Installing Root Certificates
If you’re taking your advanced home server to new levels that require you to implement security and encryption technology such as HTTPS or SSL-based VPNs, you will be introduced to a lot of obscure concepts that you now need to know more about. Some of them involve certificates. A certificate is basically just a small file that ties a name to a public key; it is used for identification and for setting up encryption. If you choose to build your own security, you will need to become handy at exporting and importing root certificates on your servers and personal computers.
Most normal and happy people have no idea about root certificates and they live long and productive lives without ever caring about them. With a little effort, you will remain normal and happy, but know a little more than you did yesterday.
Your computer and browser already have a long list of root certificates installed. They are a standard feature. Root certificates belong to Certificate Authorities (CAs), and they are what your computer uses to validate the certificates those CAs issue to others. GoDaddy and Comodo provide this service, among others. When you use HTTPS with Amazon, Amazon presents a server (SSL/TLS) certificate. Your browser checks that the certificate was issued by a CA whose root certificate is in its trusted store, and that the name in the certificate matches the site, so it knows it’s really Amazon it’s talking to. The public key in that certificate is then used to set up the encrypted connection; the certificate itself doesn’t do the encrypting.
You will only be concerned with the one you make or the one Windows Server 2012 makes for you. Windows Server 2012 Essentials, by default, installs Active Directory and a long list of other roles and features, including Active Directory Certificate Services (AD CS). If you install Windows Server 2012 Essentials, it automatically creates your server’s root certificate as a standard part of the installation process. Other editions of Windows Server 2012 install no roles by default. Client computers that are joined to the domain automatically receive a copy of the server’s root certificate in their Trusted Root Certification Authorities store; an enterprise CA publishes it in Active Directory and Group Policy delivers it. All you need to be concerned with are workstations that are not in the domain and browsers that don’t use the computer’s certificate store.
Windows Server 2012 provides a web page, served by IIS as part of the AD CS Web Enrollment role, that can export the root certificate from the server and install it into a client PC’s certificate store. If you browse from a client PC to https://yourserver/certsrv, you’ll be greeted with a user id / password prompt from the server. Then you’ll be given the opportunity to download the CA certificate and either save it on the client or install it, all in one step. I recommend you NOT use the install option. In most, if not all, cases it installs the root certificate into the current user’s certificate store and not the certificate store of the local machine. You’d then have to find it, export it, and import it into the Trusted Root Certification Authorities store of the local machine. Regardless, you’ll still have to import the root certificate manually into any browser that doesn’t use the PC’s certificate store.
If you plan to use OpenSSL, you’ll make a root certificate that must be installed on the server and on each computer that will securely access your server.
You’ll first see how Microsoft provides flexible access to many aspects of your operating system using a tool called the Microsoft Management Console. Then you’ll see how to export and import certificates using the MMC. Finally, you’ll see how to import root certificates into Firefox.
The Microsoft Management Console (MMC) and Snap-Ins
Microsoft includes a flexible tool called the Microsoft Management Console (MMC) to manage many aspects of the operating system using snap-ins. A snap-in is a management module for one area of the system, such as certificates, services, or disks. Some vendors also use the MMC as an interface for managing their applications. It’s easier to show it to you than explain it.
Run mmc.exe. To work with the computer’s certificate store it needs to run with administrator privileges. You’ll see an empty console. Click File. On the drop-down menu click Add/Remove Snap-in.
You’ll see a list of all the snap-ins available to you. At this time, we’ll limit ourselves to Certificates, but feel free to build your own custom consoles later. An MMC console is just a container. If you build and save a custom console and later delete it, you’re only deleting the console, not the snap-ins it contains.
Click Certificates. Add it to the selected snap-ins window.
Select Computer Account. Click Next.
Select Local computer. Click Finish.
You’ve made a custom MMC console. You can repeat the process and add as many snap-ins as you like. People commonly build custom consoles for a single purpose. When you’re done with your intended task and close the console, it will ask you if you want to save it or not. It’s common to answer No to avoid clutter.
Now, expand the Certificates (Local Computer) tree. It lists all the logical certificate stores on the computer. You’ll only be concerned with the Certificates folder under Trusted Root Certification Authorities today.
Exporting a Root Certificate
Now that you’ve created your console, export the root certificate from the computer it’s on so you can install it where it needs to be. When you export a certificate, you’re only making a copy for distribution. You’re not removing it. If you’re building a secure remote file access system such as WebDAV or an SSTP VPN, the client must trust your root certificate before it can connect. Root certificates from public Certificate Authorities are public by design, and there’s no harm in handing out your own root certificate either. What must stay private is the root’s private key: it belongs only on the server acting as the CA, and the file you export here should contain the certificate alone, never the key.
Select your root certificate. Then Right Click / All Tasks / Export.
From here on, you just follow the prompts.
Accept the defaults. If the wizard asks whether to export the private key, answer No; the default file format, DER encoded binary X.509 (.CER), is fine.
Decide where to save the file. Name it whatever you like.
Confirm and Finish.
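The same job the MMC console and export wizard do, done from an elevated PowerShell prompt, as an added example that is not part of the original article. It uses the Cert: drive, which exposes the same stores the Certificates snap-in shows, checks that the certificate it found really is a root CA certificate, and exports it without the private key. The subject name HOMESERVER-CA and the output path are assumptions; substitute your own.

```powershell
# Added example, not code from the original article: find your private root CA
# certificate in the computer's Trusted Root store, check that it really is a
# root certificate, and export it as a .cer file WITHOUT the private key.
# The subject name and output path are assumptions; substitute your own.

$caSubject = 'CN=HOMESERVER-CA'                                         # assumed subject of your root certificate
$outFile   = Join-Path $env:USERPROFILE 'Desktop\homeserver-root.cer'   # assumed output location

# The Cert: drive exposes the same stores the MMC snap-in shows:
#   Cert:\LocalMachine\Root = Trusted Root Certification Authorities (Local Computer)
#   Cert:\CurrentUser\Root  = the same store, but for the logged-on user only
$found = @(Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -eq $caSubject })
if ($found.Count -eq 0) { throw "No certificate with subject '$caSubject' in LocalMachine\Root" }
if ($found.Count -gt 1) { throw "Several certificates match '$caSubject'; pick one by thumbprint instead" }
$root = $found[0]

# A root certificate is self-signed and carries a Basic Constraints extension
# (OID 2.5.29.19) that marks it as a CA. Refuse anything else.
if ($root.Subject -ne $root.Issuer) { throw "Subject and issuer differ; this is not a root certificate" }
$basic = $root.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.19' }
if (-not $basic -or -not $basic.CertificateAuthority) { throw "Basic Constraints does not mark this certificate as a CA" }

# Export-Certificate (PKI module, Windows 8 / Server 2012 and later) writes the
# public certificate only, in DER form (-Type CERT). The private key, if this
# machine is the CA and holds it, stays where it is.
Export-Certificate -Cert $root -FilePath $outFile -Type CERT | Out-Null

# Note the thumbprint so whoever installs the file can verify it out of band.
"Exported:    $($root.Subject)"
"Thumbprint:  $($root.Thumbprint)"
"Valid until: $($root.NotAfter)"
"File:        $outFile"
```

Write the thumbprint down (or send it by a channel other than the one you use to send the file). A root certificate placed in Trusted Root makes the computer believe every certificate that root signs, so the person installing it should be able to confirm they have the right file before they trust it.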
Importing a Root Certificate
There are two ways to import your root certificate into the Trusted Root Certification Authorities store. The quick way is to double-click the certificate file and take the Install Certificate option. The wizard will decide the best place to put it or give you the option to choose the store yourself, and there’s a good chance it will put it in the wrong place: the wizard defaults to the current user, but you want it in the Trusted Root Certification Authorities store of the local machine, not in your user store.
The more reliable way is the MMC console you just built. When you take this approach, you know exactly where it went.
Start the MMC and navigate to Trusted Root Certification Authorities / Certificates. Right Click / All Tasks / Import.
Locate your root certificate file and select it.
Follow the prompts.
Accept the defaults. Because you started the wizard from inside the store, it will offer to place the certificate in Trusted Root Certification Authorities; confirm that this is the store shown before you continue.
Confirm and Finish.
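The import step from an elevated PowerShell prompt, as an added example that is not part of the original article. Unlike the double-click wizard it refuses a file that carries a private key, checks the thumbprint against the value noted when the certificate was exported, installs into the local machine store rather than the user store, and then confirms that Windows actually treats the certificate as a trust anchor. The file path and the all-zero expected thumbprint are placeholders.

```powershell
# Added example, not code from the original article: install a root certificate
# file into the computer's Trusted Root store, but only after confirming that it
# carries no private key and that its thumbprint matches the one recorded when it
# was exported. Run from an elevated PowerShell prompt. The file path and the
# expected thumbprint are placeholders for illustration.

$cerFile            = 'C:\Temp\homeserver-root.cer'                 # assumed location of the exported file
$expectedThumbprint = '0000000000000000000000000000000000000000'     # replace with the thumbprint noted at export time

# Load the file first so it can be inspected before anything is trusted.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $cerFile
if ($cert.HasPrivateKey) { throw "This file contains a private key; a root certificate for distribution must not" }
if ($cert.Subject -ne $cert.Issuer) { throw "Not self-signed; this is not a root certificate" }
$normalized = ($expectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()   # tolerate spaces or colons
if ($cert.Thumbprint -ne $normalized) {
    throw "Thumbprint mismatch: file has $($cert.Thumbprint), expected $normalized. Not installing."
}

# LocalMachine\Root is the store the article tells you to use. CurrentUser\Root
# is where the double-click wizard or /certsrv tends to put it, and that only
# helps the one user who ran it.
$store = 'Cert:\LocalMachine\Root'
if (Get-ChildItem $store | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }) {
    "Already present in ${store}: $($cert.Subject)"
} else {
    Import-Certificate -FilePath $cerFile -CertStoreLocation $store | Out-Null
    "Imported into ${store}: $($cert.Subject)"
}

# Confirm the machine now treats it as a trust anchor: a chain built for the
# root itself must succeed with no untrusted-root error.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # a self-signed root has no CRL to fetch
if ($chain.Build($cert)) {
    "Chain builds; the computer trusts this root."
} else {
    $reasons = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    throw "Chain does not build after import: $reasons"
}

# Flag a stray copy in the user store, which is harmless but confusing.
if (Get-ChildItem Cert:\CurrentUser\Root | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }) {
    "Note: a copy also exists in CurrentUser\Root."
}
```

If the thumbprint check fails, stop and get the file again from the server rather than editing the expected value to match; a wrong root certificate in this store lets whoever holds its key impersonate any site to this computer.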
Installing Your Root Certificate into Firefox
Start Firefox. On the Tools menu, select Options. Go to the Advanced tab, then Certificates, and click View Certificates. (In current Firefox versions the same dialog is under Settings > Privacy & Security > Certificates > View Certificates.) Select the Authorities tab.
Click Import, select your .cer file, and follow the prompts.
Check the box labelled “Trust this CA to identify websites”. Click OK. Restart your browser.
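A way to skip the per-profile dialog, as an added example that is not part of the original article: Firefox reads an enterprise policy file, distribution\policies.json, from its installation directory, and the Certificates policy in it can both install a certificate file as a trusted authority and tell Firefox to honour the Windows Trusted Root store (the security.enterprise_roots.enabled preference). The script below writes that file; the Firefox install directory and certificate path are assumptions, and it needs Firefox 64 or later and an elevated prompt.

```powershell
# Added example, not code from the original article: make every Firefox profile
# on this PC trust the root certificate without touching the Options dialog, by
# writing a policies.json enterprise policy beside the Firefox installation
# (Firefox 64 and later). Run from an elevated prompt. Paths are assumptions.

$firefoxDir = 'C:\Program Files\Mozilla Firefox'   # assumed Firefox install directory
$cerFile    = 'C:\Temp\homeserver-root.cer'        # assumed location of the exported root certificate

if (-not (Test-Path (Join-Path $firefoxDir 'firefox.exe'))) { throw "firefox.exe not found in $firefoxDir" }
if (-not (Test-Path $cerFile)) { throw "Certificate file not found: $cerFile" }

$distDir    = Join-Path $firefoxDir 'distribution'
$policyFile = Join-Path $distDir 'policies.json'
if (Test-Path $policyFile) {
    throw "$policyFile already exists; merge the Certificates policy into it by hand rather than overwriting it"
}

# Certificates.Install takes full paths to certificate files and imports them as
# trusted authorities. ImportEnterpriseRoots additionally makes Firefox honour the
# Windows Trusted Root store (security.enterprise_roots.enabled), so a root that
# is already in Cert:\LocalMachine\Root is trusted even without the Install entry.
$policy = @{
    policies = @{
        Certificates = @{
            ImportEnterpriseRoots = $true
            Install               = @($cerFile)
        }
    }
}

New-Item -ItemType Directory -Path $distDir -Force | Out-Null
$json = $policy | ConvertTo-Json -Depth 5
# Write UTF-8 without a byte-order mark; Set-Content -Encoding UTF8 would add one.
[System.IO.File]::WriteAllText($policyFile, $json, (New-Object System.Text.UTF8Encoding $false))
"Wrote $policyFile. Restart Firefox and open about:policies to confirm it was applied."
```

After restarting, about:policies lists the active policy and the Authorities tab of the certificate manager shows the root with “Trust this CA to identify websites” already set. Note that the policy file applies to everyone who uses that Firefox installation, which is normally what you want on a home PC.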