How-To: Trust a Root Certificate in Windows and macOS

As mentioned in the CA overview, for a CA to be trusted by an organization it has to be added to the trusted root store of all of the organization's devices. Follow these steps to trust a new root CA.

Overview - How To Install a Root CA in Windows

This guide shows how to install the root CA certificate in the Windows certificate root store.

Getting the Root CA Certificate from EZCA

  1. Go to https://portal.ezca.io/
  2. Navigate to Certificate Authorities.
  3. Click the “View Details” button for the CA you want to download the certificate from.
  4. Click the “Download Certificate” button for the location that you want to download the certificate from.

Installing Certificate Through Intune

MDM solutions are usually the preferred way for IT admins to install internal root CAs as a trusted authority on all corporate devices. To do this in Microsoft Intune, follow this guide.

How To Trust The Root Certificate In Windows

How To Trust a Root CA in Windows - Video Version

In Windows, root CAs can be added to two different stores: the User store (only for the current user) and the Local store (for all users; requires administrator permissions).

Installing The Root CA Certificate In The User Store

  1. Search in the Windows search bar for “Manage user certificates”.
  2. Click on the application.
  3. Select the “Trusted Root Certification Authorities” folder.
  4. Select the “Certificates” folder.
  5. Right-click on any whitespace.
  6. Select All Tasks -> Import.
  7. Click “Next” on the first page of the wizard.
  8. Click the “Browse…” button.
  9. Select the root certificate you are trying to import.
  10. Click “Next”.
  11. Click “Next”.
  12. Click “Finish”. Certificates issued by this CA will now be trusted by your user.

Installing In The Local Store

  1. Search in the Windows search bar for “Manage computer certificates”.
  2. Click on the application.
  3. Select the “Trusted Root Certification Authorities” folder.
  4. Select the “Certificates” folder.
  5. Right-click on any whitespace.
  6. Select All Tasks -> Import.
  7. Click “Next” on the first page of the wizard.
  8. Click the “Browse…” button.
  9. Select the root certificate you are trying to import.
  10. Click “Next”.
  11. Click “Next”.
  12. Click “Finish”. Certificates issued by this CA will now be trusted by all users on this machine.
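
A scripted equivalent of the two import procedures above, as an added example that is not part of the original guide: it checks that the downloaded file is a self-issued CA certificate whose SHA-256 fingerprint matches a value you obtained over a separate channel, then imports it with `Import-Certificate` and confirms it is in the store. The parameters `$CertPath`, `$ExpectedSha256` and `$Scope` are assumptions of this example.

```powershell
# Added example (not from the original guide). Run in Windows PowerShell 5.1 or later.
param(
    [Parameter(Mandatory)] [string] $CertPath,        # downloaded root CA file (placeholder)
    [Parameter(Mandatory)] [string] $ExpectedSha256,  # fingerprint obtained out-of-band
    [ValidateSet('CurrentUser', 'LocalMachine')] [string] $Scope = 'CurrentUser'
)
$ErrorActionPreference = 'Stop'

$path = (Resolve-Path -LiteralPath $CertPath).Path
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($path)

# 1. Fingerprint check: SHA-256 over the DER encoding, compared as bare hex.
$sha    = [System.Security.Cryptography.SHA256]::Create()
$actual = [System.BitConverter]::ToString($sha.ComputeHash($cert.RawData)) -replace '-', ''
$wanted = ($ExpectedSha256 -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($actual -ne $wanted) {
    throw "Fingerprint mismatch: file has $actual, expected $wanted"
}

# 2. A root CA is self-issued (subject equals issuer) and carries basicConstraints CA=TRUE.
if ($cert.Subject -ne $cert.Issuer) {
    throw "Not a root: subject '$($cert.Subject)' differs from issuer '$($cert.Issuer)'"
}
$bc = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
if (-not $bc -or -not $bc.CertificateAuthority) {
    throw 'Certificate is not marked as a CA (basicConstraints)'
}

# 3. The machine-wide store needs an elevated session.
if ($Scope -eq 'LocalMachine') {
    $me = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
    if (-not $me.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run from an elevated PowerShell to import into LocalMachine\Root'
    }
}

# 4. Import into Trusted Root Certification Authorities and confirm it landed.
Import-Certificate -FilePath $path -CertStoreLocation "Cert:\$Scope\Root" | Out-Null
$installed = Get-ChildItem -Path "Cert:\$Scope\Root" |
    Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
if (-not $installed) { throw 'Import reported success but the certificate is not in the store' }
"Trusted $($cert.Subject) in $Scope\Root (SHA-256 $actual)"
```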

Installing Root Certificate In MacOS

  1. Search for and open “Keychain Access”.
  2. On the left menu, click on System.
  3. On the top menu, click File -> Import Items.
  4. Select the certificate you want to import.
  5. Enter your admin password.
  6. This will add the certificate, but it will not yet be trusted by the system.
  7. Double-click the certificate in the certificate list.
  8. A window with the certificate details will open.
  9. Expand the Trust menu.
  10. Change “When using this certificate:” to “Always Trust”.
  11. Close the window with the certificate details.
  12. Enter your admin password.
  13. Your certificate is now trusted (you might have to reboot for all changes to take effect).