
How to import and export personal and CA certificates into and from applications

Introduction

Once you get your certificate and install it in a browser, you can export it to a file and then import it into other applications (typically other browsers or email clients). The methods used for importing and exporting into/from a given application are typically similar up to the point where you choose Import or Export and you either browse for an existing file to import or provide a file name and location for export.

For security reasons, we recommend that you restrict importation of this certificate to applications on your own desktops or laptops ONLY.

Guard the file into which you export your certificate very carefully! It contains your encrypted private key. Follow the instructions for protecting it.

Note: The CA certificates for the OSG PKI are referred to as the OSG CAs below.

Dealing with certificates in files for import or export needs a bit of clarification on file formats.  Typically, your OSG personal certificate will be delivered to you from OSG in a .p12 file (also known as a .pfx file) which is a PKCS#12 format binary, multi-part file.  The file from OSG contains both your personal certificate and your private key (hence the need for secure storage of your .p12 files).  CA certificates are usually downloaded as PEM format, Base-64 encoded files holding a single certificate.  These files will usually have a file extension of either .pem or .cer.  See this note for more information on certificate file formats.
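To make the format distinction above concrete, here is an added example (written for this article; it is not OSG software) that classifies a certificate file as PEM text or binary DER/PKCS#12, lists the PEM block labels it finds, and flags whether the file carries private-key material and so needs the protection described for .p12 exports. The sample file contents are constructed placeholders, not real certificates or keys; only the PEM framing and the leading DER tag byte are exercised. It does not parse PKCS#12 internals, so a binary file is reported with an unknown key status and should be treated as secret.

```python
"""Inspect a certificate file the way this article describes them:
PEM (Base-64 text, usually one CA certificate) versus binary DER/PKCS#12
(an OSG .p12/.pfx export that also carries the private key).

Example code written for this article; not OSG software.  The sample
file contents below are constructed placeholders, not real certificates
or keys.
"""
import base64
import re

# A PEM block is "-----BEGIN <LABEL>-----", Base-64 lines, "-----END <LABEL>-----".
_PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----",
    re.DOTALL,
)

# Labels that mean the file contains private-key material and therefore
# needs the same protection the article demands for .p12 exports.
PRIVATE_KEY_LABELS = {
    "PRIVATE KEY",
    "ENCRYPTED PRIVATE KEY",
    "RSA PRIVATE KEY",
    "EC PRIVATE KEY",
}


def pem_blocks(data):
    """Return (label, der_bytes) for each well-formed PEM block in data."""
    blocks = []
    for match in _PEM_BLOCK.finditer(data):
        label = match.group(1).decode("ascii")
        body = b"".join(match.group(2).split())  # strip line breaks
        try:
            der = base64.b64decode(body, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue  # malformed Base-64: not a usable block
        blocks.append((label, der))
    return blocks


def classify(data):
    """Describe a certificate file: container format and what it holds."""
    blocks = pem_blocks(data)
    if blocks:
        labels = [label for label, _ in blocks]
        return {
            "format": "PEM",
            "labels": labels,
            "certificates": labels.count("CERTIFICATE"),
            "has_private_key": any(lbl in PRIVATE_KEY_LABELS for lbl in labels),
        }
    # DER and PKCS#12 files are ASN.1 SEQUENCEs, so they start with tag 0x30.
    # Without a PKCS#12 parser we cannot see inside; an OSG .p12 always
    # carries the private key, so "has_private_key" is left as None
    # (unknown) and callers should treat the file as secret.
    if data[:1] == b"\x30":
        return {"format": "DER-or-PKCS12", "labels": [],
                "certificates": None, "has_private_key": None}
    return {"format": "unknown", "labels": [],
            "certificates": 0, "has_private_key": False}


def _pem(label, payload):
    """Wrap placeholder bytes in PEM framing (for the constructed samples)."""
    tag = label.encode("ascii")
    return (b"-----BEGIN " + tag + b"-----\n"
            + base64.encodebytes(payload)
            + b"-----END " + tag + b"-----\n")


# Constructed samples: the payloads are placeholder text, not real DER.
SAMPLE_CA_PEM = _pem("CERTIFICATE", b"placeholder CA certificate")
SAMPLE_EXPORT_PEM = (SAMPLE_CA_PEM
                     + _pem("CERTIFICATE", b"placeholder user certificate")
                     + _pem("ENCRYPTED PRIVATE KEY", b"placeholder encrypted key"))
# Constructed: resembles the opening SEQUENCE header of a .p12 file.
SAMPLE_P12_HEADER = b"\x30\x82\x0a\x00" + b"\x00" * 16
SAMPLE_BROKEN_PEM = (b"-----BEGIN CERTIFICATE-----\n"
                     b"!!!not base64!!!\n"
                     b"-----END CERTIFICATE-----\n")


if __name__ == "__main__":
    for name, sample in [("CA .pem", SAMPLE_CA_PEM),
                         ("export .pem", SAMPLE_EXPORT_PEM),
                         ("export .p12", SAMPLE_P12_HEADER),
                         ("broken", SAMPLE_BROKEN_PEM)]:
        print(name, classify(sample))
```

Run it on a real file with `classify(open(path, "rb").read())`; a result of `has_private_key` that is `True` or `None` means the file belongs under the handling rules for exported certificates, not in a shared or network-visible directory.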


Note: The exact menu and dialog items listed below may differ if your software version differs from the versions tested for this document.

Firefox Browser (any OS)

First import the CA certificate:

Depending on how the CA certificates are imported into the Firefox certificate store, the trust settings (aka certificate purposes) of these certificates may not be set properly. The article Manually Editing Trust Settings for CA Certificates contains instructions for correcting this problem so personal certificates will function properly for all purposes.

Import your personal certificate:

Export your personal certificate:


Thunderbird Mail (any OS)

Thunderbird does not share the same certificate store as Firefox. You'll need to import the certificates into this application after using a browser to download them or request them.

First import the CA certificates:

Depending on how the CA certificates are imported into the Thunderbird certificate store, the trust settings (aka certificate purposes) of these certificates may not be set properly. The article Manually Editing Trust Settings for CA Certificates contains instructions for correcting this problem so personal certificates will function properly for all purposes.

Import your personal certificate:


Windows 7 Applications

Windows systems in the FERMI Domain have the OSG CA certificates installed by a domain GPO (Group Policy Object). With the CA certificates installed, ordinary users can import their personal certificates successfully. Otherwise, the article Issues with Certificate in Windows 7 discusses problems encountered with installing certificates in (non-Domain) Windows 7 systems and how to work around the problems.

Microsoft Internet Explorer IE9

Export your personal certificate:

Import your personal certificate:

Microsoft Outlook 2010

Once you have imported a certificate into your IE browser, Outlook can access it from the same store, so there's no need to import it. There's also no need to export it from Outlook since you can export it from IE. See instructions for IE.

That said, if you still want to export your certificate from Outlook, you can. Here are the instructions:


Mac Applications and Keychain Files

The Mac OS handles certificates (and other sensitive information) using keychain files. There is information about keychain files in the standard Mac help files. In a nutshell, certificates are stored in protected keychain files, and some browsers and email applications access the certificates via these files. We recommend that you create a new keychain file to handle your PKI certificate(s). If you double-click a PKCS#12 (.p12) file or a PEM-format file (either .pem or .cer), the Keychain Access application will start automatically and import your certificates; otherwise, to do so manually:

If you have only one certificate, and you only plan to use Mac-native applications with your certificate (Safari and Mac mail), you're done. These applications will find the certificate as needed.

Depending on how the OSG CA certificates are imported into the Macintosh keychain, the trust settings (aka certificate purposes) of these certificates may not be set properly.  The article Manually Editing Trust Settings for CA Certificates contains instructions for correcting this problem so OSG certificates will function properly for all purposes.

Safari

Safari consults the keychain files on your Mac for a certificate by default. Once you have your certificate and private key in a keychain file, your certificate should automatically be presented to restricted websites as needed. The first time you use it, Safari will ask whether you want to use the certificate it found just this once or always. The prompt will recur each time until you click "Always".

If you have multiple certificates in your keychain file, you'll need to set the access control on your keychain such that Safari knows which one to use.

Mac Mail

Mac Mail consults the keychain files on your Mac for a certificate by default. Once you have your certificate and private key in a keychain file, Mac Mail can access it. When you compose a new message, you will see the icons for encrypting (a lock) and signing (a check if enabled, an X if not) on the right-hand side of the message window. The signing icon should always be available to you; the encrypting icon is greyed out unless your correspondent has already sent you a signed email and your system has stored his certificate and public key.

If you have multiple certificates in your keychain file, you'll need to set the access control on your keychain such that Mail knows which one to use.


Download CA certificates for import into applications

Copies of the CA certificates for OSG CAs, CILogon and the CERN Grid CA are available from Trusting Certificates and CA Certificate Downloads. Using a browser into which you want to import the CA certificates, download these as needed. Different applications may need different combinations of these files.


Security measures for exported (backup) certificates

It is recommended that the certificate file you export from your browser be kept only on removable media. When you first export this file, copy it to a local drive that is inaccessible from the network, in a directory protected from access by other users; import it into applications as necessary; then remove it from your machine after you're done, saving it on removable media for future use. The export form of your certificate is usually a PKCS#12 (.p12) file, which includes your private key. The private key is distinct from the certificate (though bundled with it in the .p12 file) and is the piece of information you must protect from access by other users.
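The handling rules above (a local directory closed to other users, the exported file itself readable only by its owner, and removal once the import is done) can be scripted. The following is an added example written for this article, not OSG software; it assumes a POSIX system (Linux or macOS) where file modes are enforced, and `SAMPLE_P12_BYTES` is a constructed placeholder rather than a real PKCS#12 file. The `import_step` callable stands in for whatever application import dialog you run against the staged file.

```python
"""Stage an exported certificate file on local disk the way the article
advises: owner-only access while it is being imported, then removed.

Example code written for this article, not OSG software.  It assumes a
POSIX system (Linux/macOS) where file modes are enforced; on Windows use
NTFS permissions instead.  SAMPLE_P12_BYTES is a constructed placeholder,
not a real PKCS#12 file.
"""
import os
import stat
import tempfile

# Constructed placeholder standing in for the bytes of an exported .p12 file.
SAMPLE_P12_BYTES = b"\x30\x82\x00\x10" + b"placeholder PKCS#12 content"


def make_private_dir():
    """Create a staging directory that only the current user can enter or list."""
    path = tempfile.mkdtemp(prefix="cert-staging-")  # mkdtemp creates it 0700
    os.chmod(path, stat.S_IRWXU)  # make the intent explicit
    return path


def save_private_file(path, data):
    """Write data to a new file readable and writable only by its owner.

    The 0600 mode is applied at creation, so there is no window in which
    the file is group- or world-readable; O_EXCL refuses to write through
    a file (or symlink) that already exists at that path."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL,
                 stat.S_IRUSR | stat.S_IWUSR)
    with os.fdopen(fd, "wb") as handle:
        handle.write(data)
    return stat.S_IMODE(os.stat(path).st_mode)


def audit_private_file(path):
    """Report whether anyone other than the owner could read the file."""
    st = os.lstat(path)
    mode = stat.S_IMODE(st.st_mode)
    return {
        "mode": mode,
        "owner_only": (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0,
        "is_symlink": stat.S_ISLNK(st.st_mode),
    }


def stage_import_and_cleanup(p12_bytes, import_step):
    """The article's workflow: stage the export locally with restricted
    permissions, run the application's import (import_step is a callable
    standing in for that dialog), then remove the file from the machine."""
    staging = make_private_dir()
    path = os.path.join(staging, "usercert.p12")
    try:
        mode = save_private_file(path, p12_bytes)
        audit = audit_private_file(path)
        result = import_step(path)
    finally:
        # Always remove the staged copy, even if the import step failed.
        if os.path.lexists(path):
            os.remove(path)
        os.rmdir(staging)
    return {
        "mode": mode,
        "owner_only": audit["owner_only"],
        "is_symlink": audit["is_symlink"],
        "import_result": result,
        "removed": not os.path.exists(staging),
    }


if __name__ == "__main__":
    # Hypothetical import step: just measure the file it was handed.
    print(stage_import_and_cleanup(SAMPLE_P12_BYTES,
                                   lambda p: len(open(p, "rb").read())))
```

Deleting the staged copy does not scrub the underlying disk blocks, which is why the article's advice to keep the long-term copy on removable media still applies.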

Please follow these security guidelines with regard to your pem file, private key and related files:

Authored by Fang Wang
Last modified 4 months ago