Microsoft KB Archive/179380

= How to Remove, Import, and Export Digital Certificates =

Article ID: 179380

Article Last Modified on 12/5/2003

-

APPLIES TO


 * Microsoft Outlook Express 4.01
 * Microsoft Outlook Express 4.0
 * Microsoft Outlook Express 4.01
 * Microsoft Outlook Express 4.0
 * Microsoft Internet Explorer 4.01 128-Bit Edition
 * Microsoft Internet Explorer 4.0 128-Bit Edition
 * Microsoft Internet Explorer 4.01 128-Bit Edition
 * Microsoft Internet Explorer 4.0 128-Bit Edition

-



This article was previously published under Q179380



IMPORTANT: This article contains information about editing the registry. Before you edit the registry, make sure you understand how to restore it if a problem occurs. For information about how to do this, view the "Restoring the Registry" Help topic in Regedit.exe or the "Restoring a Registry Key" Help topic in Regedt32.exe.



SUMMARY
This article describes how to remove, export and import digital certificates in Internet Explorer and Outlook Express.



MORE INFORMATION
Digital certificates, referred to as digital IDs in Outlook Express, are digitally signed statements that bind an encrypted key pair to a user's identity. This key can be used to sign and encrypt digital information. You can use digital certificates to verify that another person has the right to use a given identity.

A digital certificate is signed by the Certification Authority that issued the certificate. A Certification Authority is a company responsible for issuing digital IDs and continuously verifying that digital IDs are still valid. The digital certificate is composed of a public key, a private key, and other identity information. The digital certificate may also include your e-mail address so that Outlook Express can use it to send digitally signed e-mail. While a private key associated with a certificate can be marked as "not exportable," most certificates and their associated private keys can be moved from one computer to another if you follow the instructions described in the "Exporting Digital Certificates" and "Importing Digital Certificates" sections later in this article.

You can attach multiple digital certificates to a message or transaction, forming a certification chain where each certificate proves the authenticity of the previous certificate. The top-level Certification Authority must be independently known and trusted by the recipient.

When you install a digital certificate in a Web browser, it functions as electronic credentials that can be used by secure Web sites. This enables digital certificates to be used in place of password dialog boxes, services that require membership, or services that restrict access to particular users.

Outlook Express supports Secure/Multipurpose Internet Mail Extensions (S/MIME) technology. Secure e-mail in Outlook Express protects your Internet communications using the following methods:


 * Digital signatures
 * Encryption

Digitally signing your e-mail message with a unique ID assures the person who receives the message that you are the true sender of the message, and that the message was not altered in transit. Encrypting mail that you send ensures that no one except the intended recipient can read the contents of the message while it is in transit. When you send your digital ID to others, you are actually giving them your public key. In order for another person to send you encrypted mail they must have your public key. When another person sends you e-mail that includes your public key, only you can read the message because your private key is required to decrypt it.

Internet Explorer stores digital certificates in the registry. Outlook Express uses these digital certificates to digitally sign and encrypt secure e-mail

Because Outlook Express can manage multiple e-mail accounts, you can have a digital certificate associated with each of your e-mail accounts. The registry keys that contain the entries for your digital certificates do not contain any information about the Web address with which it is associated. For this reason, if you have multiple e-mail accounts for which you have obtained a digital certificate, you should export the digital certificate before you remove it.

Exporting Digital Certificates
NOTE: Once a Personal Certificate has been acquired, you should export the certificate to a safe place. If your PWL file becomes damaged or missing, the certificate will not be available for use and an error will occur when you try to send e-mail. For more information about this issue, see the following article in the Microsoft Knowledge Base:

190296 Unable to Use Personal Certificates in Outlook Express

To export digital certificates, follow these steps:


 * 1) Click Start, point to Settings, click Control Panel, and then double- click Internet.
 * 2) On the Content tab, click Personal, click a certificate you want to export, and then click Export.
 * 3) If necessary, type the file name and password to encrypt, confirm the password, and then click OK. The file name should have a .pfx extension. By default, the file is saved to the My Documents folder if it exists. If the My Documents folder does not exist, the file is saved to the Windows folder.

NOTE: You may be prompted multiple times for the password.

Removing Digital Certificates
When a digital certificate is removed, any e-mail that is encrypted with the associated digital ID is no longer readable. This includes e-mail that you received before you removed the digital certificate, as well as e-mail you receive after you remove the digital certificate. The e-mail is encrypted using your public key, and because the digital certificate has been removed, you no longer have the private key needed to decrypt it. To read this e-mail again, you must import the digital certificate back into Internet Explorer, and then enabled it in Outlook Express. There is no method of exporting encrypted e-mail to an unencrypted format. If you receive any encrypted mail that you must be able to access, make sure you have successfully exported the digital certificate before you remove it. You may also be unable to view any Web sites that require client authentication based on that digital certificate until you either import it again, or generate another digital certificate to use for that Web site.

For these reasons, Microsoft does not recommend removing digital certificates. You should keep the current digital certificate and obtain a new one for a new e-mail account or Web site that requires one. However, if this is not possible, and a digital certificate must be removed due to incorrect operation or for troubleshooting purposes, follow these steps:

WARNING: Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk.

For information about how to edit the registry, view the "Changing Keys And Values" Help topic in Registry Editor (Regedit.exe) or the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe. Note that you should back up the registry before you edit it.

Delete all the folders under the following registry key, and then restart your computer: HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\My\Certificates When you remove the digital certificate from Internet Explorer, the associated digital ID is removed from Outlook Express.

Importing Digital Certificates
To import digital certificates that you previously exported, follow these steps:


 * 1) Click Start, point to Settings, click Control Panel, and then double- click Internet.
 * 2) On the Content tab, click Personal, and then click Import.
 * 3) In the Password box, type your password.

NOTE: You may be prompted multiple times for your password.
 * 1) In the Certificate File To Import box, type the filename of the certificate you want to import, and then click OK.
 * 2) Click Close, and then click OK.

