Adding Self-Signed PKI to Windows Trusted Certificate Store

This is part two of a series of creating your own self-signed PKI and some ways to utilize the PKI to setup SSL for your web server or create your own OpenVPN server.

Disclaimer: I am not a security expert. This is just the easiest way I have found to create and utilize SSL for my homelab services.

Prerequisites

Exporting Certificates from XCA

  1. Launch XCA
  2. Open the PKI database if it is not already (File > Open DataBase), enter password
  3. Click on the Certificates tab
  4. Right click the Intermediate CA certificate > Export > File
  5. Set the file name with a .crt extension and verify the export format is PEM (*.crt)
  6. Click OK
  7. Right click the Root CA certificate > Export > File
  8. Set the file name with a .crt extension and verify the export format is PEM (*.crt)
  9. Click OK

Importing Certificates Into Windows Certificate Store

  1. Right click the Start Button > Run
  2. Type mmc.exe, press enter
  3. Click File > Add/Remove Snap-in...
  4. Click Certificates
  5. Click Add
  6. Select Computer account
  7. Click Next
  8. Select Local computer
  9. Click Finish
  10. Click OK
  11. Expand Certificates > Trusted Root Certification Authorities
  12. Right click the second level Certificates > All Tasks > Import....
  13. Click Next
  14. Click Browse > Select the exported Root CA .crt file > Click Next
  15. Verify Include all extended properties is checked
  16. Click Next
  17. Click Next
  18. Click Finish
  19. Expand Certificates > Intermediate Certification Authorities
  20. Right click the second level Certificates > All Tasks > Import....
  21. Click Next
  22. Click Browse > Select the exported Intermediate CA .crt file > Click Next
  23. Verify Include all extended properties is checked
  24. Click Next
  25. Click Next
  26. Click Finish