Introduction
Once you get your certificate from a CA and install it in a
browser, you can export it to a file and then import it into other
applications (typically browsers and email clients). The methods used
for importing and exporting into/from a given application are typically
similar up to the point where you choose Import or Export and you
either browse for an existing file to import or provide a file name and
location for export.
For security reasons, we recommend that you import this certificate only into applications on your own desktop or laptop.
Guard the file into which you export your certificate very carefully! It is a PKCS#12 container (extension .p12 or .pfx; the format is the same) holding your private key, and the password you choose at export time is the only thing protecting that key. Follow the instructions for protecting it, and delete any copies left on removable media once the import is done.
Netscape v7.2 / Mozilla 1.8a5 Browser (any OS)
First import the CA certificate:
- From the Edit menu select Preferences and open the Privacy & Security category and click on the Certificates item.
- In the Manage Certificates section, click on the Manage Certificates button.
- In the Certificate Manager window open the Authorities tab.
- Look for the ESnet, DOEGrids, and Fermilab KCA certs in the list. For any that is not there, continue.
- Click the Import button at the bottom of the window.
- It prompts you to select an existing file; select the CA certificate file from the location where you saved it. (You'll need to do DOEGrids, ESnet, and the Fermilab KCA in three separate import operations.)
- A "Downloading Certificate" dialog box appears and asks "Do you want to trust <name> for the following purposes?". Click all three boxes. Each box grants this CA a separate trust purpose, so click View first and compare the certificate's fingerprint with the one the CA publishes before you click OK. The certificate will appear in the browser's CA list.
- Repeat for other CA certs as needed.
Import your personal certificate (e.g., if it was exported from a different browser):
- From the Edit menu select Preferences and open the Privacy & Security category and click on the Certificates item.
- In the Manage Certificates section, click on the Manage Certificates button.
- In the Certificate Manager window the Your Certificates tab should automatically open. (If not, select it.)
- Click the Import button at the bottom of the window.
- It prompts you to select an existing file; select your certificate file from the location where you saved it when you exported it.
- It prompts you to provide the Master Password; enter it, if you have set one.
- It prompts you to provide the password used to encrypt the certificate backup; enter it.
- It should say "Successfully restored your certificate(s) and private key(s)." Click OK.

Export your personal certificate:
- From the Edit menu select Preferences and open the Privacy & Security category and click on the Certificates item.
- In the Manage Certificates section, click on the Manage Certificates button.
- In the Certificate Manager window the Your Certificates tab should automatically open. (If not, select it.)
- To export your DOEGrids or KCA personal certificate, click on it to select it, and click the Backup button at the bottom of the window.
- You'll be prompted to specify a filename and location for the PKCS#12-format certificate file (the extension is conventionally .p12 on UNIX/Linux and .pfx on Windows; the contents are the same). Provide them and click OK.
- A dialog box requesting the Master Password may appear (this is the password that protects the browser's key and certificate database). If you have set a Master Password, provide it. If not, you can make one up and provide it (optional). Remember this password!
- You'll be prompted to make up and (twice) enter a second password. This one encrypts this particular backup of your certificate and private key; anyone holding the file needs only this password to use your key, so choose it as carefully as a login password. Remember this password!
- Once the system says it's successfully backed up your certificate and private key, click OK.
Firefox v1.5.0.7 Browser
First import the CA certificate:
- From the Tools menu select Options and open the Advanced category, Security tab, and open the View Certificates item.
- In the Certificate Manager window open the Authorities tab.
- Look for the ESnet, DOEGrids, and Fermilab KCA certs in the list. If there, go to "Import your personal certificate", below. For any of these that is not there, continue here.
- Click the Import button at the bottom of the window.
- It prompts you to select an existing file; select the CA certificate file from the location where you saved it. (You'll need to do DOEGrids, ESnet, and the Fermilab KCA in three separate import operations.)
- A "Downloading Certificate" dialog box appears and asks "Do you want to trust <name> for the following purposes?". Click all three boxes. View if you like, then click OK. The certificate will appear in Firefox's CA list.
- Repeat for other CA certs as needed.
Import your personal certificate:
- Follow the same procedure as above, but in the Certificate Manager window open the Your Certificates tab. Click Import.
- Browse for your .pfx or .p12 file (you got this when you exported your certificate from the primary browser), and select it. You'll need to enter the password that protected the file when it was exported. The browser should inform you that your certificate was successfully imported (or restored).
Export your personal certificate:
- Follow the same procedure as above until you're in the Certificate Manager window. Open the Your Certificates tab, select your certificate, and click Backup (some versions label this button Export). Follow the instructions (similar to Netscape/Mozilla): you'll be asked for a file name and for a password to protect the backup.
Thunderbird v1.0.7 Mail
Thunderbird does not use the same certificate store as Firefox; you'll need to import the CA and personal certificates into this application separately.
First import the CA cert.
- From the Tools menu select Options and open the Advanced category and open the Certificates item.
- In the Manage Certificates and Devices section, click on the Manage Certificates button.
- In the Certificate Manager window open the Authorities tab.
- Click the Import button at the bottom of the window.
- It prompts you to select an existing file; select the CA certificate file from the location where you saved it. (You'll need to do DOEGrids, ESnet, and the Fermilab KCA in three separate import operations.)
- A "Downloading Certificate" dialog box appears and asks "Do you want to trust <name> for the following purposes?". Click all three boxes. View if you like, then click OK. The certificate will appear in Thunderbird's CA list.
- Repeat for other CA certs as needed.
Import your personal certificate.
- From the Tools menu select Options and open the Advanced category and open the Certificates item.
- In the Manage Certificates and Devices section, click on the Manage Certificates button.
- In the Certificate Manager window the Your Certificates tab should automatically open. (If not, select it.)
- Click the Import button at the bottom of the window.
- It prompts you to select an existing file; select your certificate file from the location where you saved it when you exported it.
- It prompts you to provide the Master Password; enter it.
- It prompts you to provide the password used to encrypt the certificate backup; enter it.
- It should say "Successfully restored your certificate(s) and private key(s)." Click OK.
Windows Applications
Microsoft Internet Explorer v6.0:
Export your personal certificate:
- From the Tools menu, select Internet Options and then the Content tab, and click the Certificates button.
- In the Certificates window, select your certificate and click the Export button.
- Work through the Certificate Export Wizard to export your certificate into a Personal Information Exchange (.pfx) file. Select the "Yes, export the private key" radio button and, on the following screen, make sure the "Enable strong protection" box is checked. Leave "Delete the private key if the export is successful" unchecked unless you really intend to remove the key from this machine.
- You will be prompted for a password to export the certificate; remember this password, as you will need it to re-import the certificate into another browser and/or machine, and it is the only thing protecting the private key inside the file.
- We recommend that you rename the resulting .pfx file to have a .p12 extension since the file is really in PKCS#12 format (Microsoft just calls it something else).
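Whatever its extension, the file these export steps produce is a PKCS#12 container holding your certificate and your encrypted private key. The script below is an added example, not part of these instructions, showing how to confirm that with the OpenSSL command-line tool on UNIX/Linux/macOS, restrict the file to its owner, and pull out only the public certificate for correspondents. It builds a throwaway self-signed certificate as a stand-in for your real one; the file names and the password are placeholders.

```shell
#!/bin/sh
# Added example: handling an exported PKCS#12 (.p12/.pfx) file with OpenSSL.
# Requires the openssl command-line tool. All file names and the password
# are placeholders; the certificate is a throwaway self-signed one generated
# here as a stand-in for a real CA-issued certificate.

WORK=$(mktemp -d)
BACKUP_PASS='example-export-password'   # the password chosen at export time

# Stand-in for "your certificate": a throwaway key pair and self-signed cert.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj '/CN=Example User/emailAddress=user@example.com' \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1

# What a browser's Export/Backup produces: cert + private key, encrypted
# under BACKUP_PASS.
openssl pkcs12 -export -in "$WORK/cert.pem" -inkey "$WORK/key.pem" \
    -name 'Example User' -passout "pass:$BACKUP_PASS" -out "$WORK/user.p12"

# Windows calls the same format .pfx; renaming changes nothing inside.
cp "$WORK/user.p12" "$WORK/user.pfx"

# Returns 0 if FILE is a PKCS#12 container that opens with PASSWORD,
# regardless of its extension. -info also prints (on stderr) the MAC and
# encryption algorithms, worth reading before trusting an old backup.
p12_check() {
    if openssl pkcs12 -in "$1" -passin "pass:$2" -info -noout >/dev/null 2>&1; then
        return 0
    fi
    return 1
}

# Prints the octal permission bits of FILE (GNU stat first, then BSD/macOS stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Owner-only read/write: apart from the backup password this is the only
# protection the private key has while it sits on disk.
p12_lock_down() {
    chmod 600 "$1" && [ "$(file_mode "$1")" = "600" ]
}

# Writes only the certificate (no private key) to OUT. This is the file you
# can hand to a correspondent so they can encrypt mail to you.
p12_public_only() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts -out "$3" 2>/dev/null
}

p12_check "$WORK/user.pfx" "$BACKUP_PASS" && echo "user.pfx is PKCS#12 despite the extension"
p12_lock_down "$WORK/user.p12" && echo "user.p12 mode: $(file_mode "$WORK/user.p12")"
p12_public_only "$WORK/user.p12" "$BACKUP_PASS" "$WORK/user-cert.pem" \
    && openssl x509 -in "$WORK/user-cert.pem" -noout -subject -fingerprint -sha256
```

Note that OpenSSL 3 encrypts exported PKCS#12 files with AES and PBKDF2 by default; clients as old as the ones on this page only understand the older 3DES/SHA-1 scheme, which you can request with `-certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES -macalg sha1` (or `-legacy` on OpenSSL 3) at the cost of weaker protection of the file.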

Import your personal certificate:
- From the Tools menu, select Internet Options and then the Content tab, and click the Certificates button.
- In the Certificates window, click the Import button.
- Work through the Certificate Import Wizard to import your certificate file. When browsing for the correct file, be sure to change the "Files of type" field from *.cer, *.crt to *.pfx, *.p12.
- You will be prompted for the password used to encrypt the private key when the certificate was initially exported. Enter it.
- Check the "Enable strong private key protection" box. Check "Mark this key as exportable" only if you expect to export this certificate from this machine again (for example, to carry it to another application or computer); a key imported without it cannot be exported from Windows later, which is the safer setting for a copy you will only use here.
- On the certificate store screen, choose "Place all certificates in the following store" and select the Personal store; that is where Windows and Outlook look for your own certificates.
- Click Finish to exit the wizard. It will take a moment to execute the import.
- A window pops up to say the application is creating a protected item, and asks you to select the security level. Leaving it at Medium (the default, which asks for confirmation each time an application uses the key) is fine; High additionally requires a password each time. Click OK.
- A window pops up to say the import was successful. Click OK.
Microsoft Outlook (Microsoft Office 2003)
Once you've imported a certificate into your IE
browser, Outlook can access it from the same store, so there's no need
to import it. There's also no need to export it from Outlook since you
can export it from IE. See instructions for IE.
That said, if you still want to export your certificate from Outlook, you can. Here are instructions:
- From the Tools menu, select Options.
- Select the Security tab.
- Click the “Import/Export…” button.
- Select the “Export your Digital ID to a file” radio button.
- Click the “Select…” button.
- Choose the Certificates you wish to export from the list, then click the “OK” button.
- In the “Filename” field, type a filename for your exported certificate.
- To protect your exported certificates, enter a password and confirm.
- Click the “OK” button again.
- You will need to enter the password for your certificate at this time and click "OK" (do not check the "Remember password" checkbox; this would defeat the "High" level of security on your certificate).
- Click the “OK” button.
Microsoft Outlook Express
Once you've imported a certificate into your IE browser, Outlook Express can access it from the same store, so there's no need to import it. There's also no need to export it from Outlook Express since you can export it from IE. See instructions for IE. Note: Outlook Express (which ships with Windows and IE, not with Office) is not recommended since it's been superseded by Outlook.
Macintosh Applications (Tiger) and Keychain Files
Macintosh handles certificates (and other sensitive information) using keychain files. Certificates are handled properly starting with the Tiger release (Panther does not handle them correctly). There is information about keychain files in the standard Macintosh help files. Briefly, certificates go in protected keychain files, and the browser and email applications access the certificates via these files. We recommend that you create a new keychain file to handle your PKI certificate(s). To do so:
- Make sure you have your certificate (and its CA and root CA certificates) available to the system (e.g., on removable media or on a protected area of the hard drive).
- Go to Applications -> Utilities -> Keychain Access.
- Select File -> New Keychain.
- Type the keychain file name and choose a location for it, then click Create.
- Give it a password, and remember the password!
- Go to Window -> Keychain List.
- Click Add.
- In the Keychain Access window, first select the system keychain called X509Anchors (the store of trusted root certificates).
- Select File > Import, and import all the CA certificates (e.g., in the case of DOEGrids, the DOEGrids CA and ESnet root CA certificates). You will need to use your login password to access the X509Anchors keychain file.
- Next select your new keychain file.
- Select File > Import, and import your personal certificates. You will need to use the original export password to open the certificate file, and your password for the new keychain file to put it into this keychain file.
If you have only one certificate, and you only plan to use Macintosh-native applications with your certificate (Safari and Mac Mail), you're done. These applications will find the certificate as needed.
If you want to use a non-native application (e.g., Firefox, Eudora), and/or you have multiple certificates (DOEGrids and KCA; note that the KCA certificate is not yet working on the Mac as of Dec 05), then you need to set up Access Control for your keychain file. Note that in the keychain file you may not be able to distinguish one key from another (e.g., which one corresponds to DOEGrids and which to KCA), so make a note of each one as you enter it, so that you'll be able to tell it from the next one you enter.
- In the Keychain Access window, select the keychain file that contains your certificate(s).
- Select Key in the Categories panel.
- Double-click your key file (it should be listed in the main panel).
- Select Access Control.
- Click the plus sign (+) to add an application to the access control list.
- Browse for the application, and click Open.
Safari
Safari v2.0.2 consults the keychain files on your Mac for a certificate by default. Once you have your certificate and private key in a keychain file, your certificate should automatically be presented to restricted websites as needed. The first time you use it, Safari will prompt you to ask whether you want to use the found certificate just this once or always. The prompt will recur each time until you click "Always".
If you have multiple certificates in your keychain file, you'll need to set the access control on your keychain such that Safari knows which one to use.
Mail (Mac)
The native Mac email client (Mail) consults the keychain files on your Mac for a certificate by default. Once you have your certificate and private key in a keychain file, Mail can access it. When you compose a new message, you will see the icons for encrypting (a lock) and signing (a check if enabled, an X if not) on the right-hand side of the message window. The signing icon should always be available to you; the encrypting icon is greyed out unless your correspondent has already sent you a signed email and your system has stored their certificate and public key.
If you have multiple certificates in your keychain file, you'll need to set the access control on your keychain such that Mail knows which one to use.
Export from Eudora (Mac)
Download CA certificates for import into applications
Copies of the CA certificates for ESnet, DOEGrids, and the KCA are available from either the Trusting Certificates and CA Certificate Downloads or the CA Certificates document in the Computing Division's DocDB.
From a browser into which you want to import them, download them all.
Different applications may need different combinations of these files.
- (Done in Firefox 1.5.0.7 on Win XP for documentation purposes; your browser may differ slightly.)
- From the DocDB page, select a file. For DOEGrids, you need ESnet_Root_CA.cer and DOE-CA-64.cer.
- To import directly into your browser, left-click on each (one at a time). A "Downloading Certificate" dialog box appears and asks "Do you want to trust <name> for the following purposes?". Click all three boxes. Before clicking OK, click View and compare the certificate's fingerprint with the value the CA publishes; you are about to trust this CA for web sites, email, and software. Then click OK. The certificate will appear in your browser's CA list (under Authorities or similar tab).
- You cannot export these files from a browser; if you'll need to import them into other applications, either repeat the above steps for each application, or instead of importing them directly as we've just done, right-click the files and save them to disk for later importation.
- For Fermilab KCA, save Fermilab_KCA_Certificate to disk (right-click and choose "Save link as...", and give a destination), and import it into your browser.
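A saved CA file (.cer) may be either DER (binary) or PEM (base64 text) encoded, and the check that matters before you tick the trust boxes is that its fingerprint matches the one the CA publishes out of band. The script below is an added example, not part of this page, that does that check with the OpenSSL command-line tool. It generates a throwaway self-signed certificate as a stand-in for a downloaded CA certificate; the file names and the "published" fingerprint are placeholders.

```shell
#!/bin/sh
# Added example: fingerprinting a downloaded CA certificate before trusting it.
# Requires the openssl command-line tool. The CA certificate is a throwaway
# self-signed one generated here as a stand-in; file names are placeholders.

WORK=$(mktemp -d)

# Stand-in for a downloaded CA certificate, in both encodings a .cer file
# might use: PEM (base64 text) and DER (raw binary).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Example Root CA' \
    -keyout "$WORK/ca-key.pem" -out "$WORK/ca.pem" >/dev/null 2>&1
openssl x509 -in "$WORK/ca.pem" -outform DER -out "$WORK/ca.cer"

# Prints the SHA-256 fingerprint of the certificate in FILE, accepting PEM or
# DER input. Returns non-zero if the file is not a certificate at all.
ca_fingerprint() {
    out=$(openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null) \
        || out=$(openssl x509 -in "$1" -inform DER -noout -fingerprint -sha256 2>/dev/null) \
        || return 1
    printf '%s\n' "${out#*=}"    # drop the "SHA256 Fingerprint=" label
}

# Prints the subject, so you can see which CA the file claims to be.
ca_subject() {
    openssl x509 -in "$1" -noout -subject 2>/dev/null \
        || openssl x509 -in "$1" -inform DER -noout -subject
}

# Compares FILE's fingerprint with EXPECTED (the value the CA publishes),
# ignoring letter case and the colon separators that tools add or omit.
ca_matches() {
    actual=$(ca_fingerprint "$1") || return 1
    [ "$(printf '%s' "$actual" | tr -d ':' | tr 'A-F' 'a-f')" = \
      "$(printf '%s' "$2" | tr -d ':' | tr 'A-F' 'a-f')" ]
}

# Placeholder for the fingerprint you would read off the CA's own page.
PUBLISHED=$(ca_fingerprint "$WORK/ca.pem")
ca_subject "$WORK/ca.cer"
echo "SHA-256 fingerprint: $PUBLISHED"
ca_matches "$WORK/ca.cer" "$PUBLISHED" && echo "ca.cer matches the published fingerprint; safe to import"
```

The View button in the browser's "Downloading Certificate" dialog shows the same fingerprint, so you can run this on the saved file and compare the two before clicking OK.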