Automatically updating the Trusted Root Certification Authorities certificate store on Windows computers that have no direct Internet access
"Cannot build a certificate chain for a trusted root authority"
How to add a root certificate


Certificates used by the Kontur Extern system can be added or deleted with the mmc console in the following stores:

  • Other People (the store for certificates of the regulatory authorities)
  • Trusted Root Certification Authorities and Intermediate Certification Authorities (the stores for the Certification Authority's certificates).

Personal certificates are installed only with the CryptoPro program.

To launch the console, do the following:

1. Select Start / Run (or press Win+R).

2. Type the command mmc and click OK.

3. Select File / Add or Remove Snap-in (see Fig. 1).

Fig. 1. Console window

4. Select the Certificates snap-in from the list and click Add (see Fig. 2).

Fig. 2. Adding the snap-in

5. In the window that opens, select the My user account option and click Finish (see Fig. 3).

Fig. 3. Certificates snap-in

6. Select the added snap-in in the list on the right and click OK (see Fig. 4).

Fig. 4. Selecting the added snap-in


Installing certificates

1. Open the required store (for example, Trusted Root Certification Authorities). To do this, expand the branch Certificates - Current User / Trusted Root Certification Authorities / Certificates (see Fig. 5).

Fig. 5. Console window

2. Select Action / All Tasks / Import (see Fig. 6).

Fig. 6. "All Tasks / Import" menu

3. In the window that opens, click Next.

4. Click Browse and specify the certificate file to import (the Certification Authority's root certificates can be downloaded from the Certification Authority's website; certificates of the regulatory authorities are available on the Kontur-Extern website). After selecting the certificate, click Open (see Fig. 7), then click Next.

Fig. 7. Selecting a certificate to import

5. In the next window, click Next (the required store is selected automatically); see Fig. 8.

Fig. 8. Selecting the store

6. Click Finish to complete the import (see Fig. 9).

Fig. 9. Completing the certificate import


Removing certificates

To remove certificates with the mmc console (for example, from the Other People store), do the following:

Expand the branch Certificates - Current User / Other People / Certificates. All certificates installed in the Other People store are listed on the right side of the window. Select the required certificate, right-click it and choose Delete (see Fig. 10).

Fig. 10. Console window
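The same import and removal as in the mmc steps above, done with PowerShell. This is an added example, not part of the original article; the certificate path is a placeholder, and the Cert: drive uses short store names that differ from the console labels (they are mapped in the comments).

```powershell
# Added example, not from the original article: install a CA certificate into the current
# user's Trusted Root Certification Authorities store, verify it and remove it by thumbprint.
$CerPath = 'C:\certs\ca-root.cer'   # placeholder: path to the downloaded root certificate

# Store names on the Cert: drive versus the labels shown in the mmc console:
#   Root        = Trusted Root Certification Authorities
#   CA          = Intermediate Certification Authorities
#   AddressBook = Other People (certificates of the regulatory authorities)
$Store = 'Cert:\CurrentUser\Root'

# Read the file first so the thumbprint is known before the store is changed.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CerPath)
"Subject:    $($cert.Subject)"
"Thumbprint: $($cert.Thumbprint)"
"Valid:      $($cert.NotBefore) to $($cert.NotAfter)"

# Import. For the user's Root store Windows shows the same warning as the mmc wizard,
# because a trusted root makes every certificate it has signed trusted as well.
Import-Certificate -FilePath $CerPath -CertStoreLocation $Store | Out-Null

# Verify by thumbprint (not by subject: several certificates can share one subject).
$installed = Get-ChildItem $Store | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
if ($installed) { "Installed in $Store" } else { throw "Import failed" }

# Removal, the equivalent of right-click > Delete in the console (uncomment to use):
# Remove-Item "$Store\$($cert.Thumbprint)"
```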

Good afternoon, dear readers of the blog. Over the past month I have been asked several times by e-mail where certificates are stored in Windows. Below I will cover this question in detail: the structure of the store, how to find certificates and how to use this in practice. It will be especially interesting to people who often work with digital signatures (electronic digital signature).

Why do you need to know where certificates are stored in Windows?

Here are the main reasons you might want this knowledge:

  • You need to view or install a root certificate
  • You need to view or install a personal certificate
  • Curiosity

Earlier I wrote about what kinds of certificates exist and where to obtain and use them; I recommend reading that article, since it covers the fundamentals of this topic.

In every Windows version from Windows Vista through Windows 10 Redstone 2, certificates are kept in one place: a kind of container divided into two parts, one for the user and one for the computer.

In Windows, most settings can be changed through an mmc snap-in, and the certificate store is no exception. Press Win+R and type mmc in the window that opens.

You could also run certmgr.msc, but that opens only the current user's personal certificates.

In the empty mmc console, open the File menu and select Add or Remove Snap-in (keyboard shortcut Ctrl+M).

In the Add or Remove Snap-ins window, find Certificates in the Available snap-ins list and click Add.

Here, in the certificate manager, you can add a snap-in for:

  • My user account
  • Service account
  • Computer account

I usually add one for the user account

and one for the computer.

The computer account has an additional choice: the local computer or a remote one on the network. Select the local computer and click Finish.

In the end I got this picture.

Let's save the console we created right away so we don't have to repeat these steps next time: File > Save As.

Choose the save location and that's it.

This is the certificate store console. My example is on Windows 10 Redstone, but I assure you the window looks the same everywhere. As I wrote earlier, there are two areas: Certificates - Current User and Certificates (Local Computer).

Certificates - current user

This area contains the following folders:

  1. Personal > personal certificates (public or private keys) that you install from various Rutoken or eToken devices
  2. Trusted Root Certification Authorities > the certificates of certification authorities; by trusting them you automatically trust all certificates they issue. They are needed to verify most certificates in the world automatically. This list is used when building chains of trust between CAs, and it is updated through Windows updates.
  3. Enterprise Trust
  4. Intermediate Certification Authorities
  5. Active Directory User Object
  6. Trusted Publishers
  7. Untrusted Certificates
  8. Third-Party Root Certification Authorities
  9. Trusted People
  10. Client Authentication Issuers
  11. Local NonRemovable Certificates
  12. Smart Card Trusted Roots

The Personal folder contains no certificates by default unless you have installed them. They can be installed from a token, by requesting a certificate, or by importing one in one of the following formats:

  • PKCS#12 (.PFX, .P12)
  • Cryptographic Message Syntax Standard - PKCS #7 Certificates (.p7b)
  • Serialized Certificate Store (.SST)

Under Trusted Root Certification Authorities you will see an impressive list of root certificates from the largest issuers. Thanks to them your browser trusts most certificates on websites, since trusting a root means trusting everything it has issued.

Double-click a certificate to view its contents.

The only action available is exporting them, so that you can later install them on another computer.

Export is available in the most common formats.

Another interesting one is the list of certificates that have already been revoked or compromised.

To install certificates, connect the USB flash drive with the electronic signature, open it and install the certificates:

1. Install the certificate of the head certification authority into Trusted Root Certification Authorities. To do this:

1.1. Double-click the head CA certificate, the file "Head Certification Authority.cer".

1.2. In the form that opens, click "Install Certificate...".

1.3. Select "Place all certificates in the following store" (tick the option) and click "Browse".

1.4. In the list that opens, select "Trusted Root Certification Authorities" and click "OK".

2. Install a personal certificate

A personal certificate is installed with the CryptoPro CSP program.

2.1. Launch CryptoPro CSP (Start -> CryptoPro CSP, or Start -> All Programs -> CRYPTO-PRO -> CryptoPro CSP).

2.2. In the window that opens, select the "Service" tab and click "Install personal certificate...".

2.3. In the window that opens, click "Browse", select the organization's certificate on the flash drive (the second file with the .cer extension, not the CA certificate file; in the example, "adicom.cer") and click "Next".

2.4. In the form that opens, click "Next".

2.5. In the form that opens, tick "Find container automatically". The "Key container name" field is then filled in; click "Next".

2.6. In the form that opens, click "Next".

2.7. In the form that opens, click "Finish".

Everything needed for generating an electronic signature is now installed: you can sign printed forms.

3. Install the CryptoPro Extension for CAdES Browser Plug-in extension (add-on) in the browser

To install the CryptoPro Extension for CAdES Browser Plug-in extension (add-on), open your browser's extension store and search for "Cades". For Yandex.Browser, link -

Installing self-signed certificates is a very common task for a system administrator. Usually it is done by hand, but what if there are dozens of machines? And what do you do when reinstalling the system or buying a new PC, when there may be more than one certificate? Write cheat sheets? Why, when there is a much simpler and more convenient way: Active Directory group policies. Configure the policy once and you no longer have to worry about whether users have the necessary certificates.

Today we will look at certificate distribution using the example of the Zimbra root certificate, which we exported to . Our task is as follows: automatically distribute the certificate to all computers in the Office organizational unit (OU). This avoids installing the certificate where it is not needed: on servers, warehouse and cash-register workstations, and so on.

Open the Group Policy Management snap-in and create a new policy in the Group Policy Objects container: right-click the container and select New. A policy can install one or several certificates at once. That is up to you, but we prefer a separate policy for each certificate, which makes it more flexible to change the rules for their use. Also give the policy a clear name, so that when you open the console six months later you don't have to struggle to remember what it is for.

Then drag the policy onto the Office container, which links it to this OU.

Now right-click the policy and select Edit. In the Group Policy Editor that opens, expand Computer Configuration - Windows Settings - Security Settings - Public Key Policies - . In the right part of the window, right-click, select Import and import the certificate.

The policy has been created; now it is time to check that it is applied correctly. In the Group Policy Management snap-in, select Group Policy Modeling and right-click it to run the Modeling Wizard.

Most settings can be left at their defaults; the only thing you need to specify is the user and computer for which you want to check the policy.

After the modeling run, we can verify that the policy is successfully applied to the specified computer. Otherwise, expand the Denied GPOs item and look at the reason why the policy turned out to be inapplicable to this user or computer.

Then check the policy on the client PC. To do this, refresh the policies manually with the command:

gpupdate

Now open the certificate store. The easiest way is through Internet Explorer: Internet Options - Content - Certificates. Our certificate should be present in the Trusted Root Certification Authorities container.

As you can see, everything works and the administrator has one less headache: the certificate is distributed automatically to all computers placed in the Office OU. If necessary, you can set more complex conditions for applying the policy, but that is beyond the scope of this article.
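The client-side check described above, done from PowerShell instead of the Internet Explorer dialog. This is an added example, not part of the original article; the thumbprint is a placeholder to be taken from the certificate's Details tab.

```powershell
# Added example, not from the original article: confirm on a client PC that a certificate
# delivered by group policy has landed in the computer's Trusted Root store.
$ExpectedThumbprint = '0000000000000000000000000000000000000000'   # placeholder thumbprint

# Pull the computer policies now instead of waiting for the refresh interval.
gpupdate /force /target:computer | Out-Null

# Certificates from Computer Configuration policies go to the local computer store
# (Cert:\LocalMachine\Root), not to the current user's store, so that is where to look.
$found = Get-ChildItem 'Cert:\LocalMachine\Root' |
         Where-Object { $_.Thumbprint -eq $ExpectedThumbprint }

if ($found) {
    "OK: '$($found.Subject)' is in LocalMachine\Root (expires $($found.NotAfter))"
} else {
    "Missing: certificate not in LocalMachine\Root. Applied and denied GPOs for this computer:"
    gpresult /scope computer /r
}
```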

When submitting documents or registering an organization, users encounter the error "Cannot build a certificate chain for a trusted root authority". If you try again, the error appears again. What to do in this situation is described further in the article.

Causes of errors in the certificate chain

The error can have various causes: problems with the Internet on the client side, blocking by Windows Defender or other antivirus software, a missing root certificate of the Certification Authority, problems in the cryptographic signing process, and others.

Fixing the error when building a certificate chain for a trusted root authority

First of all, make sure you have no problems with your Internet connection; the error may appear if there is no access. The network cable must be connected to the computer or router.

  1. Click the "Start" button and search for "Command Prompt".
  2. Right-click it and select "Run as administrator".
  3. Enter the command ping google.ru in the console window.

If the Internet is connected, you will see data on the sent packets, round-trip time and other information. If there is no Internet, you will see that the packets did not reach their destination.

Now check for the presence of the root certificate of the Certification Authority. To do this:


If the certificate is missing, download it. In most cases it is available among the root certificates and the user only has to install it. It is also worth using the Internet Explorer browser so that fewer errors and failures occur during work. Find the CA among the root certificates, click "Install", restart your browser, and the error "Cannot build a certificate chain for the trusted root authority" is resolved.

Checking the CA root certificate in the browser

The check can be performed in a browser.

  1. Select "Tools" from the menu.
  2. Next, click the "Internet Options" line.
  3. Click the Content tab.
  4. Here select "Certificates".
  5. Next, the "Trusted Root Certification Authorities" tab. The CA root certificate should be here, usually at the bottom of the list.

Now repeat the steps that caused the error. To obtain a root certificate, contact the certification authority where you received the UPC ES.
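To see which link of the chain Windows cannot build, the following PowerShell repeats the chain validation that the signing software performs on the personal certificate and prints the failing status. This is an added example, not from the original article; the certificate path is a placeholder.

```powershell
# Added example, not from the original article: reproduce the check behind the error
# "Cannot build a certificate chain for a trusted root authority" and show which link fails.
function Test-CertChain {
    param([Parameter(Mandatory)][string]$CerPath)   # path of the personal (leaf) certificate

    $leaf  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CerPath)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain

    # Check revocation online (CRL/OCSP) as the signing software does; this is where a
    # missing Internet connection turns into a chain error.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot

    $ok = $chain.Build($leaf)

    # Print every link Windows managed to assemble, leaf first and root last.
    foreach ($el in $chain.ChainElements) {
        "{0,-50} {1}" -f $el.Certificate.Subject, ($el.ChainElementStatus.Status -join ',')
    }
    if (-not $ok) {
        # Typical statuses: PartialChain / UntrustedRoot = the CA root certificate is not in
        # Trusted Root Certification Authorities; RevocationStatusUnknown / OfflineRevocation =
        # the CRL could not be downloaded (no Internet or the download is blocked).
        $chain.ChainStatus | ForEach-Object { "FAIL: $($_.Status) - $($_.StatusInformation.Trim())" }
    }
    return $ok
}

Test-CertChain -CerPath 'C:\certs\user.cer'   # placeholder path to the personal certificate
```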

Other ways to fix certificate chain error

Let's look at how to download, install and use CryptoPro properly. To make sure the program is not installed on your PC (if the computer has several users), open the Start menu, select "Programs" and look for "CryptoPro" in the list. If it is not there, install it. Download the program from https://www.cryptopro.ru/downloads; you need "CryptoPro CSP" - select the version.

In the next window you should see a message about preliminary registration.


Installation of CryptoPro

Once the installation file is downloaded, run it to install the program on your computer. The system will warn that the program is asking for permission to change files on the PC; allow it.

Before installing the program on your computer, all your tokens must be removed. The browser must be configured for the program; the exception is the Opera browser, where all default settings are already in place. The only thing left for the user is to activate a special plugin. During the process you will see a window in which Opera offers to activate this plugin.

After starting the program, you need to enter the key in the window.

The program can be launched from "Start", "All Programs", "CryptoPro", "CryptoPro CSP". In the window that opens, click "Enter license" and enter the key in the last field. Done. Now configure the program to suit your needs. In some cases additional utilities are used for electronic signatures: CryptoPro Office Signature and CryptoARM. You can also fix the error "Cannot build a certificate chain for a trusted root authority" by simply reinstalling CryptoPro; try this if the other tips don't help.

Is the error still appearing? Send a request to the support service with screenshots of your sequential actions and a detailed explanation of your situation.