How to import and export personal and CA certificates into and from applications
Article: KB0010813 Published: 2013-01-22 Last modified: 2017-06-26


Introduction

Once you get your certificate and install it in a browser, you can export it to a file and then import it into other applications (typically other browsers or email clients). The methods used for importing and exporting into/from a given application are typically similar up to the point where you choose Import or Export and you either browse for an existing file to import or provide a file name and location for export.

For security reasons, we recommend that you restrict importation of this certificate to applications on your own desktops or laptops ONLY.

Guard the file into which you export your certificate very carefully! It contains your encrypted private key. Follow the instructions for protecting it.

Note: The CA certificates for the OSG PKI are referred to as the OSG CAs below.

Dealing with certificates in files for import or export needs a bit of clarification on file formats.  Typically, your OSG personal certificate will be delivered to you from OSG in a .p12 file (also known as a .pfx file) which is a PKCS#12 format binary, multi-part file.  The file from OSG contains both your personal certificate and your private key (hence the need for secure storage of your .p12 files).  CA certificates are usually downloaded as PEM format, Base-64 encoded files holding a single certificate.  These files will usually have a file extension of either .pem or .cer.  See this note for more information on certificate file formats.
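As an added example (not part of this KB article), the following POSIX shell script shows what the file formats described above look like from the command line, using the openssl tool: it tells PEM from binary DER/PKCS#12 by the file's first bytes, converts a DER .cer to PEM, bundles a certificate and key into a password-protected .p12 the way a browser export does, counts the certificates inside a .p12 without writing the private key to disk, extracts only the public certificate for sharing, checks that a personal certificate chains to an imported CA certificate, and applies owner-only permissions to the backup file. It assumes openssl 1.1 or 3.x is on the PATH; the CA and user certificates it creates are throwaway demo material generated inside the script, not OSG certificates, and the password `demo-pass` is a placeholder.

```shell
#!/bin/sh
# Added example, not part of the KB article: handling the certificate file
# formats the article describes (PEM .cer/.pem and PKCS#12 .p12/.pfx) with
# the openssl command line. Assumes openssl 1.1 or 3.x is on PATH. Every
# certificate created here is throwaway demo material, not an OSG certificate.

# Classify a file by its first bytes: PEM is Base-64 text with BEGIN/END
# markers; DER certificates and PKCS#12 files are binary ASN.1 and start
# with a SEQUENCE tag (0x30). A Windows "*.cer" may be either, so check.
cert_format() {
    if head -c 10 "$1" | grep -q -- '-----BEGIN'; then
        echo PEM
    elif [ "$(od -An -tx1 -N1 "$1" | tr -d ' \n')" = "30" ]; then
        echo DER      # plain DER certificate or a PKCS#12 container
    else
        echo UNKNOWN
    fi
}

# Convert a DER-encoded CA certificate to PEM (some applications accept
# only one of the two forms).
der_to_pem() { openssl x509 -inform DER -in "$1" -out "$2"; }

# Bundle a PEM certificate, its private key and the CA certificate into a
# password-protected PKCS#12 file, the same thing a browser Export produces.
make_p12() {  # cert.pem key.pem ca.pem out.p12 password
    openssl pkcs12 -export -in "$1" -inkey "$2" -certfile "$3" \
        -out "$4" -passout "pass:$5"
}

# Count the certificates inside a .p12 without writing the private key
# anywhere (the article warns the key is in there; this only lists certs).
p12_cert_count() {  # file.p12 password
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

# Extract only the public certificate from a .p12; that part is safe to
# hand to a correspondent, the private key stays inside the protected .p12.
p12_public_cert() {  # file.p12 password out.pem
    openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys -out "$3" 2>/dev/null
}

# Check that a personal certificate chains to the CA certificate(s) you
# imported; returns non-zero when the chain cannot be built.
verify_chain() {  # ca.pem user.pem
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Apply the article's storage rule: owner-only permissions on the backup,
# then report the resulting mode string so it can be checked.
protect_file() {
    chmod 600 "$1" && ls -ld "$1" | cut -c1-10
}

# Build a throwaway CA and user certificate in directory $1 (demo only).
make_demo_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo User" \
        -keyout "$1/user.key" -out "$1/user.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$1/user.csr" -CA "$1/ca.pem" \
        -CAkey "$1/ca.key" -CAcreateserial -out "$1/user.pem" >/dev/null 2>&1
    openssl x509 -in "$1/ca.pem" -outform DER -out "$1/ca.cer"
}

# Stand-alone walkthrough in a temporary directory that is removed afterwards.
demo() {
    d=$(mktemp -d)
    make_demo_pki "$d"
    echo "ca.cer is $(cert_format "$d/ca.cer"), ca.pem is $(cert_format "$d/ca.pem")"
    make_p12 "$d/user.pem" "$d/user.key" "$d/ca.pem" "$d/user.p12" demo-pass
    echo "user.p12 holds $(p12_cert_count "$d/user.p12" demo-pass) certificate(s)"
    p12_public_cert "$d/user.p12" demo-pass "$d/user-pub.pem"
    grep -q 'PRIVATE KEY' "$d/user-pub.pem" || echo "user-pub.pem carries no private key"
    verify_chain "$d/ca.pem" "$d/user.pem" && echo "user.pem chains to ca.pem"
    echo "backup file mode: $(protect_file "$d/user.p12")"
    rm -rf "$d"
}
demo
```

Run it as `sh script.sh`. The `p12_cert_count` check is a quick way to confirm that an exported .p12 really carries the CA certificate alongside your own before you import it into another application, and `verify_chain` failing against the CA files you downloaded is the command-line equivalent of the trust-settings problem the sections below describe.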

 Quick links to sections (below) for individual applications or operating systems:

Note: The exact menu and dialog items listed below may differ if your software version differs from the ones tested for this document.

Firefox Browser (any OS)

First import the CA certificate:

  • Click the menu icon and select Preferences (or Options if using Windows). If you are using a Mac, you can also find Preferences under the Firefox menu instead.

  • Open the Advanced category and click the Certificates tab. Then click View Certificates.

  • In the Certificate Manager window, open the Authorities tab.

  • Look for existing CA certificates in the list. If they are in the list, go to "Import your personal certificate" below. For any of these that is not in the list, continue here.

  • Click the Import button at the bottom of the window.

  • It prompts you to select an existing file; select the CA certificate file from the location where you saved it.

  • A "Downloading Certificate" dialog box appears and asks "Do you want to trust <name> for the following purposes?". Click all three boxes. View if you like, then click OK. The certificate will appear in Firefox's CA list.

  • Repeat for other CA certs as needed.

Depending on how the CA certificates are imported into the Firefox certificate store, the trust settings (aka certificate purposes) of these certificates may not be set properly. The article Manually Editing Trust Settings for CA Certificates contains instructions for correcting this problem so personal certificates will function properly for all purposes.

Import your personal certificate:

  • Follow the same procedure as above, but in the Certificate Manager window, open the Your Certificates tab and click Import.

  • Browse for your .pfx or .p12 file (you got this when you exported your file from the primary browser), and select it. If this file was protected by a password during export, you'll need to enter that same password at this point. The browser should inform you that your certificate was successfully imported (or restored).

Export your personal certificate:

  • Follow the same procedure as above until you're in the Certificate Manager window. Open the Your Certificates tab and click Export. Follow the instructions (similar to SeaMonkey).

 

Thunderbird Mail (any OS)

Thunderbird does not share the same certificate store as Firefox. You'll need to import the certificates into this application after using a browser to download them or request them.

First import the CA certificates:

  • From the Edit menu, select Preferences (If you are using a Mac, you can find it under the Thunderbird menu). Open the Advanced category and click Certificates.

  • In the Manage Certificates and Devices section, click Manage Certificates.

  • In the Certificate Manager window, open the Authorities tab.

  • Click the Import button at the bottom of the window.

  • It prompts you to select an existing file; select the CA certificate file from the location where you saved it.

  • A "Downloading Certificate" dialog box appears and asks "Do you want to trust <name> for the following purposes?". Click all three boxes. View if you like, then click OK. The certificate will appear in Thunderbird's CA list.

  • Repeat for other CA certs as needed.

Depending on how the CA certificates are imported into the Thunderbird certificate store, the trust settings (aka certificate purposes) of these certificates may not be set properly. The article Manually Editing Trust Settings for CA Certificates contains instructions for correcting this problem so personal certificates will function properly for all purposes.

Import your personal certificate:

  • From the Edit menu, select Preferences (If you are using a Mac, you can find it under the Thunderbird menu instead). Open the Advanced category and click Certificates.

  • In the Manage Certificates and Devices section, click Manage Certificates.

  • In the Certificate Manager window, the Your Certificates tab should automatically open. (If not, select it.)

  • Click the Import button at the bottom of the window.

  • It prompts you to select an existing file; select your certificate file from the location where you saved it when you exported it.

  • It prompts you to provide the Master Password; enter it.

  • It prompts you to provide the password used to encrypt the certificate backup; enter it.

  • It should say "Successfully restored your certificate(s) and private key(s)." Click OK.

 

Windows 7 Applications

Windows systems in the FERMI Domain have the OSG CA certificates installed by a domain GPO (Group Policy Object). With the CA certificates installed, ordinary users can import their personal certificates successfully. Otherwise, the article Issues with Certificate in Windows 7 discusses problems encountered with installing certificates in (non-Domain) Windows 7 systems and how to work around the problems.

Microsoft Internet Explorer IE9

Export your personal certificate:

  • From the Tools menu, click Internet Options. Open the Content tab, and click Certificates.
  • In the Certificates window, select your certificate and click Export.
  • Work through the Certificate Export Wizard to export your certificate into a Personal Information Exchange (.pfx) file. You need to click the Yes, export the private key radio button. And, on the following screen, make sure the Enable strong protection box is checked.
  • You will be prompted for a password to export the certificate; remember this password, as you will need it to re-import the certificate into another browser and/or machine.
  • We recommend that you rename the resulting .pfx file to have a .p12 extension since the file is really in PKCS#12 format (Microsoft just calls it something else).

Import your personal certificate:

  • From the Tools menu, select Internet Options.  Open the Content tab, and click Certificates.
  • In the Certificates window, select your certificate and click Import.
  • Work through the Certificate Import Wizard to import your certificate file. When browsing for the correct file,  change the "Files of type" field from *.cer, *.crt to *.pfx, *.p12.
  • You will be prompted for the password used to encrypt the private key when the certificate was initially exported. Enter it.
  • You will want to select the Enable strong private key protection and Mark this key as exportable radio buttons.
  • You can select whatever storage you want. It's easiest to put all the certificates in the Personal store.
  • Click Finish to exit the wizard. It will take a moment to execute the import.
  • A window pops up to say the application is creating a protected item, and for you to select the security level. Leaving it at medium (the default) is fine. Click OK.
  • A window pops up to say the import was successful. Click OK.

Microsoft Outlook 2010

Once you have imported a certificate into your IE browser, Outlook can access it from the same store, so there's no need to import it. There's also no need to export it from Outlook since you can export it from IE. See instructions for IE.

That said, if you still want to export your certificate from Outlook, you can. Here are the instructions:

    • From the File menu, select Options. The Outlook Options window will appear.

    • Click on Trust Center, then on Trust Center Settings.

    • Click Email Security. Under Digital IDs (Certificates), click the Import/Export button.

    • Select Export and then click Select to pick the certificate (Digital ID) to export.

    • Choose the Certificates you wish to export from the list, then click OK. The Digital ID text box will be filled in.

    • Select a filename and location for the file, enter a password for the file, and click OK. The password is used to encrypt and protect your exported certificate.

 

Mac Applications and Keychain Files

The Mac OS handles certificates (and other sensitive information) using keychain files. There is information about keychain files in the standard Mac help files. In a nutshell, certificates are stored in protected keychain files, and some browsers and email applications access the certificates via these files. We recommend that you create a new keychain file to handle your PKI certificate(s). If you double-click a PKCS#12 (.p12) file or a PEM-format file (either .pem or .cer), the Keychain Access application will automatically start and import your certificates. Otherwise, to do so manually:

  • Make sure you have your certificate (and its CA and root CA certificates) available to the system (e.g., on removable media or in a protected area of the hard drive).

  • Go to Applications -> Utilities -> Keychain Access.

  • To create a new keychain, do the following. Otherwise the login keychain (recommended) will be used to store your certificates.

    • Select File -> New Keychain.
    • Type the keychain file name and choose a location for it, then click Create.
    • Enter a password, and remember the password!
  • Select File > Import Items, and import all the CA certificates (e.g. in the case of OSG PKI, the OSG Root and CA-1 certificates). You may need to use your login password to access the keychain file.

    Alternatively, you can drag the certificate file and drop it on the Keychain Access icon (if it is in the Dock) or just double-click the file if it has a recognized file extension (.p12 or .pfx for PKCS#12 format files).

  • Next select your new keychain file if you are using one. Otherwise the login keychain will be used.

  • Select File > Import Items, and import your personal certificates. You will need to use the original export password to get the certificate, and your password for the new keychain file to put it into this keychain file.

If you have only one certificate, and you only plan to use Mac-native applications with your certificate (Safari and Mac mail), you're done. These applications will find the certificate as needed.

Depending on how the OSG CA certificates are imported into the Macintosh keychain, the trust settings (aka certificate purposes) of these certificates may not be set properly.  The article Manually Editing Trust Settings for CA Certificates contains instructions for correcting this problem so OSG certificates will function properly for all purposes.

Safari

Safari consults the keychain files on your Mac for a certificate by default. Once you have your certificate and private key in a keychain file, your certificate should automatically be presented to restricted websites as needed. The first time you use it, Safari will prompt you to find out if you want to use the found certificate just this once or always. The prompt will occur each time until you click "Always".

If you have multiple certificates in your keychain file, you'll need to set the access control on your keychain such that Safari knows which one to use.

Mac Mail

Mac Mail consults the keychain files on your Mac for a certificate by default. Once you have your certificate and private key in a keychain file, Mac Mail can access it. When you compose a new message, you will see the icons for encrypting (a lock) and signing (a check if enabled, an X if not) on the right-hand side of the message window. The signing icon should always be available to you; the encrypting icon is greyed out unless your correspondent has already sent you a signed email and your system has stored his certificate and public key.

If you have multiple certificates in your keychain file, you'll need to set the access control on your keychain such that Mail knows which one to use.

 

Download CA certificates for import into applications

Copies of the CA certificates for OSG CAs, CILogon and the CERN Grid CA are available from Trusting Certificates and CA Certificate Downloads. Using a browser into which you want to import the CA certificates, download these as needed. Different applications may need different combinations of these files.

  • The OSG PKI certificates are issued by the OSG CA for which you need both the OSG Root and CA-1 certificates as listed on the  Trusting Certificates and CA Certificate Downloads page.  Please download the PEM format files, which have a .cer file extension.

  • The CERN Grid CA requires both the CERN Grid CA Authority 2 and the CERN Grid CA Authority certificates.  You can download the PEM format files (which have a .crt file extension) or use the direct-import link on the Trusting Certificates and CA Certificate Downloads page.
  • To import directly into your browser, left click on each (one at a time). A "Downloading Certificate" dialog box appears and asks "Do you want to trust <name> for the following purposes?". Click all three boxes. View if you like, then click OK. The certificate will appear in your browser's CA list (under Authorities or a similar tab).  Otherwise you will have to manually import the CA certificates as outlined above.

  • You cannot export these files from a browser. If you need to import them into other applications, either repeat the above steps for each application, or right-click the files and save them to disk for later importation.

  • Depending on how the OSG CA certificates are imported into the certificate stores of the Mozilla applications and the Macintosh keychain, the trust settings (aka certificate purposes) of these certificates may not be set properly. The article Manually Editing Trust Settings for CA Certificates contains instructions for correcting this problem so OSG certificates will function properly for all purposes.

  • The article Issues with Certificate in Windows 7 discusses problems encountered with installing certificates in (non-Domain) Windows 7 systems and how to work around the problems.

 

Security measures for exported (backup) certificates

It is recommended that the certificate file you export from your browser be kept only on removable media. When you first export this file, copy it to a local drive that is inaccessible to the network, in a directory protected from access by other users; import it into applications as necessary, then remove it from your machine after you're done, saving it on removable media for future use. The export form of your certificate is usually a PKCS#12 (.p12) file which includes your private key. The private key is separate from the certificate (but included in the .p12 file) and is the piece of information you want to protect from access by other users.

Please follow these security guidelines with regard to your pem file, private key and related files:

  • DO NOT copy it to or store it in a directory that is accessible to the network.
  • DO NOT copy it to or store it in a directory that is accessible by anyone besides yourself.
