Installing the Certificate on Your Server
Next you'll need to install your certificates on the appropriate servers. The following instructions explain how to import your organization's certificate in a Windows certificate store, how to grant access to the private key, and how to find the certificate's thumbprint.
Importing the Certificate
On the server that will use the certificate:
- Click the Start menu and then click the Search icon in the upper right corner.
- In the Search box, type mmc, and then right-click the mmc.exe result and select Run as administrator. This will open the Microsoft Management Console program.
- In the Microsoft Management Console, click on File, then select Add/Remove Snap-in... This will open the Add or Remove Snap-ins dialog box.
- From the list of Available snap-ins, select Certificates, then click the Add > button. This will open the Certificates snap-in dialog.
- Choose Computer account from the available options, then click Finish. The Select Computer dialog will open.
- Choose Local computer, then click Finish. This will take you back to the Add or Remove Snap-ins dialog.
- Click OK.
- In the left pane, expand Console Root to show Certificates (Local Computer).
- Expand Certificates (Local Computer) by clicking the left arrow.
- Click the Personal folder. This is the visual representation of the LocalMachine\My certificate store. The window pane on the right may or may not contain certificates.
- Right-click the Personal folder, then click All Tasks, then click Import... The Certificate Import Wizard dialog opens.
- Click Next. The dialog lets you choose the certificate file to import.
- Click Browse...
- In the file selection dialog, change the file extension filter to Personal Information Exchange (.pfx;.p12).
- Browse the file system to locate your certificate file.
- Click Next. This shows the Private key protection screen. If you have a password protecting your private key, enter it into the provided password field.
- In the Import options, make sure the Mark this key as exportable and Include all extended properties options are selected.
- Click Next. The wizard will now show the Certificate Store screen.
- Select the Place all certificates in the following store option, and set the Certificate store to Personal.
- Click Next. The wizard will now show the completion screen.
- Click Finish. A dialog box stating the import was successful should be shown. The imported certificate should now be displayed within the Personal > Certificates folder. The certificate icon should show a small key, which indicates that the certificate has a private key.
Importing the Signing and Root Certificates
The following instructions are only applicable when configuring your system to access the IRB Exchange Test environment. If you are configuring your system for production, this section should be skipped.
When you receive your certificates for accessing the IRB Exchange Test environment, the zip file will contain two additional certificates: intermediate.cer and root.cer. These certificates will also need to be imported into your server's certificate store in order to provide a chain of trust for your test certificate.
Importing the Signing Certificate
- In the left pane, right-click the Intermediate Certification Authorities folder, then click All Tasks, then click Import... The Certificate Import Wizard opens.
- Click Next. The dialog lets you choose the certificate file to import.
- Click Browse...
- Browse the file system to locate the intermediate.cer file.
- Click Next. The wizard will now show the Certificate Store screen.
- Select the Place all certificates in the following store option, and set the Certificate store to Intermediate Certification Authorities.
- Click Next. The wizard will now show the completion screen.
- Click Finish. A dialog box stating the import was successful should be shown. The imported certificate should now be displayed within the Intermediate Certification Authorities > Certificates folder. The certificate will be listed as signing.huronirbexchange.com.
Importing the Root Certificate
- In the left pane, right-click the Trusted Root Certification Authorities folder, then click All Tasks, then click Import... The Certificate Import Wizard opens.
- Click Next. The dialog lets you choose the certificate file to import.
- Click Browse...
- Browse the file system to locate the root.cer file.
- Click Next. The wizard will now show the Certificate Store screen.
- Select the Place all certificates in the following store option, and set the Certificate store to Trusted Root Certification Authorities.
- Click Next. The wizard will now show the completion screen.
- Click Finish. A dialog box stating the import was successful should be shown. The imported certificate should now be displayed within the Trusted Root Certification Authorities > Certificates folder. The certificate will be listed as root.huronirbexchange.com.
Granting Access to the Private Key
The user account that will interact with the IRB Exchange must be granted read access to the private key of the certificate. This will allow the account to make authenticated requests to the Exchange and to decrypt information received from the Exchange.
For a Huron Portal system, the Trusted System account (typically named ClickSystem) must have access to the private key. The following steps show how to grant private key access to the ClickSystem account:
- Right-click the imported certificate, then choose All Tasks > Manage Private Keys... The permissions dialog for the private key opens.
- Click Add.... The Select Users or Groups dialog opens.
- Locate your Trusted System account.
- Click OK. This adds the Trusted System account to the permission list.
- In the Permissions for {Trusted System} section, check the Allow option for Read. If the Full Control option is checked, uncheck it. Note: The ClickSystem account only requires read access to the private key.
- Click OK.
The certificate is installed and configured for use within your Portal stores on the server. For a Huron Portal store, the ClickSystem account has access to the private key and will be able to create signed requests that can be authenticated with the IRB Exchange.
Finding the Certificate Thumbprint
The certificate thumbprint or fingerprint is sometimes used to locate the correct certificate to use during communication with the IRB Exchange.
The thumbprint is required for Huron Portal systems when configuring your IRB Exchange accounts in your store. It is also recommended for use in connecting a .NET application to the Exchange, though there are alternative approaches.
Tip: You may have already received the thumbprint for a test certificate if you requested the certificate from Huron. For your convenience, Huron typically includes the thumbprint (in addition to the certificate file) in response to your request.
To find the thumbprint on your server:
- Open a PowerShell console.
- Run the following command:
  Get-ChildItem Cert:\LocalMachine\My
- Find the certificate by matching the CN in the Subject column to the name of your certificate.
- Copy the associated Thumbprint.
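A check you can run in an elevated PowerShell console after the import, private key and thumbprint steps above; it is an added example, not a script supplied by Huron. It prints the thumbprint, confirms the chain builds from the local certificate stores, and shows whether the Trusted System account holds more than Read on the key file. The $SubjectCn and $Account values are placeholders, and the script assumes an RSA key.

```powershell
# Added example. $SubjectCn and $Account are placeholders; set them for your system.
$SubjectCn = 'your-certificate-name'   # assumption: CN of the certificate you imported
$Account   = 'ClickSystem'             # assumption: name of your Trusted System account

$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*CN=$SubjectCn*" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with CN=$SubjectCn in LocalMachine\My" }
"Thumbprint  : $($cert.Thumbprint)"
"Expires     : $($cert.NotAfter)"
"Private key : $($cert.HasPrivateKey)"

# Build the chain from the local stores (revocation lookups skipped, so this runs offline).
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
"Chain valid : $($chain.Build($cert))"
$chain.ChainElements | ForEach-Object { "  $($_.Certificate.Subject)" }
$chain.ChainStatus   | ForEach-Object { "  problem: $($_.Status)" }

# Locate the machine key file (assumes an RSA key; CNG and legacy CSP keys live in different folders).
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if (-not $rsa) { throw 'No accessible RSA private key for this certificate' }
if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $name = $rsa.Key.UniqueName
} else {
    $name = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
}
$keyFile = 'Microsoft\Crypto\Keys', 'Microsoft\Crypto\RSA\MachineKeys' |
    ForEach-Object { Join-Path (Join-Path $env:ProgramData $_) $name } |
    Where-Object { Test-Path $_ } | Select-Object -First 1
if (-not $keyFile) { throw "Key file $name not found under $env:ProgramData\Microsoft\Crypto" }

# Report the account's Allow entries on the key file and flag anything broader than Read.
$full  = [System.Security.AccessControl.FileSystemRights]::FullControl
$rules = @((Get-Acl -Path $keyFile).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -like "*\$Account" })
if (-not $rules) { "WARNING: $Account has no Allow entry on the private key" }
foreach ($r in $rules) {
    $tooBroad = ($r.FileSystemRights -band $full) -eq $full
    "{0}: {1}{2}" -f $r.IdentityReference, $r.FileSystemRights, $(if ($tooBroad) { '  <-- Full Control, reduce to Read' })
}
```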
Next Steps
Return to the appropriate Getting Started page for your scenario.