
A Step-by-Step Guide to Advanced Certificate Management


This guide explains the administrative process of obtaining and managing certificates in the Windows® 2000 operating system, using the Certificates Microsoft Management Console (MMC) snap-in.


Requirements and Prerequisites

This guide assumes the following environment:

  • You are using Windows 2000 Server in a Windows 2000-based domain.

  • You are a domain administrator or the administrator of the local computer.

  • You have a Windows 2000 Certification Authority running enterprise policy in the network.

This step-by-step guide assumes that you have run the procedures in Step-by-Step to a Common Infrastructure for Windows 2000 Server Deployment.

The common infrastructure documents specify a particular hardware and software configuration. If you are not using the common infrastructure, you need to make the appropriate changes to this document. The most current information about hardware requirements and compatibility for servers, clients, and peripherals is available at the Windows 2000 Product Compatibility Search site.

This guide assumes you have already completed:

  • Step by Step Guide to Setting up a Certificate Authority

  • Step by Step Guide to Certificate Services Web Pages

If you are unfamiliar with MMC snap-ins, we recommend you also run

Advanced Certificate Management in Windows 2000

Managing User Certificates

This section explains how to use the Certificates MMC snap-in to manage certificates.

To start the Certificates MMC snap-in

  1. From the Start menu, click Run. Type mmc in the text box and click OK. An MMC snap-in Console window launches.

  2. On the Console menu, click Add/Remove Snap-in.

  3. Click Add to add a snap-in to the current console.

  4. Select Certificates in the Snap-in list, click Add, and click Close.

  5. Click OK to close the Add/Remove Snap-in dialog box. The Certificates directory is now added to the MMC console.

    Note: If you are on a domain controller, when you select Certificates, a dialog box appears asking you whether you would like to manage certificates for My user account, Service account, or Computer account. For this scenario, select My user account, click Finish, and continue.

  6. On the Console menu, click Save as, and type Certificates as the file name of this console. Click Save. To access the Certificates console in the future, click Start, point to Programs, point to Administrative Tools, and then click Certificates.

Obtaining a Certificate from a Certification Authority on Your Windows 2000 Domain

To request a certificate with the Certificate Request Wizard, the issuing certification authority (CA) must be an enterprise CA, either root or subordinate. The wizard reads the available certificate templates from Active Directory, so a stand-alone CA is not offered.

To obtain a certificate

  1. In the Certificates console, right-click the Personal node.

  2. Click All Tasks on the context menu, and click Request New Certificate as in Figure 1 below. The Certificate Request Wizard launches. Click Next.


    Figure 1: Request New Certificate

  3. Select the certificate template that you want the new certificate to be based on. In this scenario, select User. Click Next.

  4. Enter a friendly name or a description, if desired. Click Next.

  5. Click Finish to send the certificate request to the CA.

  6. Click Install Certificate to install the certificate to the certificate store. You can also view the certificate before installation by clicking View Certificate.
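The same request made from the command line, as an added example that is not part of the original guide. It uses the Get-Certificate cmdlet from the PKI module (Windows PowerShell 4.0 or later, so a much newer client than Windows 2000; the enrollment itself still goes to an enterprise CA that publishes the User template). The friendly name is an assumed value.

```powershell
# Added example, not from the original guide. Command-line counterpart of the
# Certificate Request Wizard: enroll for a certificate based on the 'User'
# template and install it in the current user's Personal store.
# Requires the PKI module (Windows PowerShell 4.0+) on a domain-joined client
# that can reach an enterprise CA publishing the User template.

$result = Get-Certificate -Template 'User' -CertStoreLocation 'Cert:\CurrentUser\My'

# Status is 'Issued' when the CA signed the request immediately; 'Pending'
# means a certificate manager must approve it before it can be installed.
switch ($result.Status) {
    'Issued' {
        $cert = $result.Certificate

        # Optional friendly name, as in step 4 of the wizard. The value is an
        # assumption; setting the property on a store-backed certificate persists it.
        $cert.FriendlyName = 'Domain user certificate (example)'

        # Confirm what was installed: the subject comes from Active Directory,
        # HasPrivateKey must be True, and the Certificate Template Name
        # extension (OID 1.3.6.1.4.1.311.20.2, used by version 1 templates
        # such as User) must read 'User'.
        $template = $cert.Extensions |
            Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.20.2' } |
            ForEach-Object { $_.Format($false) }

        [pscustomobject]@{
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            HasPrivateKey = $cert.HasPrivateKey
            Template      = $template
        }
    }
    'Pending' {
        # The pending request is kept in Cert:\CurrentUser\REQUEST; once a CA
        # manager approves it, complete it with Get-Certificate -Request.
        "Request is pending CA approval; complete it later with Get-Certificate -Request."
    }
    default {
        throw "Enrollment failed with status '$($result.Status)'."
    }
}
```

If the template has been configured to require CA manager approval, the wizard in the guide shows the same pending state, and the certificate appears under Personal only after approval.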

Viewing a Certificate

You may need to look at your certificates in the certificate stores.

  1. Open the Certificates management console. In the left pane, expand the certificate store that contains the certificate you want to view.

  2. Click the Certificates folder to see the list of certificates in that store.

  3. Right-click the certificate that you want to view, then click Open. (You can also view a certificate by double-clicking it).

    The certificate dialog is organized into three tabs.

    • The General tab summarizes the certificate: its intended purposes (the enhanced key usages it was issued for), whom it was issued to and by, and its validity period.

    • The Details tab displays the actual X.509 fields, extensions, and properties of a certificate. You can click Edit Properties in this view to modify the Friendly Name and Description fields. You can also restrict the purposes for which this certificate is enabled on your computer; this changes only the local properties, not the certificate itself.

    • The Certification Path tab displays the certification path, the chain of CA certificates from this certificate up to the root CA that issued it, and reports whether that chain is trusted and valid on this computer.
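What the three tabs show, reproduced from a script, as an added example that is not part of the original guide. It enumerates the user's Personal store, reads the Enhanced Key Usage extension for the "intended purposes" of the General tab, prints the X.509 fields of the Details tab, and builds the certification path with revocation checking the way the Certification Path tab does. It assumes Windows PowerShell 3.0 or later and that the Personal store is the one of interest.

```powershell
# Added example, not from the original guide. Shows from a script what the three
# tabs of the certificate dialog show: summary (General), raw fields (Details) and
# the chain up to the root CA with its trust status (Certification Path).
# Works in Windows PowerShell 3.0+; the store path is the user's Personal store.

$storePath = 'Cert:\CurrentUser\My'

foreach ($cert in Get-ChildItem -Path $storePath) {

    # General tab: "intended purposes" is the Enhanced Key Usage extension.
    # A certificate without an EKU extension is valid for all purposes.
    $ekuExt = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $purposes = if ($ekuExt) {
        ($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.FriendlyName }) -join ', '
    } else { 'All purposes' }

    # Certification Path tab: build the chain to a trusted root and check revocation.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $trusted = $chain.Build($cert)

    # ChainElements run from the end-entity certificate up to the root.
    $path = ($chain.ChainElements | ForEach-Object {
        $_.Certificate.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    }) -join ' -> '

    # When Build() fails, ChainStatus names the problem (UntrustedRoot,
    # RevocationStatusUnknown, NotTimeValid, ...). That is what the snap-in
    # reports in the certificate status box of this tab.
    $status = if ($trusted) { 'OK' } else {
        ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }

    # Details tab: the X.509 fields themselves.
    [pscustomobject]@{
        Subject      = $cert.Subject
        Issuer       = $cert.Issuer
        SerialNumber = $cert.SerialNumber
        NotBefore    = $cert.NotBefore
        NotAfter     = $cert.NotAfter
        Thumbprint   = $cert.Thumbprint
        FriendlyName = $cert.FriendlyName
        Purposes     = $purposes
        Path         = $path
        ChainStatus  = $status
    }
}
```

A chain status of UntrustedRoot on a certificate issued by your own enterprise CA usually means the CA's certificate has not reached this computer's Trusted Root Certification Authorities store, which is the first thing to check before suspecting the certificate itself.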

Exporting Certificates

You can back up important certificates and their corresponding private keys, or move them to another computer.

Note: The private key can be exported with the certificate only if the key was marked as exportable when the certificate was requested; for requests made through the Web enrollment form this is the Mark keys as exportable option. A key that was not marked exportable at request time cannot be exported later. For more information on this, see "A Step-by-Step Guide to Certificate Services Web Pages."

To export certificates

  1. Right-click the certificate(s) you want to export.

  2. Point to All Tasks on the context menu, and click Export to launch the Certificate Export Wizard. Click Next.

  3. If the certificate that you are exporting has a corresponding private key in the system and that key is exportable, you can choose to export the private key with the certificate.

    Note: If you export the private key, the only available file format is Personal Information Exchange (PKCS #12, *.pfx). The other formats (DER, Base-64, PKCS #7) contain the certificate only.

  4. Select the export file format from the options as shown in Figure 2 below.


    Figure 2: File Export Options

  5. Click Next. If the file specified is a Personal Information Exchange—PKCS #12 (*.pfx), you will be prompted for a password. This password encrypts the private key inside the file, so choose a strong one and keep it separate from the file. Enter and confirm the password. Click Next.

  6. Enter the name of the file you want to export. Click Next.

  7. Verify the choices you have made in the wizard. Click Finish to export to the file.

Importing Certificates

You may restore certificates and the corresponding private keys from a file.

  1. Right-click the certificate store into which you want to import, point to All Tasks on the context menu, and click Import.

  2. The Certificate Import Wizard launches. Click Next.

  3. In the File name text box, type the name of the certificate file that you want to import. Alternatively, you can find the file by clicking Browse.

  4. Click Next. If the file specified is a Personal Information Exchange–PKCS #12 (*.pfx), you will be prompted for the password. Enter the password to import the file. Click Next.

  5. On the next page, select where you'd like to store the certificate. Click Next.

  6. The next wizard page contains summary information about the file that you are importing. Click Finish to import the file. The certificate(s) are now ready for use by the system.
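The two wizards above as one command-line round trip, as an added example that is not part of the original guide: it checks that the private key exists and is exportable, exports the certificate with its key to a password-protected PKCS #12 file, imports that file into another store, and verifies the result. It uses Export-PfxCertificate and Import-PfxCertificate from the PKI module (Windows PowerShell 4.0 or later). The thumbprint, file path and destination store are assumptions; importing into the LocalMachine store requires an elevated prompt.

```powershell
# Added example, not from the original guide. Command-line counterpart of the
# Export and Import wizards: back up one certificate with its private key to a
# password-protected PKCS #12 (.pfx) file, then restore it into another store.
# Requires the PKI module (Windows PowerShell 4.0+). The thumbprint, file path
# and destination store are assumptions; importing into LocalMachine needs elevation.

$thumbprint = '0123456789ABCDEF0123456789ABCDEF01234567'   # assumed; replace with a real one
$pfxPath    = Join-Path $env:USERPROFILE 'usercert-backup.pfx'
$destStore  = 'Cert:\LocalMachine\My'

$cert = Get-Item -Path "Cert:\CurrentUser\My\$thumbprint"

# The wizard offers "Yes, export the private key" only when a key exists and was
# marked exportable at request time. Check both conditions up front. The
# Exportable flag is readable for CryptoAPI (CSP) keys, which is what a
# Windows 2000-era template issues; for CNG keys the PrivateKey getter may be
# empty or throw, in which case the export itself reports the problem.
if (-not $cert.HasPrivateKey) {
    throw 'No private key in the store for this certificate; export the certificate only (DER or Base-64).'
}
$csp = $null
try { $csp = $cert.PrivateKey -as [System.Security.Cryptography.RSACryptoServiceProvider] } catch { }
if ($csp -and -not $csp.CspKeyContainerInfo.Exportable) {
    throw 'The private key was not marked exportable when it was requested; it cannot be exported.'
}

# The password encrypts the private key inside the .pfx. Prompt for it rather
# than embedding it in the script.
$password = Read-Host -Prompt 'Password to protect the .pfx' -AsSecureString

# Export. BuildChain also writes the issuing CA certificates into the file, as
# the wizard's "Include all certificates in the certification path" option does.
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $password -ChainOption BuildChain | Out-Null

# Import into the destination store. Adding -Exportable would keep the restored
# key exportable; leaving it out means this copy cannot be exported again.
Import-PfxCertificate -FilePath $pfxPath -CertStoreLocation $destStore -Password $password | Out-Null

# Verify the round trip: same certificate, private key present in the new store.
$restored = Get-Item -Path "$destStore\$($cert.Thumbprint)"
[pscustomobject]@{
    Thumbprint    = $restored.Thumbprint
    Matches       = ($restored.Thumbprint -eq $cert.Thumbprint)
    HasPrivateKey = $restored.HasPrivateKey
}

# The .pfx file now holds a private key protected only by the password: move it
# to the backup location and delete the local copy when the transfer is done.
```

The exportability check matters because the wizard simply hides the private-key option when the key is not exportable, which is easy to miss; a backup taken that way contains the certificate alone and cannot restore the ability to decrypt or sign.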

Managing a Computer's Certificates

The Certificates MMC snap-in can be used to manage a computer's certificates.

  1. Start the MMC by clicking Run on the Start menu. Then type in mmc.exe in the text box and click OK.

  2. On the Console menu, click Add/Remove Snap-in.

  3. Click Add to add a snap-in to the current console.

  4. Select Certificates and then click Add.

  5. Select the Computer account option and then click Next.

  6. Select the Another computer option. Type the name of the computer you want to manage (or click Browse to select from a list). Click Finish.

  7. Close the Add Standalone Snap-in dialog box, and then click OK to close the Add/Remove Snap-in dialog box. You have now created the console with which to manage your computer's certificates.

  8. On the Console menu, click Save As. In the File name text box, type a name for this console, and then click Save.
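Reading another computer's certificates without building a console, as an added example that is not part of the original guide. It runs Get-ChildItem against the remote machine's Personal store over PowerShell Remoting, the command-line equivalent of choosing Computer account and Another computer above, and lists the certificates that have expired or will expire within a given number of days. It assumes WinRM is enabled on the target, that you hold administrative rights there, and that Windows PowerShell 3.0 or later is present on both ends; the computer name and threshold are assumed values.

```powershell
# Added example, not from the original guide. Inspect another computer's machine
# store (the snap-in's "Computer account" / "Another computer" choice) from the
# command line: run Get-ChildItem on Cert:\LocalMachine\My of the remote host
# over PowerShell Remoting and report certificates that are expired or close to it.
# Requires WinRM enabled on the target and administrative rights there.

function Get-ExpiringMachineCertificate {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [int] $WithinDays = 30
    )

    Invoke-Command -ComputerName $ComputerName -ArgumentList $WithinDays -ScriptBlock {
        param($WithinDays)
        $now    = Get-Date
        $cutoff = $now.AddDays($WithinDays)

        # Same store the snap-in opens under Certificates (Local Computer) > Personal.
        Get-ChildItem -Path 'Cert:\LocalMachine\My' |
            Where-Object { $_.NotAfter -le $cutoff } |
            ForEach-Object {
                [pscustomobject]@{
                    Computer      = $env:COMPUTERNAME
                    Subject       = $_.Subject
                    Issuer        = $_.Issuer
                    Thumbprint    = $_.Thumbprint
                    NotAfter      = $_.NotAfter
                    DaysLeft      = [int]($_.NotAfter - $now).TotalDays   # negative when already expired
                    HasPrivateKey = $_.HasPrivateKey
                }
            }
    }
}

# Usage; the computer name is an assumption.
Get-ExpiringMachineCertificate -ComputerName 'SERVER01' -WithinDays 60 |
    Sort-Object NotAfter | Format-Table -AutoSize
```

Run the function across a list of servers to find machine certificates (for example those used by web servers or domain controllers) before they expire, which is the routine check the saved console in step 8 is meant to support.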

Important Notes

The example company, organization, products, people, and events depicted in this step-by-step guide are fictitious. No association with any real company, organization, product, person, or event is intended or should be inferred.

This common infrastructure is designed for use on a private network. The fictitious company name and DNS name used in the common infrastructure are not registered for use on the Internet. Please do not use this name on a public network or Internet.

The Active Directory service structure for this common infrastructure is designed to show how Windows 2000 features work and function with the Active Directory. It was not designed as a model for configuring an Active Directory for any organization—for such information see the Active Directory documentation.