How to Remove, Import, and Export Digital Certificates

Last reviewed: February 3, 1998
Article ID: Q179380
The information in this article applies to:
  • Microsoft Internet Explorer versions 4.0, 4.01 for Windows 95
  • Microsoft Internet Explorer versions 4.0, 4.01 for Windows NT 4.0
  • Microsoft Outlook Express versions 4.0, 4.01 for Windows 95
  • Microsoft Outlook Express versions 4.0, 4.01 for Windows NT 4.0

IMPORTANT: This article contains information about editing the registry. Before you edit the registry, make sure you understand how to restore it if a problem occurs. For information about how to do this, view the "Restoring the Registry" Help topic in Regedit.exe or the "Restoring a Registry Key" Help topic in Regedt32.exe.

SUMMARY

This article describes how to remove, export and import digital certificates in Internet Explorer and Outlook Express.

MORE INFORMATION

Digital certificates, referred to as digital IDs in Outlook Express, are digitally signed statements that bind an encrypted key pair to a user's identity. This key pair can be used to sign and encrypt digital information. You can use digital certificates to verify that another person has the right to use a given identity.

A digital certificate is signed by the Certification Authority that issued the certificate. A Certification Authority is a company responsible for issuing digital IDs and continuously verifying that digital IDs are still valid. The digital certificate is composed of a public key, a private key, and other identity information. This information may include the version of the Web browser, the operating system and the version of the operating system. The digital certificate may also include your e-mail address so that Outlook Express can use it as a digital ID. Depending on the information bound to the digital certificate by the Certification Authority, it may not be possible to use the digital certificate after you upgrade the operating system or the Web browser, or to use the digital certificate on a different computer.

You can attach multiple digital certificates to a message or transaction, forming a certification chain where each certificate proves the authenticity of the previous certificate. The top-level Certification Authority must be independently known and trusted by the recipient.

When you install a digital certificate in a Web browser, it functions as electronic credentials that can be used by secure Web sites. This enables digital certificates to be used in place of password dialog boxes, services that require membership, or services that restrict access to particular users.

Outlook Express supports Secure/Multipurpose Internet Mail Extensions (S/MIME) technology. Secure e-mail in Outlook Express protects your Internet communications using the following methods:

  • Digital signatures
  • Encryption

Digitally signing your e-mail message with a unique ID assures the person who receives the message that you are the true sender of the message, and that the message was not altered in transit. Encrypting mail that you send ensures that no one except the intended recipient can read the contents of the message while it is in transit. When you send your digital ID to others, you are actually giving them your public key. In order for another person to send you encrypted mail, they must have your public key. When another person sends you e-mail that is encrypted with your public key, only you can read the message because your private key is required to decrypt it.

Internet Explorer stores digital certificates in the registry. Outlook Express uses these digital certificates to digitally sign and encrypt secure e-mail.

Because Outlook Express can manage multiple e-mail accounts, you can have a digital certificate associated with each of your e-mail accounts. The registry keys that contain the entries for your digital certificates do not contain any information about the Web address with which each certificate is associated. For this reason, if you have multiple e-mail accounts for which you have obtained a digital certificate, you should export the digital certificate before you remove it.

Exporting Digital Certificates

To export digital certificates, follow these steps:

  1. Click Start, point to Settings, click Control Panel, and then double-click Internet.

  2. On the Content tab, click Personal, click a certificate you want to export, and then click Export.

  3. If necessary, type the file name and password to encrypt, confirm the password, and then click OK. The file name should have a .pfx extension. By default, the file is saved to the My Documents folder if it exists. If the My Documents folder does not exist, the file is saved to the Windows folder.

Removing Digital Certificates

When a digital certificate is removed, any e-mail that is encrypted with the associated digital ID is no longer readable. This includes e-mail that you received before you removed the digital certificate, as well as e-mail you receive after you remove the digital certificate. The e-mail is encrypted using your public key, and because the digital certificate has been removed, you no longer have the private key needed to decrypt it. To read this e-mail again, you must import the digital certificate back into Internet Explorer, and then enable it in Outlook Express. There is no method of exporting encrypted e-mail to an unencrypted format. If you receive any encrypted mail that you must be able to access, make sure you have successfully exported the digital certificate before you remove it. You may also be unable to view any Web sites that require client authentication based on that digital certificate until you either import it again, or generate another digital certificate to use for that Web site.

For these reasons, Microsoft does not recommend removing digital certificates. You should keep the current digital certificate and obtain a new one for a new e-mail account or Web site that requires one. However, if this is not possible, and a digital certificate must be removed due to incorrect operation or for troubleshooting purposes, follow these steps:

WARNING: Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk.

For information about how to edit the registry, view the "Changing Keys And Values" Help topic in Registry Editor (Regedit.exe) or the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe. Note that you should back up the registry before you edit it.

Delete all the folders under the following registry key, and then restart your computer:

      HKEY_Current_User\Software\Microsoft\SystemCertificates\My\Certificates

When you remove the digital certificate from Internet Explorer, the associated digital ID is removed from Outlook Express.
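
The removal step above, scripted so that it runs only after the export has been verified and the registry key backed up. This is an added example, not part of the original article; it assumes PowerShell on a current Windows release where the same per-user registry key exists, and the .pfx and .reg file names are hypothetical.

```powershell
# Added example: run the article's removal step only after both backups exist.
# Assumptions (not from the article): PowerShell on a current Windows release;
# the .pfx and .reg file names below are hypothetical.
$ErrorActionPreference = 'Stop'
$StoreKey  = 'HKCU:\Software\Microsoft\SystemCertificates\My\Certificates'
$PfxPath   = Join-Path $env:USERPROFILE 'Documents\my-digital-id.pfx'    # hypothetical
$RegBackup = Join-Path $env:USERPROFILE 'Documents\my-cert-store.reg'    # hypothetical
$Remove    = $false   # set to $true only after reviewing the dry-run output

# 1. The exported .pfx from the "Exporting Digital Certificates" steps must exist.
if (-not (Test-Path -LiteralPath $PfxPath -PathType Leaf)) {
    throw "No exported certificate at $PfxPath. Export it before removing anything."
}

# 2. The .pfx must open with its password and contain the private key; without
#    that key, mail encrypted to this digital ID cannot be read after removal.
$password = Read-Host -AsSecureString 'Password used when exporting the .pfx'
$pfx = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($PfxPath, $password)
try {
    if (-not $pfx.HasPrivateKey) { throw "The .pfx at $PfxPath has no private key." }
    "Verified export: $($pfx.Subject), expires $($pfx.NotAfter)"
} finally {
    $pfx.Reset()   # release the loaded certificate and key handle
}

# 3. Back up the registry key itself (reg.exe takes the path without the "HKCU:" drive form).
& reg.exe export 'HKCU\Software\Microsoft\SystemCertificates\My\Certificates' $RegBackup /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Registry backup to $RegBackup failed." }

# 4. List what would be deleted, then delete (dry run unless $Remove is $true).
$entries = @(Get-ChildItem -LiteralPath $StoreKey)
"Subkeys under the store key: $($entries.Count)"
$entries | ForEach-Object { "  $($_.PSChildName)" }
$entries | Remove-Item -Recurse -WhatIf:(-not $Remove)

# 5. The article's procedure ends with a restart after the deletion.
if ($Remove) { 'Subkeys removed. Restart the computer to complete the procedure.' }
```

With $Remove left at $false the script only reports what it would delete. On current Windows the .reg backup restores the store entries only, so the verified .pfx remains the copy that carries the private key.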

Importing Digital Certificates

To import digital certificates that you previously exported, follow these steps:

  1. Click Start, point to Settings, click Control Panel, and then double-click Internet.

  2. On the Content tab, click Personal, and then click Import.

  3. In the Password box, type your password.

  4. In the Certificate File To Import box, type the filename of the certificate you want to import, and then click OK.

  5. Click Close, and then click OK.

REFERENCES

For information about how to use a digital ID in Outlook Express, please see the following article in the Microsoft Knowledge Base:

   ARTICLE-ID: Q168726
   TITLE     : How to Digitally Sign and Encrypt Messages in Outlook Express

For additional information about digital certificates and digital IDs, in Internet Explorer, click Contents And Index on the Help menu, click the Index tab, type "personal certificates" (without quotation marks), and then click Display. In Outlook Express, click Contents And Index on the Help menu, click "creating and sending email messages," and then click "what are secure messages."

For information about security, visit the following Microsoft Web site:

   http://www.microsoft.com/Security/


Additional query words: 4.00
Keywords : msient msiew95 outexnt outexw95
Version : WINDOWS:4.0,4.01
Platform : WINDOWS
Issue type : kbhowto


THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

© 1998 Microsoft Corporation. All rights reserved.