How to import a device certificate in Windows Server 2019

In this article, we will demonstrate how to import a certificate for your server running Windows 2019 Server. Such certificate can be used later for the different purposes. This newly imported certificate will be used to identify our server during any secured communication.

Let’s begin!It is very important to place each certificate in the proper store, either for the current user or local machine. The appropriate place depends on the usage scenario. Otherwise, such certificate can be invisible for your application or service.

A word of caution. Check your local laws and regulations relating to security, cryptography, etc. In some countries, using the OpenSSL package, certificates or cryptography can be against the law. In such case, you must stop reading this article and you should not follow any instruction mentioned here. It is solely within your responsibility.

There are similarities with the import process for the Root CA certificate, yet we have here the different certificate format and process. The Root CA certificate is always the single file in the PEM (or sometimes DER) format. You can open it with Notepad or any other text editor. Additionally, you can import it directly on your machine.

In the other hand, the device certificate for the Windows machine must be provided in the PFX format (a.k.a. PKCS#12 format). That format is actually a container that encapsulates all certificates in the chain and also provides the private key for the device’s certificate.

This is the significant difference between MikroTik RouterOS and other OSes, Windows in this case. In RouterOS, you can import the key independently to the certificate, yet Windows (but also Android or Apple iOS) requires all those files to be encapsulated in the single container. Bear in mind that specific software (like FileZilla Server or hMail server) still can be programmed to use separate certificate and key files, similar to many Linux based applications (for instance, the Apache Web server).

Importing the certificate

I will assume that you already have the device’s certificate in PFX format on your machine. Additionally, you should have the administrative access to your computer. In case that you need the certificate, please follow instructions from my previous posts.

  1. We need to download the device certificate as the PFX file (here named somewhere on our machine. I placed mine on the desktop, yet any folder will be fine.
  2. Right-click on that file and choose the option named Install PFX:
  3. The Import Certificate Wizard will start. We will choose here the option named Local Machine.
    Bear in mind that the correct store location depends on the intended usage scenario.
    If you need such certificate to confirm the identity of any Web server from your browser, then you need to place it in your User store. Yup, you need to install it for each User independently.
    For VPNs and other services running on the machine level, you will need the Local Machine store.
  4. The next step is to choose (or confirm) the source file which we will use in this process. As the correct file is already selected, we will just click on [ Next ].
  5. Here’s the first difference. The PFX file is password protected and you need to specify it. Otherwise, you can’t use that certificate.
    The password will be hidden, although you can reveal it if you need so. When you enter the password, just click on [ Next ].
    In case that you provide the incorrect password, you will be stopped here.
  6. On the next screen, we need to choose where Wizard will place this certificate. Always choose the selected option named Automatically select the certificate store based on the type of certificate
    If you compare this process with the other one for the Root CA certificate, you will see that this step is opposite. As I already explained, the PFX file is actually container with the device’s certificate and corresponding private key, the Root CA certificate and each Subordinate CA certificate, if they exist.
  7. The final window will appear, where you can overview once more all choices. When you’re happy, click on the button [ Finish ].
  8. After a few seconds, the pop up message will appear on the screen. Our certificate is imported.
  9. Now, click on the button [ OK ] and close this dialog window.

Congratulations! Our certificates are ready to be used.

Checking certificates with the GUI tool

We can open the Certificate Manager GUI to find our new certificate inside the Personal certificates:

Only those certificates enlisted here can be used for the different services, like a VPN, Web or SMTP server. Please, pay attention on the column named Issued By. There is the name of the Certificate Authority which issued this certificate.

Therefore, we also need the Root CA certificate and it’s must be enlisted under the Trusted Root Certificates:


I’m happy! All certificates are in place. We can now progress to the next step – to use this certificate with any service we need, like SSTP VPN or TLS in the IIS SMTP service.

Stay tuned.


One thought on “How to import a device certificate in Windows Server 2019

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.