SensorNet and Digital Certificates:

Managing Certificates In Internet Explorer

This howto was contributed to the EJBCA project by SensorNet.

Internet Explorer (IE) stores certificates for all Microsoft applications because they all share the same security context. This architecture means that a flaw in Internet Explorer affects all of Windows, and vice versa. Therefore, if you choose to use Internet Explorer for browsing, you must be extra careful to keep your PC secure. We strongly recommend that you consider the much more modern and secure Mozilla browser. You will be glad that you did.


Accessing your certificates

To access your certificate cache in IE, in the Tools menu, select Internet Options and then the Content tab (Figure 1).

Content Manu
Figure 1.

Click the certificates tab to display your certificate store (Figure 2).

IE Certificate store
Figure 2.

Exporting your certificate and keys

The first thing you want to do is to export your certificate so that it is backed up in a safe place, and also so that you can then import it into other browsers on this or other computers. Select you identity as shown above and click the Export button. The Certificate Export Wizard will appear (Figure 3).

Certificate export wizard
Figure 3.

Click Next, and then choose to export the private key (Figure 4). Without the private key, the certificate is only useful to others.

Export the private key
Figure 4.
Click Next, and the Export File Format screen will appear (Figure 5).  Make the selections shown below. The PKCS #12 format is the standard format understood by other browsers. Include the certificates in the path so that the SensorNetCA certificate will be included in the export. For sure, enable strong protection. Without that, your private key will be unprotected.

Export file format
Figure 5.

Because you enabled strong protection, a password box will appear when you click Next as shown in Figure 6. Be sure to choose a good password -- at least 8 characters including letters, numbers, and special characters with no dictionary words.

Figure 6.

Choose the file name for the exported key (Figure 7). I always make a special directory on my hard disk (and protect it so that only I have access) to store my keys in. Unfortunately, Microsoft insists on using the ".pfx" file extension for this rather than the more universal ".p12".

export file name
Figure 7.

You then get a chance to review your choices in the final screen of the Wizard (Figure 8).

Final review
Figure 8.

When you click Finish, you will get a pop-up asking for your CryptoAPI Private Key (Figure 9). This is the password you originally used to protect the certificate when you obtained it from the SensorNetCA. Never check the "Remember password" box.

CryptoAPI key
Figure 9.

Finally you are done! Be sure to copy your exported certificate to a floppy or a CD so that it is stored off of your computer in case you need to rebuild it, loose a hard drive, etc. Go look at the instructions for Mozilla to see how much easier this is.

Trusting the SensorNetCA

The next thing to do is to make sure that you trust the SensorNet Certificate Authority. Start at the screen in Figure 2 and select the Trusted Root Certification Authorities Tab. You might have to scroll the horizontal arrows near the top-right of the dialog in order to access this tab.  You should be able to find the SensorNetCA listed (Figure 10). The SensorNetCA certificate should have been imported automatically when you obtained your SensorNet Certificate.

Trusted root CA
Figure 10.

In case you cannot find the SensorNetCA listed, you will have to import it manually into IE. To do this, go to to access the SensorNet certificate retrieval page (Figure 11). Click the "Fetch CA and OSCP certificates" link.

Certificate retrieval page
Figure 11.

Click the link blue link in Figure 12 for Internet Explorer to import the SensorNet CA certificate. The OSCP responder certificate allows your browser to check the validity of certificates whenever they are used. However, you can only choose one OSCP responder, so unless SensorNet is the only secure site you use, do not get the OSCPResponder certificate.

Fetch CA certificate
Figure 12.

When the Import Certificate Wizard comes up, be sure to select the certificate store manually. Choost the Trusted Root Certification Authorities store. Then return to Figure 10 and find the SensorNetCA certificate.  Click the Advanced button to display the purposes for which you trust this certificate (Figure 13). They are probably all checked by default, but if not, make sure you check them all. This is not a very good situation because trust should not be enabled by default!

Trusted uses
Figure 13.

Importing your certificate and keys

Start from Figure 2 and click the Import button. The Import Certificate Wizard will appear (Figure 14).

Import wizard
Figure 14.

You must then find the file for the certificate you wish to import (Figure 15). In the browse file selection window, you may need to change the file selection type to see the different certificate types that can be imported (Figure 16)

Finding the certificate
Figure 15.
File types
Figure 16.

Clicking Next will bring up a password dialog (Figure 17). This is the password you used when you exported the certificate in Figure 6.  Be sure to check the boxes to enable strong protection and to mark the key as exportable. It is unfortunate that every default chosen by Microsoft leads to the lowest level of security possible, so you must continually override their bad intentions.

certificate password
Figure 17.

The next screen allows you to choose the key store for the certificate. If it is one of your certificates, use the default personal store. Otherwise, select one of the choices from the pop-up launched by the Browse button (Figure 18). If unsure, select the automatic radio button.

Import store
Figure 18.

Finally, the Wizard completion screen appears (Figure 19). But once again, Microsoft firces you to set the security to a higher level.

Figure 19.

The "Importing a new private exchange key" pop-up appears with the security level set to Medium (Figure 20).

New protected item
Figure 20.

Just as you did when you originally got your SensorNet certificate, click the "Set Security Level" button and select "High" in Figure 21.

Select High protection
Figure 21.

Again you will be asked for a password to protect this item. It is the one for the CryptoAPIKey you used in Figure 9. You should then (finally!) see the Figure 20 with the secutity Level set to High.  Click OK, and the certificate will appear in your cache.