Getting CSAIL certificates in Internet Explorer under Windows XP

The following step-by-step procedure will allow you to get CSAIL certificates in Microsoft Internet Explorer (version 6 or 7, although IE 7 is recommended) under Windows XP. Internet Explorer under Windows Vista and Windows 7 cannot obtain client certificates directly; a workaround is available for those operating systems.

  1. First, you will install the CSAIL Master CA certificate -- the cornerstone of the CSAIL certificate system, also known as the "authority certificate" -- in your browser. Download it from ca.csail.mit.edu/cacert/master.cer. This will pop up a security warning alert box, where you can safely click Open:
    security-warning.png
  2. Another dialog box will pop up immediately; it should look like the following. If it doesn't say "This CA Root certificate is not trusted", then you already have the Master CA certificate installed and can skip to step 4.
    not-trusted.png
  3. Click the Install Certificate... button at the bottom of the certificate dialog. This will open the "Certificate Import Wizard". Click Next all the way through the wizard; the default settings are all correct. At the end of the wizard, an alert box will pop up giving you one last chance to verify that you know what you are doing. It should look like the following. Once you have compared the thumbprint shown here to the one in the alert box, click *Yes.*
    security-warning-2.png
  4. Once you have installed the Master CA certificate, it's time to create your personal CSAIL certificate. Start by going to the certificate request page, https://ca.csail.mit.edu:1443/request?type=msenroll;ca=client. You will be prompted for your CSAIL Kerberos username and password. This is the same password you use to log in to CSAIL servers like login.csail.mit.edu and to Windows workstations that are joined to CSAIL's Active Directory domain. (Note: You should never, under any circumstances, give your CSAIL Kerberos password to any other Web site, no matter how official it looks.)
  5. If you see a yellow "Information Bar" like the following, click it and select Run ActiveX Control, then click Run. This will allow the internal components of Internet Explorer that actually generate your certificate to run.
    InfoBarCertEnrollment.png
  6. Having successfully logged in, you will be presented with a simple Web form. Click on the Generate key button at the bottom of the page. The following dialog will pop up; click *Yes.*
    genkey-warning.png
  7. When your key is finished generating, the "Generate key" button will grey out and the "Submit" button will be enabled. Click Submit to send your request to the CA. It will take a few seconds to check your request; when it is approved, you will see a new screen saying so, and another security dialog will pop up:
    enroll-warning.png
  8. Once you click Yes here, your new certificates will be installed in the Windows certificate store. Note that, unlike on other browsers, Internet Explorer does not request a security password to protect your private keys. This is because Windows uses your login password to encrypt all the private keys in your personal certificate file.
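The thumbprint comparison in step 3 and the check in step 8 can also be done from a PowerShell prompt. The following is an added example, not part of the original CSAIL page: it compares the downloaded master.cer against an expected thumbprint before adding it to the current user's Trusted Root store, then lists the personal certificates whose chain ends at that root. It uses only .NET X509 classes, which PowerShell 2.0 on Windows XP SP3 already has. The download path is an assumption, and the expected thumbprint is a placeholder; take the real value from the CSAIL CA's published fingerprint, not from this script.

```powershell
# Added example; not code from the CSAIL page.
$CertPath = "$env:USERPROFILE\Downloads\master.cer"              # assumed download location
$ExpectedThumbprint = "0000000000000000000000000000000000000000"  # PLACEHOLDER, replace with the published value

$ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

# The "Thumbprint" property is the SHA-1 hash of the DER encoding, the same value
# the certificate dialog shows. Compare case-insensitively and ignore any spaces
# copied from the dialog.
$actual   = $ca.Thumbprint.ToUpperInvariant()
$expected = ($ExpectedThumbprint -replace '\s', '').ToUpperInvariant()
if ($actual -ne $expected) {
    throw "Thumbprint mismatch: got $actual, expected $expected. Not trusting this certificate."
}

# Install into CurrentUser\Root only if it is not there yet. Windows pops up the
# same confirmation dialog as the wizard does in step 3.
$root = New-Object System.Security.Cryptography.X509Certificates.X509Store("Root", "CurrentUser")
$root.Open("ReadWrite")
if ($root.Certificates.Find("FindByThumbprint", $actual, $false).Count -eq 0) {
    $root.Add($ca)
    "Installed CSAIL Master CA ($actual) into CurrentUser\Root."
} else {
    "CSAIL Master CA already trusted; nothing to do."
}
$root.Close()

# After enrollment (steps 4-8): list personal certificates that chain to this root
# and confirm Windows holds a private key for them.
$my = New-Object System.Security.Cryptography.X509Certificates.X509Store("My", "CurrentUser")
$my.Open("ReadOnly")
foreach ($c in $my.Certificates) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = "NoCheck"   # we only want the issuer path here, not CRL status
    [void]$chain.Build($c)
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    if ($top.Thumbprint -eq $actual) {
        "{0}  expires {1}  private key present: {2}" -f $c.Subject, $c.NotAfter, $c.HasPrivateKey
    }
}
$my.Close()
```

If the last loop prints nothing after step 8, the enrollment did not land in your personal store; if it prints "private key present: False", the certificate was imported without its key and cannot be used for client authentication.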

Optional: verify proper certificate issuance

  1. At this point, you may open up Internet Explorer's certificates dialog to examine the certificate you have been issued. From the "Tools" menu, select "Internet Options" and then the "Content" tab. Click the button marked "Certificates" in the middle of the window:
    internet-options-content.PNG
  2. The certificate manager will automatically open up to your personal certificate file. Click on your new CSAIL certificate to select it; the display will look like this:
    personal-certificates.png
  3. You can click on "View" to see more information about your certificate. If all went well, the display should look something like this:
    personal-certifcate-view.png
  4. If you wish, you can click on "Issuer Statement" to see CSAIL's Certification Practices Statement. (What it says, in several dense pages of standardese, is that the CSAIL CA is for CSAIL users and servers only.) If you select the "Details" tab in the view dialog, and then click on "Properties", you can give the certificate a name and a description, as shown in the following picture. The "friendly name" will be shown in menus when you need to choose a certificate.
    certificate-properties.png

Optional: Make a backup copy of your certificate

Making a backup will allow you to import your certificate into other programs which don't use the Windows security libraries, copy your certificate to other machines, and recover from a corrupted certificate database. If all you need is to access secure Web sites, a backup is not strictly necessary, since you can just get another certificate. If you want to use your certificate to secure your electronic mail, however, you will need to use that same certificate everywhere, or your correspondents won't know which one is the right one to use.
  1. Go to Tools -> Internet Options -> Content -> Certificates. To make your backup, select your certificate from the list and click on "Export". This will start the "Certificate Export Wizard". Almost all of the options are straightforward, but you will need to make the following changes to the default settings. First, tell the wizard that you want to export your private key:
    yes-export-private-key.png
  2. Second, tell the wizard that you want to include all the certificates in the certification path:
    yes-include-full-cert-path.png
  3. Finish the wizard, making sure to supply a good password to encrypt the private key (remember, anyone who gets your private key can impersonate you), and save the file some place that gets backed up regularly, like your AFS home directory.
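The three choices the Export Wizard asks for (export the private key, include the whole certification path, protect the file with a password) can be scripted as well. The following is an added example, not part of the original CSAIL page: it selects your certificate by the friendly name you gave it in the verification section, bundles the full chain, writes a password-protected PFX, and reads the file back to confirm it is usable. The friendly name "CSAIL personal" and the output path are assumptions; the export of the private key only works if the key was marked exportable when it was generated, which is the case whenever the wizard offers you the choice above.

```powershell
# Added example; not code from the CSAIL page.
$FriendlyName = "CSAIL personal"                      # assumed: the friendly name you set earlier
$OutFile      = "$env:USERPROFILE\csail-backup.pfx"   # assumed; copy it to a backed-up place such as AFS afterwards

# Locate the certificate in the personal store (the store the Certificates dialog opens on).
$my = New-Object System.Security.Cryptography.X509Certificates.X509Store("My", "CurrentUser")
$my.Open("ReadOnly")
$cert = @($my.Certificates | Where-Object { $_.FriendlyName -eq $FriendlyName -and $_.HasPrivateKey })
$my.Close()
if ($cert.Count -eq 0) { throw "No certificate with friendly name '$FriendlyName' and a private key found." }
if ($cert.Count -gt 1) { throw "More than one certificate matches; select by thumbprint instead." }
$cert = $cert[0]

# Build the certification path, as the wizard's "include all certificates" option does.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = "NoCheck"   # revocation state is irrelevant for a backup
if (-not $chain.Build($cert)) {
    Write-Warning ("Chain did not build cleanly: " + (($chain.ChainStatus | ForEach-Object { $_.StatusInformation }) -join "; "))
}

$bundle = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
[void]$bundle.Add($cert)                       # end-entity certificate, carries the private key
foreach ($el in $chain.ChainElements) {
    if ($el.Certificate.Thumbprint -ne $cert.Thumbprint) { [void]$bundle.Add($el.Certificate) }
}

# The password encrypts the private key inside the PFX. Prompt for it rather than
# embedding it, and release the plaintext copy as soon as the export is done.
$secure = Read-Host -AsSecureString "Password to protect the exported private key"
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try {
    $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
    $bytes = $bundle.Export("Pfx", $plain)    # throws if the private key is not exportable
    [IO.File]::WriteAllBytes($OutFile, $bytes)

    # Read the file back with the same password to prove the backup is recoverable.
    $check = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
    $check.Import($OutFile, $plain, "DefaultKeySet")
    $withKey = @($check | Where-Object { $_.HasPrivateKey }).Count
    "Wrote $OutFile: $($check.Count) certificates, $withKey with private key."
} finally {
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    $plain = $null
}
```

The read-back should report exactly one certificate with a private key (yours) plus the CA certificates in the path; if it reports zero with a private key, the file will not let another machine or mail client impersonate you, which is exactly what makes it useless as a backup.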

-- GarrettWollman - 20 Dec 2005
-- ArthurProkosch - 20 Feb 2009