- Installing the trusted root certificate
- Installing a trusted root certificate
- Adding certificate snap-ins
- How to install imported certificates on a Web server in Windows Server 2003
- Install the Certificates
- Import the certificate into the local computer store
- Assign the Imported Certificate to the Web Site
- Installing Test Certificates
- Install certificates required for Visual Studio offline installation
- How to refresh certificates when offline
- Option 1 — Manually install certificates from a layout folder
- Option 2 — Distribute trusted root certificates in an enterprise environment
- Option 3 — Install certificates as part of a scripted deployment of Visual Studio
- What are the certificate files in the Certificates folder?
- Why are the certificates from the Certificates folder not installed automatically?
- Checking if certificates are already installed
- Install Visual Studio
- Get support
Installing the trusted root certificate
Applies to: Lync Server 2013 | Skype for Business 2015
Installing a trusted root certificate is necessary only if you are notified that the certificate authority is not trusted on a machine. This can occur when you use a private or custom certificate server instead of acquiring certificates from an established public certificate authority.
Installing a trusted root certificate
On the machine that requires a certificate, in your web browser, navigate to your local certification server. This should be the same certificate authority used for generating the server and, optionally, client certificates.
Choose the Download a CA certificate, certificate chain, or CRL link, as needed.
Select the appropriate certificate authority from the list and choose the Base 64 Encoding method.
Choose the Download CA certificate link, and then choose the Open option when prompted to open or save the certificate.
When the certificate window opens, choose Install Certificate…. The Certificate Import wizard appears.
In the wizard, choose Next. Then, when you are prompted for the Certificate Store, choose Place all certificates in the following store. Select the Trusted Root Certification Authorities store.
Complete the remaining steps of the wizard and click Finish.
Upon completing the wizard, you next want to add the certificate snap-ins using the Microsoft Management Console (MMC).
Adding certificate snap-ins
Launch MMC (mmc.exe).
Choose File > Add/Remove Snap-ins.
Choose Certificates, then choose Add.
Choose My user account.
Choose Add again and this time select Computer Account.
Move the new certificate from the Certificates-Current User > Trusted Root Certification Authorities into Certificates (Local Computer) > Trusted Root Certification Authorities.
How to install imported certificates on a Web server in Windows Server 2003
This article describes how to import a Web site certificate into the certificate store of the local computer and assign the certificate to the Web site.
Original product version: Windows Server 2003
Original KB number: 816794
Install the Certificates
The Windows 2003 Internet Information Server (IIS) 6.0 supports Secure Sockets Layer (SSL) communications. A whole Web site, a folder on the Web site, or a particular file that is located in a folder on the site can require a secure SSL connection. However, before the Web server can support SSL sessions, a Web site certificate must be installed.
You can use one of the following methods to install a certificate in IIS 6.0:
- Make an online request by using the IIS Web Server Certificate Wizard and install the certificate at the time of the request.
- Make an offline request by using the IIS Web Server Certificate Wizard and obtain and install the certificate later.
- Request a certificate without using the IIS Web Server Certificate Wizard.
If you use the second or third method, you must install the certificate manually.
To install the Web site certificate, you must complete the following tasks:
- Import the certificate into the computer’s certificate store.
- Assign the installed certificate to the Web site.
Import the certificate into the local computer store
To import the certificate into the local computer store, follow these steps:
- On the IIS 6.0 Web server, select Start, and then select Run.
- In the Open box, type mmc, and then select OK.
- On the File menu, select Add/Remove snap-in.
- In the Add/Remove Snap-in dialog box, select Add.
- In the Add Standalone Snap-in dialog box, select Certificates, and then select Add.
- In the Certificates snap-in dialog box, select Computer account, and then select Next.
- In the Select Computer dialog box, select Local computer: (the computer this console is running on), and then select Finish.
- In the Add Standalone Snap-in dialog box, select Close.
- In the Add/Remove Snap-in dialog box, select OK.
- In the left pane of the console, double-click Certificates (Local Computer).
- Right-click Personal, point to All Tasks, and then select Import.
- On the Welcome to the Certificate Import Wizard page, select Next.
- On the File to Import page, select Browse, locate your certificate file, and then select Next.
- If the certificate has a password, type the password on the Password page, and then select Next.
- On the Certificate Store page, select Place all certificates in the following store, and then select Next.
- Select Finish, and then select OK to confirm that the import was successful.
Assign the Imported Certificate to the Web Site
- Select Start, point to Administrative Tools, and then select Internet Information Services (IIS) Manager.
- In the left pane, select your server.
- In the right pane, double-click Web Sites.
- In the right pane, right-click the Web site you want to assign the certificate to, and then select Properties.
- Select Directory Security, and then select Server Certificate.
- On the Welcome to the Web Certificate Wizard page, select Next.
- On the Server Certificate page, select Assign an existing certificate, and then select Next.
- On the Available Certificates page, select the installed certificate you want to assign to this Web site, and then select Next.
- On the SSL Port page, configure the SSL port number. The default port of 443 is appropriate for most situations.
- Select Next.
- On the Certificate Summary page, review the information about the certificate, and then select Next.
- On the Completing the Web Server Certificate Wizard page, select Finish, and then select OK.
You can now configure Web site elements to use secure communications.
Installing Test Certificates
To successfully install a test-signed driver package on a test computer, the computer must be able to verify the signature. To do that, the test computer must have the certificate for the certificate authority (CA) that issued the package’s test certificate installed in the computer’s Trusted Root Certification Authorities certificate store.
The CA certificate must be added to the Trusted Root Certification Authorities certificate store only once. Once added, it can then be used to verify the signature of all drivers or driver packages, which were digitally signed with the certificate, before the driver package is installed on the computer.
The simplest way to add a test certificate to the Trusted Root Certification Authorities certificate store is through the CertMgr tool. This topic will describe the procedure for installing the test certificate, Contoso.com(test). This certificate is stored within the ContosoTest.cer file. For more information about how this certificate was created, see Creating Test Certificates.
The following command-line uses Certmgr.exe to install, or add, the Contoso.com(test) certificate to the test computer’s Trusted Root Certification Authorities certificate store:
The /add option specifies that the certificate in the ContosoTest.cer file is to be added to the specified certificate store.
The /s option specifies that the certificate is to be added to a system store.
The /r option specifies the system store location, which is either currentUser or localMachine.
Root specifies the name of the destination store for the local computer, which is either root to specify the Trusted Root Certification Authorities certificate store or trustedpublisher to specify the Trusted Publishers certificate store.
A successful run produces the following output:
After the certificate is copied to the Trusted Root Certification Authorities certificate store (the local machine’s root store, not the user store), you can view it through the Microsoft Management Console (MMC) Certificates snap-in, as described in Viewing Test Certificates.
The following screenshot shows the Contoso.com(Test) certificate in the Trusted Root Certification Authorities certificate store.
You can also view the certificate at the command prompt:
Or, from PowerShell:
The Certmgr.exe tool is part of the Windows SDK and is typically installed to C:\Program Files (x86)\Windows Kits\10\bin\ \x86\certmgr.exe.
For more information about CertMgr and its command-line arguments, see CertMgr.
For more information about how to install test certificates, see Installing a Test Certificate on a Test Computer.
Install certificates required for Visual Studio offline installation
Visual Studio is primarily designed to be installed on an internet-connected machine, since many components are updated regularly. However, with some extra steps, it’s possible to deploy Visual Studio in an environment where a working internet connection is unavailable.
The Visual Studio setup engine installs only content that is trusted. It does this by checking Authenticode signatures of the content being downloaded and verifying that all content is trusted before installing it. This keeps your environment safe from attacks where the download location is compromised. Visual Studio setup therefore requires that several standard Microsoft root and intermediate certificates are installed and up-to-date on a user’s machine. If the machine has been kept up to date with Windows Update, signing certificates usually are up to date. If the machine is connected to the internet, during installation Visual Studio may refresh certificates as necessary to verify file signatures. If the machine is offline, the certificates must be refreshed another way.
How to refresh certificates when offline
There are three options for installing or updating certificates in an offline environment.
Option 1 — Manually install certificates from a layout folder
When you create a network layout or a local offline cache, the necessary certificates are downloaded to the Certificates folder. You can then manually install the certificates by double-clicking each of the certificate files, and then clicking through the Certificate Manager wizard. If asked for a password, leave it blank.
Update: For Visual Studio 2017 version 15.8 Preview 2 or later, you can manually install the certificates by right-clicking each of the certificate files, selecting Install Certificate, and then clicking through the Certificate Manager wizard.
Option 2 — Distribute trusted root certificates in an enterprise environment
For enterprises with offline machines that do not have the latest root certificates, an administrator can use the instructions on the Configure Trusted Roots and Disallowed Certificates page to update them.
Option 3 — Install certificates as part of a scripted deployment of Visual Studio
If you are scripting the deployment of Visual Studio in an offline environment to client workstations, you should follow these steps:
Copy the Certificate Manager Tool (certmgr.exe) to the network layout or local cache installation location. Certmgr.exe is not included as part of Windows itself, but is available as part of the Windows SDK.
Create a batch file with the following commands:
Alternatively, create a batch file that uses certutil.exe, which ships with Windows, with the following commands:
Deploy the batch file to the client. This command should be run from an elevated process.
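As an added example (a PowerShell alternative, not the batch file from the original page), the script below imports the three layout certificates into the machine Trusted Root store only after checking each file against the root name this page lists for it. `$LayoutPath` and its default value are assumptions; run it from an elevated PowerShell session.

```powershell
#Requires -RunAsAdministrator
param([string]$LayoutPath = 'C:\VSLayout')   # hypothetical layout or cache location

# File name -> root CA name, as listed in the Certificates folder section of this page.
$expected = @{
    'manifestRootCertificate.cer'            = 'Microsoft Root Certificate Authority 2011'
    'manifestCounterSignRootCertificate.cer' = 'Microsoft Root Certificate Authority 2010'
    'vs_installer_opc.RootCertificate.cer'   = 'Microsoft Root Certificate Authority 2010'
}
$now = Get-Date

foreach ($name in $expected.Keys) {
    $file = Join-Path $LayoutPath "Certificates\$name"
    if (-not (Test-Path -LiteralPath $file)) { Write-Warning "Missing file: $file"; continue }

    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($file)
    $cn   = $cert.GetNameInfo('SimpleName', $false)

    # Refuse anything that is not the root this file is supposed to contain.
    if ($cn -ne $expected[$name]) {
        Write-Warning "$name holds '$cn', expected '$($expected[$name])'. Skipped."; continue
    }
    # A root certificate is self-issued; an intermediate or leaf does not belong in Root.
    if ($cert.Subject -ne $cert.Issuer) {
        Write-Warning "$name is not self-issued. Skipped."; continue
    }
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        Write-Warning "$name is outside its validity period. Skipped."; continue
    }

    # The Cert: provider addresses a certificate by thumbprint, so this detects an existing copy.
    if (Test-Path "Cert:\LocalMachine\Root\$($cert.Thumbprint)") {
        Write-Output "Already trusted: $cn ($($cert.Thumbprint))"
        continue
    }

    Import-Certificate -FilePath $file -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
    Write-Output "Installed: $cn ($($cert.Thumbprint))"
}
```

A matching name does not prove a certificate is genuine; compare the printed thumbprints with values obtained from a source your organization trusts before deploying the layout.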
What are the certificate files in the Certificates folder?
- manifestRootCertificate.cer contains:
  - Root certificate: Microsoft Root Certificate Authority 2011
- manifestCounterSignRootCertificate.cer and vs_installer_opc.RootCertificate.cer contain:
  - Root certificate: Microsoft Root Certificate Authority 2010
The Visual Studio Installer requires only the root certificates to be installed on the system. All of these certificates are required for Windows 7 Service Pack 1 systems that do not have the latest Windows Updates installed.
Why are the certificates from the Certificates folder not installed automatically?
When a signature is verified in an online environment, Windows APIs are used to download and add the certificates to the system. Verification that the certificate is trusted and allowed via administrative settings occurs during this process. This verification process cannot occur in most offline environments. Installing the certificates manually allows enterprise administrators to ensure the certificates are trusted and meet the security policy of their organization.
Checking if certificates are already installed
One way to check on the installing system is to follow these steps:
1. Run mmc.exe.
   a. Click File, and then select Add/Remove Snap-in.
   b. Double-click Certificates, select Computer account, and then click Next.
   c. Select Local computer, click Finish, and then click OK.
   d. Expand Certificates (Local Computer).
   e. Expand Trusted Root Certification Authorities, and then select Certificates.
      - Check this list for the necessary root certificates.
   f. Expand Intermediate Certification Authorities, and then select Certificates.
      - Check this list for the required intermediate certificates.
2. Click File, and then select Add/Remove Snap-in.
   a. Double-click Certificates, select My user account, click Finish, and then click OK.
   b. Expand Certificates – Current User.
   c. Expand Intermediate Certification Authorities, and then select Certificates.
      - Check this list for the required intermediate certificates.
If the certificate names are not in the Issued To columns, they must be installed. If an intermediate certificate is only in the Current User Intermediate Certificate store, then it is available only to the user that is logged in. You might need to install it for other users.
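The same check can be done without the MMC. The following added example (not from the original page) is a read-only PowerShell audit: it reports whether the two root names listed above are in the machine Trusted Root store, then lists certificates that exist only in the current user's Root and Intermediate stores. Including the user Root store goes slightly beyond the steps above and also covers the Lync procedure earlier on this page, where a root imported for the current user is moved to the local computer.

```powershell
# Root CA names required by the Visual Studio Installer, as listed on this page.
$rootNames = @(
    'Microsoft Root Certificate Authority 2010',
    'Microsoft Root Certificate Authority 2011'
)

# 1. Are the required roots in the machine-wide Trusted Root store?
$machineRoot = Get-ChildItem -Path Cert:\LocalMachine\Root
$rootReport = foreach ($name in $rootNames) {
    $hits = @($machineRoot | Where-Object { $_.GetNameInfo('SimpleName', $false) -eq $name })
    [pscustomobject]@{
        Root       = $name
        Installed  = $hits.Count -gt 0
        Thumbprint = ($hits | ForEach-Object Thumbprint) -join ', '
        NotAfter   = ($hits | Sort-Object NotAfter | Select-Object -Last 1).NotAfter
    }
}
$rootReport | Format-Table -AutoSize

# 2. Certificates present only for the logged-in user.
# The CurrentUser view also shows machine-wide entries, so those are
# subtracted by thumbprint to leave what other users will not see.
$userOnly = foreach ($store in 'Root', 'CA') {
    $machine = @(Get-ChildItem -Path "Cert:\LocalMachine\$store" | ForEach-Object Thumbprint)
    Get-ChildItem -Path "Cert:\CurrentUser\$store" |
        Where-Object { $machine -notcontains $_.Thumbprint } |
        Select-Object @{ n = 'Store'; e = { $store } }, Subject, Thumbprint, NotAfter
}
$userOnly | Format-Table -AutoSize
```

Any row in the second table is trusted only for the account that ran the script; a root that appears there should be reviewed before it is copied to the Local Computer store.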
Install Visual Studio
After you install the certificates on the client machine, then you are ready to install Visual Studio from the local cache, or deploy Visual Studio from the network layout share to the client machine.
Get support
Sometimes, things can go wrong. If your Visual Studio installation fails, see Troubleshoot Visual Studio installation and upgrade issues for step-by-step guidance.
We also offer an installation chat (English only) support option for installation-related issues.
Here are a few more support options:
- Report product issues to us via the Report a Problem tool that appears both in the Visual Studio Installer and in the Visual Studio IDE.
- Suggest a feature, track product issues, and find answers in the Visual Studio Developer Community.
- Use your GitHub account to talk to us and other Visual Studio developers in the Visual Studio conversation in the Gitter community.