1
00:00:08,140 --> 00:00:11,640
So, I've completed my certificate submission to DigiCert.

2
00:00:11,640 --> 00:00:15,340
I went through the entire process of ordering the certificate, proving I

3
00:00:15,340 --> 00:00:18,330
own the domain, paying for the certificate, and so forth.

4
00:00:18,330 --> 00:00:22,480
And they've approved my certificate request, signed it, and sent it back to me.

5
00:00:22,480 --> 00:00:26,850
So in this case, they returned two certificates. There's a DigiCertCA

6
00:00:26,850 --> 00:00:30,840
certificate, which is an intermediate CA certificate or a subordinate CA

7
00:00:30,840 --> 00:00:34,630
certificate, as well as my end entity certificate or the certificate that

8
00:00:34,630 --> 00:00:37,090
I actually requested them to sign.

9
00:00:37,090 --> 00:00:40,250
So before we import this certificate, we will need to

10
00:00:40,250 --> 00:00:43,450
import the issuing CA certificate.

11
00:00:43,450 --> 00:00:46,860
So once again, we'll go back to the Local Computer certificate

12
00:00:46,860 --> 00:00:51,270
store. And here I want to expand Intermediate Certification

13
00:00:51,270 --> 00:00:55,960
Authorities and then highlight Certificates.

14
00:00:55,960 --> 00:00:58,990
And then here I'm just going to right‑click, choose All Tasks,

15
00:00:58,990 --> 00:01:02,340
Import, choose Next.

16
00:01:02,340 --> 00:01:07,870
And I'm going to specify the name of that intermediate CA file. So click OK,

17
00:01:07,870 --> 00:01:17,840
and Next, and then Next again and Finish, and then click OK.

18
00:01:17,840 --> 00:01:21,640
And now we'll see our intermediate certificate in the store. And at this

19
00:01:21,640 --> 00:01:25,150
point, we're ready to import the certificate that we got back, the actual

20
00:01:25,150 --> 00:01:27,230
end entity certificate that we requested.

21
00:01:27,230 --> 00:01:31,440
So once again, we'll right‑click All Tasks, Import,

22
00:01:31,440 --> 00:01:33,240
choose Next,

23
00:01:33,240 --> 00:01:38,010
choose Browse, and we'll select our end entity certificate.

24
00:01:38,010 --> 00:01:42,680
Click Next, and Personal store is fine, so we'll choose Next

25
00:01:42,680 --> 00:01:50,240
and Finish, and then click OK.

26
00:01:50,240 --> 00:01:53,390
And now you'll see that we have a second certificate

27
00:01:53,390 --> 00:01:55,740
in the store issued by GeoTrust,

28
00:01:55,740 --> 00:02:00,180
which in this case is my DigiCert CA. So let's double‑click on that.

29
00:02:00,180 --> 00:02:03,620
And the first thing you'll notice here is that I have a private

30
00:02:03,620 --> 00:02:06,440
key that corresponds to this certificate.

31
00:02:06,440 --> 00:02:09,360
Fantastic, so let's click OK.

32
00:02:09,360 --> 00:02:10,470
And at this point,

33
00:02:10,470 --> 00:02:13,520
if I wanted to archive this certificate or I had multiple

34
00:02:13,520 --> 00:02:17,200
servers and I wanted to export it, then I would just simply

35
00:02:17,200 --> 00:02:22,740
right‑click, choose All Tasks, Export, Next.

36
00:02:22,740 --> 00:02:23,400
Yes,

37
00:02:23,400 --> 00:02:27,970
export the private key because I stipulated as a part of my

38
00:02:27,970 --> 00:02:30,270
request that I wanted to make the key exportable.

39
00:02:30,270 --> 00:02:31,970
If you do not see this option,

40
00:02:31,970 --> 00:02:34,090
it means that you missed that step, and you might have

41
00:02:34,090 --> 00:02:35,790
to go back and repeat this process.

42
00:02:35,790 --> 00:02:42,060
So I'm going to choose Next, and then we'll select PKCS #12,

43
00:02:42,060 --> 00:02:44,320
which is .PFX file format.

44
00:02:44,320 --> 00:02:46,880
You can choose to include all certificates.

45
00:02:46,880 --> 00:02:51,240
This would mean the root and intermediate CA certificates as well.

46
00:02:51,240 --> 00:03:03,240
So we'll choose Next, and we'll supply a super secret password for this file.

47
00:03:03,240 --> 00:03:07,060
And I typically leave the Encryption set to TripleDES‑SHA1.

48
00:03:07,060 --> 00:03:10,440
It may sound counterintuitive from a security perspective,

49
00:03:10,440 --> 00:03:12,690
but this gives you the most compatibility.

50
00:03:12,690 --> 00:03:15,860
It means you could install it on a number of different servers

51
00:03:15,860 --> 00:03:17,860
without having to worry about compatibility.

52
00:03:17,860 --> 00:03:19,990
However, if you're installing this on, you know,

53
00:03:19,990 --> 00:03:25,400
all Windows Server 2022 servers, you most certainly could choose AES256.

54
00:03:25,400 --> 00:03:28,430
I usually leave it set here, again, for backwards compatibility.

55
00:03:28,430 --> 00:03:31,380
So I'll choose Next, and we'll save this out to the

56
00:03:31,380 --> 00:03:41,760
desktop. And we'll click through and click OK.

57
00:03:41,760 --> 00:03:48,750
And at that point, this certificate is now a PFX file, so it's a PKCS #12 format,

58
00:03:48,750 --> 00:03:52,880
so it has the certificate along with the public key and the private key.

59
00:03:52,880 --> 00:03:58,230
I could use this to install on additional VPN servers or importantly,

60
00:03:58,230 --> 00:04:02,810
I could archive this again securely and safely and make sure that it's

61
00:04:02,810 --> 00:04:05,630
there in the event of a disaster recovery scenario,

62
00:04:05,630 --> 00:04:07,120
I need to rebuild the server, I don't have to go through

63
00:04:07,120 --> 00:04:14,000
this whole process again. I can just simply bring the certificate back and import it.