Importing and exporting certificates

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Importing and exporting certificates

The Certificates snap-in provides administrative tools to export and import certificates, including their certification paths and private keys, if needed. You can export certificates to or import certificates from PKCS #12 files, PKCS #7 files, and binary-encoded X.509 certificate files.

Importing a certificate

You might want to import a certificate:

  • To install a certificate that was sent to you in a file by another user, computer, or certification authority.

  • To restore a damaged or lost certificate that you previously backed up.

  • To install a certificate and its associated private key from a computer that the certificate holder was previously using.

When you import a certificate, you copy the certificate from a file that uses a standard certificate storage format to a certificate store for your user account or your computer account.

Exporting a certificate

You might want to export a certificate:

  • To back up a certificate.

  • To back up a certificate and its associated private key.

  • To copy a certificate for use on another computer.

  • To remove a certificate and its private key from the certificate holder's current computer for installation on another computer.

When you export a certificate, you are copying the certificate from its certificate store to a file that uses a standard certificate storage format.

Standard certificate file formats

You can import and export certificates in the following formats:

  • Personal Information Exchange (PKCS #12)

    The Personal Information Exchange format (PFX, also called PKCS #12) enables the transfer of certificates and their corresponding private keys from one computer to another or from a computer to removable media.

    PKCS #12 (Public Key Cryptography Standard #12) is an industry format that is suitable for transport or backup and restoration of a certificate and its associated private key. This can be between products from the same vendor or different vendors.

    To use the PKCS #12 format, the cryptographic service provider (CSP) must recognize the certificate and keys as exportable. If a certificate was issued from a Windows Server 2003 or Windows 2000 certification authority, the private key for that certificate is only exportable if one of the following is true:

    • The certificate is for EFS (Encrypting File System) or EFS recovery.

    • The certificate was requested through the Advanced Certificate Request certification authority Web page with the Mark keys as exportable check box selected.

    Because exporting a private key might expose it to unintended parties, the PKCS #12 format is the only format supported in the Windows Server 2003 family for exporting a certificate and its associated private key.

  • Cryptographic Message Syntax Standard (PKCS #7)

    The PKCS #7 format enables the transfer of a certificate and all the certificates in its certification path from one computer to another, or from a computer to removable media. PKCS #7 files typically use the .p7b extension, and are compatible with the ITU-T X.509 standard. PKCS #7 allows for attributes, such as countersignatures, to be associated with signatures, and attributes such as signing time can be authenticated along with message content. For more information on PKCS #7, see the PKCS #7 page at the RSA Labs Web site.

  • DER Encoded Binary X.509

    DER (Distinguished Encoding Rules) for ASN.1, as defined in ITU-T Recommendation X.509, is a more restrictive encoding standard than the alternative BER (Basic Encoding Rules) for ASN.1, as defined in ITU-T Recommendation X.209, upon which DER is based. Both BER and DER provide a platform-independent method of encoding objects such as certificates and messages for transmission between devices and applications.

    During certificate encoding, most applications use DER because a portion of the certificate (the CertificationRequest's CertificationRequestInfo) must be DER-encoded to be signed.

    This format might be used by certification authorities that are not on computers running Windows Server 2003 , so it is supported for interoperability. DER certificate files use the .cer extension.

    For more information, see the document "ITU-T Recommendation X.509, Information Technology--Open Systems Interconnection--The Directory: Authentication Framework," at the International Telecommunication Union (ITU) Web site.

  • Base64 Encoded X.509

    This is an encoding method developed for use with Secure/Multipurpose Internet Mail Extensions (S/MIME), which is a popular, standard method for transferring binary attachments over the Internet. Base64 encodes files into ASCII text format, making corruption less likely as the files are sent through Internet gateways, while S/MIME provides some cryptographic security services for electronic messaging applications, including non-repudiation of origin using digital signatures, privacy and data security using encryption, authentication, and message integrity.

    The MIME (Multipurpose Internet Mail Extensions) specification (RFC 1341 and successors) defines a mechanism for encoding arbitrary binary information for transmission by electronic mail.

    Because all MIME-compliant clients can decode Base64 files, this format might be used by certification authorities that are not on computers running Windows Server 2003 , so it is supported for interoperability. Base64 certificate files use the .cer extension.

    For more information, see the document "RFC 2633 S/MIME Version 3 Message Specification, 1999," at the Internet Engineering Task Force (IETF) Web site.

Choosing an export format

If you are exporting certificates to be imported onto a computer running Windows, PKCS #7 format is the preferred export format, primarily because this format preserves the chain of certification authorities, or the certification path, of any certificate that includes countersignatures associated with signatures.

If you are exporting certificates for import onto a computer running another operating system, it is possible that the PKCS #7 format is supported. If it is not supported, the DER Encoded Binary format or the Base64 Encoded format are provided for interoperability.

For more information, see Import a certificate, Export a certificate, Export a certificate with the private key, and View the certificates in a PKCS #7 file.

Note