How do I import an internal Root CA that was created with Microsoft Certificate services?
Although the steps listed here import an existing internal Root CA, it is recommended to use a subCA instead. Steps for this can be found in the attached document.
1. Log on to the Domain Controller that has the target Certificate Authority installed.
2. Open the Certificate Authority MMC (run certsrv.msc).
3. Right-click the CA name in the tree ("Demo" in the example), and select All Tasks > Back up CA.
The Certification Authority Backup Wizard starts.
4. On the Items to Back Up page, select Private key and CA certificate, enter a location in which to save the file, and click Next.
5. On the Select a Password page, enter a password and confirm it. This password will be required when processing and importing the key into Websense Content Gateway.
6. Click Next and then Finish. When the process is complete, you will have a CA_name.p12 file in the folder you specified. This file contains both the public key and private key for the certificate.
7. Next, use OpenSSL to export the private key and certificate from the .p12 file.
- If OpenSSL is not installed on the system, download OpenSSL for Windows.
NOTE: The correct version of OpenSSL must be used, based on the Websense version:
Websense Content Gateway 7.7 and prior use OpenSSL 0.9.8
Websense Content Gateway 7.8 and beyond use OpenSSL 1.0.1e
- 7.8.4 and beyond can be updated to OpenSSL 1.0.1m with hotfix patches
8. Copy the .p12 file to C:\OpenSSL\bin and then open a command prompt in the same location.
C:\OpenSSL\bin> openssl pkcs12 -in filename.p12 -clcerts -nokeys -out cert.cer
10. The newly created private key file and certificate file must be edited to remove unwanted header information. Edit the files with a text editor such as Notepad or WordPad.
a. Open the key .cer file and remove all header information that precedes:
-----BEGIN RSA PRIVATE KEY-----
NOTE: Some keys may also include additional information at the end of the file. Remove all data that follows the first:
-----END RSA PRIVATE KEY-----
b. Open the certificate .cer file and remove all header information that precedes:
NOTE: Some certificates may also include additional information at the end of the file. Remove all data that follows the first:
11. Now the files are ready to be imported into Websense Content Gateway. Log on to Content Manager and go to Configure > SSL > Internal Root CA > Import Root CA.
a. Browse to select the certificate file.
d. Click Import Root CA.
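
Added example (not part of the original article or of Websense's own tooling): the manual clean-up in step 10 done with a short Python script that keeps only the first PEM block of a given type and drops the attribute text before and after it. The function name and the sample text are constructed for illustration, and the sample body is placeholder bytes rather than a real certificate.

```python
import base64
import re

# One PEM block of any label; the back-reference ties END to its BEGIN.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL
)


def first_pem_block(text, label):
    """Return only the first PEM block with this label.

    Text before its BEGIN line (such as "Bag Attributes") and everything
    after its END line is dropped, as step 10 describes.
    """
    for match in PEM_BLOCK.finditer(text):
        if match.group(1) != label:
            continue
        lines = [ln.strip() for ln in match.group(2).splitlines() if ln.strip()]
        # Raises binascii.Error (a ValueError) if the body is not clean base64,
        # which catches a file damaged by hand editing.
        base64.b64decode("".join(lines), validate=True)
        block = ["-----BEGIN %s-----" % label] + lines + ["-----END %s-----" % label]
        return "\n".join(block) + "\n"
    raise ValueError("no %s block found" % label)


# Constructed sample shaped like the exported certificate file. The body is
# placeholder bytes, not a real certificate.
_B64 = base64.b64encode(b"constructed placeholder, not a certificate " * 2).decode()
_BODY = _B64[:64] + "\n" + _B64[64:] + "\n"
SAMPLE = (
    "Bag Attributes\n"
    "    friendlyName: Demo\n"
    "subject=/CN=Demo\n"
    "issuer=/CN=Demo\n"
    "-----BEGIN CERTIFICATE-----\n" + _BODY + "-----END CERTIFICATE-----\n"
    "Bag Attributes: <No Attributes>\n"
    "-----BEGIN CERTIFICATE-----\n" + _BODY + "-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    print(first_pem_block(SAMPLE, "CERTIFICATE"), end="")
```

The same function handles the key file when called with the label "RSA PRIVATE KEY".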