DEV Community

Dima Stopel
Dima Stopel

Posted on • Originally published at cert-depot.com

How to Trust a Self-Signed Certificate on Windows

#ssl #tls #tutorial #security

Originally published on cert-depot.com. Free, open-source self-signed certificate generator — no signup, keys never stored.

How to Trust a Self-Signed Certificate on Windows

Add your certificate to the Windows Trusted Root store — the GUI and PowerShell ways.

Windows maintains certificate stores for both the current user and the local machine. For a certificate to be trusted system-wide, install it into Local Machine › Trusted Root Certification Authorities.

Method 1: Double-click (easiest)

  • Rename your certificate to .crt if it's .pem (Windows recognizes both, but .crt triggers the install dialog on double-click).
  • Double-click the file. The Certificate dialog opens.
  • Click Install Certificate….
  • Select Local Machine (requires admin confirmation). Click Next.
  • Choose Place all certificates in the following store, then Browse.
  • Select Trusted Root Certification Authorities, click OK, then Next, then Finish.
  • Confirm the security warning dialog.

Method 2: PowerShell 

Import-Certificate -FilePath "C:\path\to\certificate.crt" `
  -CertStoreLocation Cert:\LocalMachine\Root
Enter fullscreen mode Exit fullscreen mode

To install for the current user only (no admin required):

Import-Certificate -FilePath "C:\path\to\certificate.crt" `
  -CertStoreLocation Cert:\CurrentUser\Root
Enter fullscreen mode Exit fullscreen mode

Method 3: MMC (full control)

  • Press Win+R, type mmc, press Enter.
  • File › Add/Remove Snap-in › select Certificates, click Add.
  • Choose Computer account, click Next, then Finish.
  • Expand Trusted Root Certification Authorities › Certificates.
  • Right-click All Tasks › Import… — walk through the wizard.

Verify It Worked 

certutil -store Root | findstr "Your Cert CN"
Enter fullscreen mode Exit fullscreen mode

Or in PowerShell:

Get-ChildItem -Path Cert:\LocalMachine\Root | Where-Object { $_.Subject -match "your-domain.local" }
Enter fullscreen mode Exit fullscreen mode

Restart Chrome/Edge and visit your HTTPS site — the padlock should be clean, no warning.

Removing the Certificate 

# PowerShell — by thumbprint
Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -match "your-domain.local" } | Remove-Item
Enter fullscreen mode Exit fullscreen mode

Troubleshooting

Cert installs but browser still shows warning

Fully close Chrome/Edge (check Task Manager) and restart. The trust store is cached in-process.

"The parameter is incorrect" during import

The file is probably not a valid X.509 certificate. Check with our PEM decoder — if it fails to parse there too, the file is corrupted or the wrong type (maybe a private key?).

Certificate has no SAN

Installing the cert as trusted doesn't bypass the SAN check. Browsers will still reject certs without a matching SAN. Regenerate with our generator.

Further Reading

Top comments (0)