Didier Stevens

Sunday 31 October 2010

Quickpost: Adding Certificates to the Certificate Store

Filed under: Encryption,Quickpost — Didier Stevens @ 13:31

A couple of people asked me how to get self-signed certificates recognized by Windows.

For example, when you check the digital signature of one of my programs (like ariad.exe), you’ll see this:

The digital signature is valid, but the root certificate used in the signature is not trusted. This is because this root certificate is not installed in the repository of trusted root certificates. I’ll show you how to achieve this, but understand that by installing a new root certificate, you automatically trust all signatures and subordinate certificates issued by this root certificate authority.

The first 2 methods I’ll present add the new root certificate to your own certificate repository (i.e. the one associated with your account). This means that under other user accounts, the new root certificate will not be trusted. The third method explains how to add the new root certificate to the computer’s repository, so that it is trusted by all users.

Say you’ve a root certificate, like one created using this method. Here’s how to install it in your account’s “Trusted Root Certificate Authorities” certificate store:

And from now on, all executables signed by this root certificate authority (or it’s subordinate authorities) are trusted:

As the root certificate we used in this example is good for all purposes, and because your certificate store also integrates with Internet Explorer, SSL certificates issued by this certificate authority will also be trusted by Internet Explorer.

If you don’t have the root certificate to install, you can also get it installed from the AuthentiCode signature like this:

And from here on, you follow the same steps as in the first method;

If you want to install certificates for all users, you’ll need to follow another method. But because this other method requires a certificate file, I’ll show you how to extract a certificate file from an AuthentiCode signature:

Follow the second method to view the root certificate, but instead of installing the certificate, look at the Details tab and export the certificate:

To install a root certificate for all users, you’ll need to start the Microsoft Management Console (mmc.exe) as an administrator:

And now you can import the root certificate following the same steps as in the first method:


  1. Thanks Didier Stevens for clear and detailed instructions 🙂

    Comment by Romeo29 — Sunday 31 October 2010 @ 23:51

  2. Thanks. I’m a Linux guy trying to help a Windows admin and your post did the trick.

    Comment by Anonymous — Wednesday 2 May 2012 @ 19:04

  3. Hi Didier Stevens,

    could you please tell any commandline tool which can be used to extract/export digital certificate from PE signed file in .cer format

    thanks in advance,

    Comment by vikas — Friday 31 January 2014 @ 18:32

  4. @vikas Don’t know such a tool. Maybe it would work with my disitool and then openssl.

    Comment by Didier Stevens — Sunday 2 February 2014 @ 16:49

  5. Thanks for your post.

    Comment by Anonymous — Saturday 5 August 2017 @ 8:30

RSS feed for comments on this post. TrackBack URI

Leave a Reply (comments are moderated)

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Blog at WordPress.com.

%d bloggers like this: