Import TLS certificates into Windows Certificate Store

2min
Perform the following tasks to import the TLS certificates.
Import the certificates using Microsoft Management Console (MMC) and the Certificates Snap-In
1
Open Microsoft Management Console by pressing Windows+R to open Run, then type "mmc" in the empty box and click [ OK ].
2
At the top of the MMC window, select File > Add/Remove Snap-in.
3
In the Add or Remove Snap-ins window, select Certificates and click [ Add ].
4
Select the Computer account radio button and click [ Next ].
5
Select Local computer (selected by default) and click [ Finish ].
6
Back in the Add or Remove Snap-ins window, click [ OK ].
7
In the MMC main console, expand the Certificate snap-in.
8
Navigate to the Personal > Certificates pane.
9
Right-click within the Certificates panel and select All Tasks > Import to start the Certificate Import Wizard.
10
Local Machine should be selected as the Store Location. Click [ Next ] to continue.
11
Click [ Browse ], find and select the leaf certificate file (i.e., IgDemo.pem), then click [ Next ].
12
Leave the default option selected to place all certificates in the Personal certificate store, then click [ Next ].
13
Review the summary of the selected options, then click [ Finish ]. (Note: A notification window should pop up stating that the import was successful.)
14
Navigate to the Trusted Root Certificate Authorities > Certificates pane.
15
Right-click within the Certificates panel and select All Tasks > Import to start the Certificate Import Wizard.
16
Local Machine should be selected as the Store Location. Click [ Next ] to continue.
17
Click [ Browse ], find and select the CA certificate file (i.e., Ca.pem), then click [ Next ].
18
Leave the default option selected to place all certificates in the Trusted Root Certificate Authorities certificate store, then click [ Next ].
19
Review the summary of the selected options, then click [ Finish ].
Associate the certificates with their corresponding private keys stored on the HSM using certutil
1
The serial numbers of both the CA certificate and the leaf certificate need to be noted down for use in the certutil commands that follow. To do so, double-click on each of the certificates, navigate to the Details tab, and note down the listed serial number value.
2
Open Windows PowerShell or Command Prompt as an administrator.
3
Run the following command to associate the leaf certificate with its corresponding private key stored on the HSM:
Be sure to substitute "serial_number" with the actual certificate serial number value.
"My" represents the Personal certificate store.
PowerShell
$ certutil -repairstore -csp "Futurex CNG" My "serial_number"
$ certutil -repairstore -csp "Futurex CNG" My "serial_number"
﻿
4
Run the following command to associate the CA certificate with its corresponding private key stored on the :
"Root" represents the Trusted Root Certification Authorities certificate store.
PowerShell
$ certutil -repairstore -csp "Futurex CNG" Root "serial_number"
$ certutil -repairstore -csp "Futurex CNG" Root "serial_number"
﻿
5
For further confirmation that both certificates are now associated with their corresponding private keys on the , double-click each of the certificates in the MMC Certificates snap-in and you should now see a message stating that "You have a private key that corresponds to this certificate".
﻿
Updated 06 Dec 2024
Did this page help you?
Generate a key pair and certificate on the CryptoHub
Certificate validation