Introduction
This guide will walk you through the process of importing a trusted certificate chain and a client certificate into the Windows Certificate Store, specifically for use in mutual TLS (mTLS) communication in Snare Agent.
The guide includes step-by-step instructions with screenshots and GUI interactions.
Prerequisites
Client certificate and its private key as a single PKCS#12 bundle (.p12 or .pfx). The Windows Certificate Import Wizard does not read a separate .crt and .key pair, so if you only have PEM files, combine them into a PKCS#12 file first (for example with openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12).
Trusted Root Certificate (.crt or .cer file).
Intermediate Certificate (.crt or .cer file), if your chain has one (optional).
Step-by-step instructions
Step 1: Open the Microsoft Management Console (MMC)
Open the Run Dialog:
Press Windows + R on your keyboard to open the Run dialog box.
Type mmc and click OK to open the Microsoft Management Console.
...
Choose Computer account if the certificate will be used by services or system-wide. Writing to the computer stores requires administrator rights, so run MMC elevated.
Choose My user account if the certificate will only be used by the current user.
Click Next, then Finish, and OK.
...
Step 2: Import the Trusted Root Certificate
The trusted root certificate is the top of the chain of trust and must be placed in Trusted Root Certification Authorities. Intermediate certificates sit between the root and the client certificate; not every setup has one.
...
If needed, import the intermediate certificate into the Intermediate Certification Authorities store using the same process. Windows builds the chain it presents during the TLS handshake from the local stores, so the intermediate is needed here whenever the server requires the full chain to validate the client certificate and does not already hold the intermediate itself.
Step 3: Import the Client Certificate (with Private Key)
Navigate to Personal Certificates:
...
During the import process, make sure to check Mark this key as exportable. Be aware that an exportable private key can later be exported again by anyone with access to this store (administrators for the computer store, the user for the user store), so restrict access to the account and machine accordingly.
Complete the wizard, and the client certificate will be added to the Personal store.
...
Step 4: Verification
Verify the Certificates:
Navigate to Trusted Root Certification Authorities, Intermediate Certification Authorities (if used) and Personal.
Confirm that the certificates are listed. Double-click the client certificate in Personal: the General tab should state that you have a private key that corresponds to this certificate, and the Certification Path tab should show the chain up to the imported root with the status "This certificate is OK".
...
Go to the Destination Configuration page in the Agent GUI and select "mTLS" under Protocol to enable the mTLS Certificate field. Confirm that the imported client certificate appears in the list. The following figure shows the imported client certificate, named "Client Cert ml", in that list.
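The same four steps can be scripted, which is useful when rolling the agent out to many hosts and for checking the result without clicking through MMC. The script below is an added example and is not part of the Snare documentation or the Snare Agent itself; the directory C:\certs and the file names root-ca.crt, intermediate-ca.crt, client.crt, client.key and client.p12 are assumptions, and it targets the LocalMachine stores (the "Computer account" choice in Step 1; use Cert:\CurrentUser\... for "My user account"). Run it from an elevated PowerShell prompt.

```powershell
# Added example, not from the Snare documentation.
# Assumed layout: C:\certs\root-ca.crt, C:\certs\intermediate-ca.crt (optional),
# and C:\certs\client.p12, or client.crt + client.key to be converted first.
$CertDir   = 'C:\certs'
$RootCert  = Join-Path $CertDir 'root-ca.crt'
$InterCert = Join-Path $CertDir 'intermediate-ca.crt'
$ClientP12 = Join-Path $CertDir 'client.p12'

# Prerequisite: the Windows store only accepts a certificate together with its
# private key as PKCS#12, so build one from PEM files if it is not there yet.
# Requires openssl.exe on PATH; prompts for an export password.
if (-not (Test-Path $ClientP12) -and (Get-Command openssl -ErrorAction SilentlyContinue)) {
    & openssl pkcs12 -export `
        -in    (Join-Path $CertDir 'client.crt') `
        -inkey (Join-Path $CertDir 'client.key') `
        -out   $ClientP12
}

# Step 2: trusted root -> Trusted Root Certification Authorities (Root),
# intermediate -> Intermediate Certification Authorities (CA), if present.
Import-Certificate -FilePath $RootCert -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null
if (Test-Path $InterCert) {
    Import-Certificate -FilePath $InterCert -CertStoreLocation 'Cert:\LocalMachine\CA' | Out-Null
}

# Step 3: client certificate with private key -> Personal (My).
# -Exportable is the scripted equivalent of "Mark this key as exportable".
$PfxPassword = Read-Host -AsSecureString 'PKCS#12 password'
$Client = Import-PfxCertificate -FilePath $ClientP12 `
    -CertStoreLocation 'Cert:\LocalMachine\My' -Password $PfxPassword -Exportable

# Step 4: verify. HasPrivateKey must be True, and the chain must build to the
# root we just imported. Revocation checking is disabled so this works offline;
# it only validates chain structure, signatures and validity periods.
$Client | Format-List Subject, Issuer, Thumbprint, NotAfter, HasPrivateKey

$Chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
$Chain.ChainPolicy.RevocationMode = 'NoCheck'
if ($Chain.Build($Client)) {
    'Chain OK:'
    $Chain.ChainElements | ForEach-Object { '  ' + $_.Certificate.Subject }
} else {
    'Chain build failed:'
    $Chain.ChainStatus | ForEach-Object { '  ' + $_.StatusInformation.Trim() }
}
```

If the chain build fails with a message about an untrusted root, the root went into the wrong store (or the wrong account); if it fails with a "partial chain" status, the intermediate is missing from Intermediate Certification Authorities. Once the chain builds and HasPrivateKey is True, the certificate should appear in the mTLS Certificate list of the Agent GUI as described above.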
Conclusion
You have now imported the trusted certificate chain and the client certificate, with an exportable private key, into the Windows Certificate Store. This setup is ready for mutual TLS communication; the intermediate certificate is optional depending on your server's configuration.