p7c.

In this example, a p12 and a crt file are considered.

Figure: Windows File Explorer with a p12 file and a crt file

The p12 files (or pfx files) can be used to restrict access to a web server via the https protocol. In the example they contain the "badge" to authenticate with the web server. This certificate is encrypted with a password. It corresponds to an "access card" to a protected area.

Furthermore, the figure above shows a "crt file" that contains the public part of the certificate of the issuing "certificate authority" (or "CA" for short). This certificate is not encrypted and can be

Personal certificate for authentication in the https protocol

As a rule, you will receive such a file from the service provider by e-mail or as a download.

Figure: E-mail with a p12 file as an attachment

Save the file on your computer (e.g. in the "Downloads" folder) or open the file directly from the mail client attachment (Outlook in the example above).

Figure: File "CERT_.p12" in the Downloads folder

If you have previously saved the file, open it by double-clicking on the file.

The certificate import wizard opens.

Figure: Certificate Import Wizard (step 1 ... Current User)

Certificates can be made available to everyone who logs on to this computer, in which case they belong in the certificate store "Local Computer", or only to the "Current User", i.e. the person who is currently logged on to the computer.

Select "Current User" as "Certificate Store" and click "Next".

Figure: Certificate Import Wizard (step 2 ... the path to the certificate is displayed)

The file name (in the example a temporary folder, because I opened the attachment from Outlook) is shown above. Click on "Next".

Figure: Certificate Import Wizard (step 3 ... enter the password)

You will be asked for the password that was used to encrypt the certificate. The password is also provided by the service provider that sent you the certificate.

Enter the password and click "Next".

Figure: Certificate Import Wizard (step 4 ... select the certificate store automatically)

If the password is correct, you will be asked for the certificate store where the certificate should be stored.

Note: The default is "Select certificate store automatically (based on the certificate type)", which is usually OK. The certificate from the example will be found later in the certificate store "My Certificates" (shown as "Personal" in English-language Windows).

I leave the setting as preset in the figure above and click on "Next".

Figure: Certificate Import Wizard (step 5 ... summary ... Finish)

A short summary is displayed. Click on "Finish".

Figure: Certificate Import Wizard (step 6 ... message: the import was successful)

The certificate is now imported.

Managing certificates under Windows

To find out where the certificate has ended up, open the "Manage user certificates" application in Windows (press the Windows key briefly, type "certificates" and select the "Manage user certificates" application; alternatively, you can find the application in the Control Panel).

Note: Press the key combination [Windows key] + [R], then enter "certmgr.msc" and press ENTER.

Figure: Windows 10 - starting the certificate management

I always use the Windows key and enter the application I want to open.

You will now see an overview of the certificate stores. The certificate we have just imported should have been sorted automatically into the certificate store "My Certificates".

Figure: Windows 10 - certificate management (Current User)
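
The import and the check of where the certificate ended up can also be scripted in PowerShell. The following is an added example, not part of the original article; it assumes the file "CERT_.p12" in the Downloads folder from the figure above and uses the Import-PfxCertificate cmdlet of the Windows PKI module.

```powershell
# Added example: scripted equivalent of the import wizard and the certmgr.msc check.
# Assumption: the p12 file is the "CERT_.p12" saved in the Downloads folder.
$p12Path = Join-Path $env:USERPROFILE 'Downloads\CERT_.p12'

# Prompt for the password supplied by the service provider, so that it is
# never written into the script or the command history.
$password = Read-Host -Prompt 'Password for the p12 file' -AsSecureString

# "Current User" store location, store "My" (displayed as "Personal").
# -Exportable is deliberately omitted: the private key is then marked
# non-exportable and cannot simply be exported again from the store.
$importArgs = @{
    FilePath          = $p12Path
    CertStoreLocation = 'Cert:\CurrentUser\My'
    Password          = $password
}
$imported = Import-PfxCertificate @importArgs

$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # EKU "Client Authentication"
$ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]

foreach ($cert in $imported) {
    # Read the certificate back from the store to confirm where it landed.
    $stored = Get-Item -Path ('Cert:\CurrentUser\My\' + $cert.Thumbprint)

    # A certificate without an EKU extension is not restricted to a purpose.
    $eku = $stored.Extensions | Where-Object { $_ -is $ekuType }
    $ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
    $clientAuth = (-not $eku) -or ($ekuOids -contains $clientAuthOid)

    [pscustomobject]@{
        Subject       = $stored.Subject
        Issuer        = $stored.Issuer
        Thumbprint    = $stored.Thumbprint
        NotAfter      = $stored.NotAfter
        DaysLeft      = [math]::Floor(($stored.NotAfter - (Get-Date)).TotalDays)
        HasPrivateKey = $stored.HasPrivateKey   # must be True for client authentication
        ClientAuth    = $clientAuth
    }
}
```

A row with HasPrivateKey = False or ClientAuth = False means the browser will not be able to use that certificate to authenticate to the web server.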

Applications such as browsers (e.g. Chrome, Edge, Opera or other browsers based on Chromium) use the "Windows certificate store" to identify themselves to the web server. This means that if you now open the page https://vc.edv-workshops.com ...

Figure: Microsoft Edge - opening a web page that is protected by a client certificate - selecting the certificate

... the browser (Edge in the figure above) will find the certificate and ask if it should use it for authentication. When I click OK, the page is displayed.

Figure: Microsoft Edge - opening a web page that is protected by a client certificate

Note that the page does not exist on the public Internet and was created for this documentation only.

Further Information

A nice overview of the formats of certificates can be found at https://www.antary.de/2017/03/11/zertifikate-ein-ueberblick-der-verschiedenen-formate/?cookie-state-change=1591420997591