This guide will walk you through the process of importing a trusted certificate chain and a client certificate into the Windows Certificate Store, specifically for use in mutual TLS (mTLS) communication in Snare Agent.
The guide includes step-by-step instructions with screenshots and GUI interactions.
Client Certificate file (.crt and .key), containing both the client certificate and private key.
Trusted Root Certificate (.crt or .cer file).
Intermediate Certificate (.crt or .cer file), if required (optional).
Open the Run Dialog:
Press Windows + R on your keyboard to open the Run dialog box.
Type mmc and click OK to open the Microsoft Management Console.
Add the Certificates Snap-in:
In the MMC window, go to File > Add/Remove Snap-in.
From the Available Snap-ins list, select Certificates and click Add.
Manage Certificates for Computer or User:
Choose Computer account if the certificate will be used by services or system-wide.
Choose My user account if the certificate will only be used by the current user.
Click Next, then Finish, and OK.
The trusted root certificate is the highest authority in the chain of trust. Intermediate certificates act as an intermediary between the root certificate and the client certificate but may not be needed in every setup.
Expand the Certificates Tree:
In the MMC, navigate to Certificates (Local Computer) (or Certificates - Current User).
Expand the tree and locate Trusted Root Certification Authorities.
Import Root Certificate:
Right-click Trusted Root Certification Authorities > All Tasks > Import.
Use the Certificate Import Wizard to browse and select your Root Certificate (.crt or .cer).
Complete the wizard, ensuring the certificate is placed in the Trusted Root Certification Authorities store.
Intermediate Certificate (Optional):
If needed, you can import the Intermediate Certificate in the Intermediate Certification Authorities section using the same process. This is only necessary if the server requires the entire chain to validate the client certificate and doesn’t already have the intermediate certificate.
Navigate to Personal Certificates:
In the MMC, expand the tree for Certificates (Local Computer) or Certificates - Current User.
Right-click Personal > All Tasks > Import.
Certificate Import Wizard:
In the Certificate Import Wizard, select your client certificate (.pfx or .p12 file).
If the certificate is protected by a password, you will be prompted to enter it.
Mark Key as Exportable (must):
During the import process, make sure to check Mark this key as exportable if you may need to export the certificate later with the private key.
Complete the wizard, and the client certificate will be added to the Personal store.