1

Server: Windows Server 2008 R2

There are a lot of instructions on how to install a certificate and they seem very straightforward. However, I am having a hard time figuring out where a certificate is installed specifically.

For example, instructions online use MMC > Certificates > Action > All Tasks > Import > Automatically Select the Certificate Store to install a certificate. However, regardless of the name of the file that is used to install, e.g., foo.cer, a valid certificate gets installed successfully but I don't know where it is installed and under what name. In other words, foo.cer is not installed as "Issued By=foo" or something similar. Rather, it's installed under whatever name is inside the certificate itself. While I can see how that happens, it's not very helpful in debugging because it's basically a guessing game. e.g., What if the filename is not the same as the "Issued By" name?

  1. How do we find out which certificate store a certificate has been installed?
  2. How do we figure out what the name of a certificate (e.g., Issued To and Issued By) that we are trying to install is installed under? This is to make sure we install the correct certificate(s) in the right location(s).

This seems like such an important ability, esp for such an important feature, namely SSL certificates so maybe we're just missing something small. Any guidance would be much appreciated. Thank you in advance.

jiminy
  • 179
  • 2
  • 2
  • 6
  • For what purpose are you trying to import an "SSL certificate"? – Celery Man Jan 11 '15 at 01:20
  • We are trying to install an SSL certificate for an HTTPS website. – jiminy Jan 11 '15 at 04:18
  • When trying to install an SSL certificate for an HTTPS website, there are root/intermediate certificates that should be installed but aren't working properly. I'd like to be able to know exactly where a certificate is being installed and under what names (e.g., installed by) to help debug. – jiminy Jan 11 '15 at 04:29
  • Are you trying to get your server to trust another HTTTPS server, or are you trying to configure IIS on _this_ server? For the latter case, the procedure is totally different. – Celery Man Jan 11 '15 at 20:09
  • I am trying to get HTTPS working for one site on this one server. Regardless, shouldn't there be a way of knowing where a certificate is being installed and under what name without manually running down the list and checking if a new certificate was added? If there are only a few certificates, that's easy but in the roots store, there are over 300 certificates installed. Please note that I'm not trying to figure out _how_ to install a certificate. I'm trying to figure out _where_ a certificate is stored (and under what name) once the "Import" procedure as described is performed. – jiminy Jan 12 '15 at 04:43
  • I may be wrong when I said "totally different". In my organisation, I wasn't the one who first acquired our certificate. When setting up servers, I work with a .pfx file supplied by one of my colleagues. This contains the cert, the private key, and possibly intermediate CAs also(?). So I put that straight into IIS management console and never need to go near the certificate store console. I have to admit that I'm not familiar with the process of initially buying and prepping the certificate. Still, the procedure in my answer should address your specific question, have you tried it? – Celery Man Jan 12 '15 at 16:42
  • The key was to use the serial number. Got it now. Thank you. Your answer was clarified to make it more clear. – jiminy Jan 12 '15 at 17:06
  • Excellent, I'm glad it worked for you. – Celery Man Jan 12 '15 at 17:35

1 Answers1

1
  1. From Windows Explorer, open the .CER file, note the "Issued to" property from the General tab, and optionally the "Serial Number" from the Details tab.
  2. Run mmc.exe (elevated if necessary), add snap-in, double click Certificates and choose from user/computer/service.
  3. Import the certificate, using the procedure described in your question.
  4. Select the root Certificates node, then Action > All Tasks > Find Certificates...
  5. Search in field Issued To (or use Serial Number if you need more specifity).
  6. Post back here which store(s) the certificate was found in.

This procedure addresses your question in the following ways:

“Q2.How do we figure out what the name of a certificate (e.g., Issued To and Issued By) that we are trying to install is installed under? This is to make sure we install the correct certificate(s) in the right location(s).”

A2. In Windows Explorer, double-click the .cer file. On the General tab, you will see “Issued to” and “Issued by”. This is Step 1 above. (If you no longer have the original .cer file because it was been deleted or lost after it was imported, then you might have a problem.)

“Q1.How do we find out which certificate store a certificate has been installed?”

A1. Use the “Find Certificates...” operation of the Certificate Management MMC. This is steps 4–5 above. Find Certificates is also available on the right-click context menu and in the Action pane.

Celery Man
  • 111
  • 6
  • Sorry, at #2, if you want to manage certificates for the computer or a service, then you have to run mmc.exe and add the snap-in. Doing certmgr.msc from a run box will only let you get to current-user certificates. Will edit answer to reflect this. – Celery Man Jan 11 '15 at 01:11
  • Look for the ['edit'](http://meta.stackexchange.com/questions/21788/how-does-editing-work) link just under your answer. That allows you to update it. – jscott Jan 11 '15 at 01:31
  • The problem is that I'm not sure if the certificate was properly added, particularly the root & intermediate certificates. The purpose of this question was to track down where exactly certs are installed. Some stores are very short, such as Personal or Intermediate but the Root store is quite huge. When i tried using a search, I would essentially be guessing at the Issued To field. The installation would be more helpful, esp in debugging, if I could see a list of "last installed" or if the "successful installation" notice describes what "installed by" (for example) a cert was installed. – jiminy Jan 11 '15 at 04:22
  • 1
    _Sorry, jiminy, I was in the middle of editing my answer when you posted your suggested edit, which was:_ “Update: The serial number is the most important part. Here is a good webpage on how to find the serial number of a certificate: https://support.comodo.com/index.php?/Knowledgebase/Article/View/706/0/how-to-find-the-thumbprintserial-number-of-a-certificate” – Celery Man Jan 12 '15 at 17:39
  • No worries. Please update your answer to include the part about serial numbers, either from what I wrote, or your own rendition. It was looking for the serial number that answered my question. As noted before, the other parts were known before asking the question. The "Issued By" and "Issued To" fields were _not_ helpful. – jiminy Jan 12 '15 at 19:37
  • It was there all the time: _‘note the "Issued to" property from the General tab, and optionally the "Serial Number" from the Details tab’_ – Celery Man Jan 13 '15 at 20:53
  • True, but it wasn't very clear for someone who is not as familiar with this process. I just wanted to emphasize that the serial number was what helped, in case others are having trouble. It would have been more helpful if your answer focused on the serial number, instead of the other fields. I was requesting for you to clarify your answer because I want to mark your answer as the correct one but as it is written, the part that helped solve my problem is not clear. Regardless, thanks much for your help and sharing my update regarding the serial number. Hope this helps someone else. – jiminy Jan 15 '15 at 07:00