Adding a Trusted CA Certificate to the Computer’s Certificate Store on Windows XP Professional

When a client connects to a Web server, and that server accepts client certificates, it challenges the client to present a certificate issued by list of trusted CAs.  When using IIS the list of trusted CAs is obtained from the computer’s certificate store (not the IIS Certificate Trust List (CTL) as one might expect).

  1. Select windows ‘start’ and then ‘Run….

  1. When the ‘Run’ dialog opens type mmc /a’ to open the Microsoft Management Console (MMC) and click ‘OK’.

  1. When the MMC opens select ‘File’ and then ‘Add/Remove Snap-in….

  1. When the ‘Add/Remove Snap-in’ tab pane opens select ‘Standalone’ and then click ‘Add….

  1. When the ‘Add Standalone Snap-in’ dialog box opens select ‘Certificates’ and then click ‘Add’.

  1. When the ‘Certificate snap-in’ pane opens select ‘Computer account’ and then click ‘Next >’.

  1. When the ‘Select Computer’ pane opens select ‘Local computer: (the computer this console is running on)’ and then click ‘Finish’.

  1. Close the ‘Add Standalone Snap-in’ dialog box.  Notice the new ‘Certificates (Local Computer)’ entry in the ‘Add/Remove Snap-in’ tab pane and click ‘OK’ for the changes to take affect.

  1. The MMC will now have a ‘Certificates (Local Computer)’ entry under the ‘Console Root’.  Open the tree ‘Console Root->Certificates (Local Computer)->Trusted Root Certificates->Certificates’.  Right click on the ‘Certificates’ node and select ‘All Tasks->Import….

  1. When the ‘Certificate Import Wizard’ opens click ‘Next >’.

  1. When the ‘File to Import’ pane opens enter the file name (including the full path) of the certificate or select ‘Browse…. 

  1. Browse to the desired certificate file and then click ‘Open’.

  1. Once the file name is entered click ‘Next >’.

  1. The ‘Certificate Store’ pane will open.  Ensure ‘Place all certificates in the following store’ is selected and the ‘Trusted Root Certification Authorities’ is listed as the ‘Certificate Store:’.  Click ‘Next >’ once confirmed.

  1. The ‘Completing the Certificate Import Wizard’ pane will open.  Click ‘Finish’.

  1. When the ‘Certificate Import Wizard’ status dialog appears click ‘OK’.

  1. You can confirm the certificate has been imported by looking in the certificates list.

  1. Repeat steps 9-17 for each CA certificate you wish to import and then close the MMC.  You do not need to save the changes to the console for the certificates to take effect (it is simply saving the GUI preferences).



Back to Web Page Access Control Using PKI
PKI Lab Home

Dartmouth College PKI Lab
Last update:
26 February 2003