Appendix J - Certificate installation for sending logs using mTLS protocol

Introduction

This guide will walk you through the process of importing a trusted certificate chain and a client certificate into the Windows Certificate Store, specifically for use in mutual TLS (mTLS) communication in Snare Agent.

The guide includes step-by-step instructions with screenshots and GUI interactions.

Prerequisites

  1. Client Certificate file (.crt and .key or .p12), containing both the client certificate and private key.

  2. Trusted Root Certificate (.crt or .cer file).

  3. Intermediate Certificate (.crt or .cer file), if required (optional).

 Step-by-step instructions

Step 1: Open the Microsoft Management Console (MMC)

  • Open the Run Dialog:

  1. Press Windows + R on your keyboard to open the Run dialog box.

  2. Type mmc and click OK to open the Microsoft Management Console.

[Screenshot: mmc.png]
  • Add the Certificates Snap-in:

  1. In the MMC window, go to File > Add/Remove Snap-in.

  2. From the Available Snap-ins list, select Certificates and click Add.

  • Manage Certificates for Computer or User:

  1. Choose Computer account if the certificate will be used by services or system-wide.

  2. Choose My user account if the certificate will only be used by the current user.

  3. Click Next, then Finish, and OK.

[Screenshot: snap_final.png]

Step 2: Import the Trusted Root Certificate

The trusted root certificate is the highest authority in the chain of trust. Intermediate certificates act as an intermediary between the root certificate and the client certificate but may not be needed in every setup.

  • Expand the Certificates Tree:

  1. In the MMC, navigate to Certificates (Local Computer).

  2. Expand the tree and locate Trusted Root Certification Authorities.

  • Import Root Certificate:

  1. Right-click Trusted Root Certification Authorities > All Tasks > Import.

  2. Use the Certificate Import Wizard to browse and select your Root Certificate (.crt or .cer).

  3. Complete the wizard, ensuring the certificate is placed in the Trusted Root Certification Authorities store.

 

  • Intermediate Certificate (Optional):

  1. If needed, you can import the Intermediate Certificate in the Intermediate Certification Authorities section using the same process. This is only necessary if the server requires the entire chain to validate the client certificate and doesn’t already have the intermediate certificate.

Step 3: Import the Client Certificate (with Private Key)

  • Navigate to Personal Certificates:

  1. In the MMC, expand the tree for Certificates (Local Computer).

  2. Right-click Personal > All Tasks > Import.

  • Certificate Import Wizard:

  1. In the Certificate Import Wizard, select your client certificate (.pfx or .p12 file).

  2. If the certificate is protected by a password, you will be prompted to enter it.

    Note: If you have separate .crt and .key files, you need to combine them into a single .p12 file first. The following command can be used to do so:

    openssl pkcs12 -export -out combined.p12 -inkey your_private_key.key -in your_certificate.crt -name "your_cert_alias"
  • Mark Key as Exportable (must):

  1. During the import process, make sure to check Mark this key as exportable.

  2. Complete the wizard, and the client certificate will be added to the Personal store.

Step 4: Verification

  • Verify the Certificates:

  1. Navigate to Trusted Root Certification Authorities, Intermediate Certification Authorities (if used) and Personal.

  2. Confirm that the certificates are properly listed.

  • Verify the Snare Agent:

  1. Go to the Destination Configuration page in the Agent GUI and select “mTLS” under Protocol to enable the mTLS Certificate field. Confirm that the imported client certificate appears in the list. The following figure shows the imported client certificate named “Client Cert ml” in that list.
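The MMC checks above can be repeated from an elevated PowerShell prompt, which is useful when the Snare Agent does not list the certificate. The script below is an added example, not part of the Snare documentation: it looks the client certificate up in the Local Computer Personal store by a subject-name placeholder, confirms the private key is present and exportable (RSA keys only), and builds the chain against the local machine's Trusted Root and Intermediate stores, which is what the agent relies on.

```powershell
# Added verification check (not part of the Snare Agent documentation).
# Assumes the client certificate was imported into Certificates (Local Computer) > Personal
# and that $SubjectMatch (placeholder) is replaced with text from your certificate's subject.
param(
    [string]$SubjectMatch = 'CN=Client Cert ml'   # placeholder: adjust to your certificate
)

$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*$SubjectMatch*" } |
    Select-Object -First 1
if (-not $cert) { throw "No certificate matching '$SubjectMatch' in Cert:\LocalMachine\My" }

# Step 3 check: the Personal store entry must carry the private key, not just the public cert.
if (-not $cert.HasPrivateKey) { throw "Certificate has no private key; re-import the .p12/.pfx" }

# 'Mark this key as exportable' check. CNG keys expose an export policy, legacy CAPI keys a flag.
# Non-RSA keys (e.g. ECDSA) are not inspected here and report $false.
$exportable = $false
try {
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        $policy = $rsa.Key.ExportPolicy
        $exportable = ($policy -band [System.Security.Cryptography.CngExportPolicies]::AllowExport) -ne 0
    } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        $exportable = $rsa.CspKeyContainerInfo.Exportable
    }
} catch { Write-Warning "Could not inspect the private key export policy: $_" }

# Step 2 check: the chain must build from the client certificate up to a root that sits in
# Trusted Root Certification Authorities (via Intermediate Certification Authorities if used).
# Revocation checking is disabled so an offline CRL/OCSP endpoint does not mask a store problem.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$chainOk = $chain.Build($cert)

[PSCustomObject]@{
    Subject       = $cert.Subject
    Thumbprint    = $cert.Thumbprint
    HasPrivateKey = $cert.HasPrivateKey
    KeyExportable = $exportable
    ChainBuilds   = $chainOk
    ChainStatus   = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    ChainPath     = ($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) -join ' -> '
}
```

A result with ChainBuilds false and a ChainStatus such as an untrusted root or partial chain points at Step 2 (missing root or intermediate), while HasPrivateKey or KeyExportable false points at the Step 3 import.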

Conclusion

You have now successfully imported both the trusted certificate chain and the client certificate, with its private key marked exportable, into the Windows Certificate Store. This setup is ready for mutual TLS communication, with the intermediate certificate being optional depending on your server's configuration.