How to manage digital certificates in different web browsers

Los digital certificates They have become essential for identifying yourself on electronic sites, signing documents, authenticating yourself on corporate intranets, or validating secure connections. Yet, many people are unclear about where they are, how to view them, or what to do when their browser doesn't offer them. In this practical guide, we've gathered everything you need to manage them in one place. different browsers and systems.

Let's go through, step by step, how to locate, import and verify certificates in Windows and macOS, what settings to touch in Chrome, Internet Explorer/Edge and Adobe Acrobat Reader, and how to deploy certificate authorities on devices Managed ChromeOSWe've also included typical requirements that some public venues still require, along with a note about mobile compatibility so you don't get caught off guard.

What is a digital certificate and what is it for?

Un digital certificate It's a file that links your identity to a cryptographic key to secure communications and signatures. This allows you to carry out administrative procedures, authenticate yourself to services, validate websites or sign documents with full legal validity. This is not the same as a digital signature: the certificate verifies identity, while the signature is used to seal documents in a verifiable manner.

There are natural person certificates, proxy, server, intermediate or root CA, and each plays a role in the chain of trust. Understanding which type you have installed and where it resides (computer, browser, or a token/DNIe) is key for the browser to propose it when appropriate.

In browsers such as Chrome or Firefox, HTTPS site validation and client certificate selection rely on certificate stores. certification authorities (CA). When installing a new root or intermediate CA, or importing your personal certificate, be sure to place it in the correct store to avoid trust errors.

In addition to user certificates, many applications and pages require your computer to trust a Concrete CA (for example, from a public entity or company). This trust is achieved by installing the CA in the appropriate repository and, if applicable, enabling integration with the operating system or the program's own repository.

Where are and how to view the certificates in each system?

Before importing anything it is good to know where to check what is installed. On both Windows and macOS, there are native tools for exploring user, computer, and CA certificates.

Windows

On Windows, open the Certificate manager Using Windows + R, type "certmgr.msc." This will open a console where you can review personal certificates, certificates from other people, and root or intermediate authorities.

1. In the left panel go to Staff → Certificates to see the user credentials used for authentication or signature.
2. Explore Trusted Root Certification Authorities and, if applicable, intermediate ones to verify the installed chain of trust.
3. Double-click a certificate to view its issuer, expiration and uses allowed.

If you need to import a copy of your personal certificate into Chrome on Windows, remember that Chrome uses the Windows Store, so the import is done through the system itself. Below you'll see the step-by-step import wizard.

MacOS

On macOS, certificates are managed with Access to Keyrings. Open it from Spotlight (Cmd + Space) and type its name to launch it. This utility centralizes system and user credentials.

1. In the sidebar choose Login o System depending on the type of certificate you want to review.
2. Use the top filter «Certificates» to show only this type of elements.
3. Double click to see details such as issuing entity and expiration date. This confirms that it is the correct certificate.

If you need new certificates for procedures or signatures, make sure to install them in the correct keychain (user or system) depending on who should use them and the permissions required.

Import and manage certificates in Google Chrome (Windows)

To import your certificate into Chrome on Windows you need a valid copy of the same. It must be a .pfx or .p12 file (icon of an open envelope with a certificate and a key), which contains the certificate and its private key. A .cer file without a private key cannot be used for signing or authenticating as a user.

Open Chrome and go to Settings → Privacy and security → Security → Manage certificates. In the top left corner, go to "Your Certificates" and, if it appears, select Manage certificates imported from Windows to work with the system warehouse.

In the Staff Click "Import" to launch the "Import Wizard." This wizard will guide you through the steps needed to get everything ready.

1. Click on Next and then click "Browse" to locate your .pfx or .p12 file. In the drop-down menu of the dialog box, select "Sharing of personal information» for the .pfx/.p12 to appear.
2. If your copy has a password, enter it. Also check the box Mark this key as exportable to be able to make a backup in the future.
3. Choose "Automatically select the certificate store" and continue with “Next” until “Finish”.

If everything goes well, you will see the success message and the certificate will appear ready in the Personal tabFrom now on, when a website requests authentication, Chrome will display the window to select the appropriate certificate.

If your file was a .cer without private key, it will be installed under "Other people" and will not be valid for signing or for procedures in offices such as the AEAT. In that case, you will not be able to renew or export correctly: you will have to request a new certificate to the supplier.

Configure Internet Explorer/Edge for certificate selection

Some sites and services still rely on classic Windows integration with Internet Explorer/Edge. If you're not asked for the certificate when you access a website with authentication and you want to the selector appears, adjust this behavior in the security options.

Go to Tools → Internet Options → Security → Internet and tap "Custom Level." In the corresponding category, select the option Deactivate in "Do not prompt for client certificate selection when one or no certificate exists." This will cause the browser will request confirmation even if there is only one valid certificate.

This setting is very useful when you have multiple certificates or when you need to control which identity you present to a electronic headquarters or a corporate portal. If you have 64-bit environments with older dependencies, remember that many sites required using 32-bit Internet Explorer along with 32-bit Java.

Configure and trust certificates in Adobe Acrobat Reader

To validate signatures in PDFs, Adobe Acrobat Reader can rely on the Windows Store or use your own trusted certificate store. Depending on the case, you'll be interested in one option or another so that it recognizes the chains of trust as valid.

Using the Windows Certificate Store with Adobe

First, install the Root CA that issued the certificate used to sign the documents. Download the certificate from the corresponding authority and open it by double-clicking it to launch the Windows wizard.

1. In the «Details» checks the attributes (issuer, fingerprint, usage) to confirm that it is the correct certificate.
2. Balance "Install certificate" and then “Next.”
3. Choose "Examine" and select the "Trusted Issuers" store Root Certification Authorities).
4. Move forward with "Following" to the final screen and press “Finish”.
5. Being a Root CAWindows will ask you for confirmation. Accept with "Yes."

Then, open Adobe Reader and go to Edit → Preferences. In "Security" click "Advanced Preferences" and go to the tab Windows Integration. Check the option Validating signatures so that Adobe trusts the system store when validating signed PDFs.

Use Acrobat Reader's own store

Acrobat Reader has a own trusted store and relies on it by default. If you prefer to manage it internally, import the issuing CA directly into the program so it recognizes signatures issued by that chain as valid.

1. Download the root certificate from the corresponding issuing authority.
2. Open Adobe Acrobat Reader. In earlier versions, go to Advanced → Manage trusted identities; in modern versions, go to Documents → Manage trusted identities.
3. Balance "Add contact" and then “Browse” to select the downloaded certificate.
4. In the window, select the newly imported contactThe certificates contained in the file will be displayed.
5. Choose Certification Authority certificate and click "Trust". Check the box "Signatures and as a root of trust" and accept.
6. End with "To import" and "Accept." From now on, Acrobat will validate signatures that rely on that CA.

Whether you choose the Windows store or the Acrobat store depends on your environment: in organizations that already rely on a system-level CA, the Windows integration Simplifies maintenance; if you need to control each trust from Adobe, the built-in store gives you autonomy.

Deploying certificates on ChromeOS with the Google Console

In managed environments, you can distribute a Corporate CA to enable ChromeOS devices to trust your network and applications. This deployment is done from the Google Admin console, uploading the authority as a trusted certificate.

Previous recommendations: perform this operation in the early stage deployment to ensure that users access sites without interruptions. Keep in mind that LDAP:// formats are not compatible and you can add a maximum of 50 certificates per organizational unit.

To configure the AC, go to Certificates in the console. If you want to apply it to all registered users and browsers, keep the top organizational level; otherwise, choose a secondary organizational unit. Then, click “Create Certificate.”

1. Assign a name to the certificate.
2. Click on Go up and select a PEM, CRT, or CER file. Only supported one certificate per file; will be rejected if it contains more than one certificate or no certificates at all. DER-encoded certificates are not accepted.
3. Under "Certification Authority", choose which platforms will be used as CA.
4. Save with "Add".

To deploy the certificate to devices, use a Open guest Wi-FiChromeOS devices will authenticate with Google and receive the TLS/SSL certificate. The certificate will be applied to all ChromeOS devices registered on the primary domain.

Admin trick: Force the switch to the production network by limiting the guest network (session time or internet access) or redirecting to a page that indicate the change Wi‑Fi network once the certificate has been downloaded.

To verify that the AC has been applied in a managed ChromeOS device, follow these steps from the computer itself:

1. Opens chrome: // settings.
2. On the left, enter Privacy & Security.
3. Click on Security.
4. Scroll to Advanced settings.
5. Choose Manage certificates.
6. Check that the appears certification authority that you just added.

Typical requirements for electronic offices and good practices

Some venues continue to require very specific configurations for identification and signatureAlthough many are undergoing modernization, it's helpful to be aware of these requirements when working with legacy platforms.

Operating Systems that have historically been accepted include Windows XP, Vista, 7, 8 and 8.1, as well as Ubuntu 8–10 (32-bit). In those environments, support for browsers, Java, and cryptographic modules made a difference.

As for browsers, versions of Internet Explorer 7–11, Firefox (3.6 to 42) and Chrome (11 to 44). If you are working with a 64-bit computer and an older site, you may be asked to start 32-bit Internet Explorer and use 32-bit Java.

Many offices of the General State Administration validate through the @firma platform. For the first connection, it has been required to install the Red.es certificateIf you are going to use DNIe, you will need the cryptographic module specific and have Java in supported versions (e.g., 1.6.0.30 to 1.8.0.45). Don't forget to enable JavaScript in the browser.

Additionally, it may be necessary to include certain URLs in "Trusted sites» of the browser, such as http://sede.red.gob.es and https://sede.red.gob.es. And, if the headquarters requires it, enable the file signing in the browser to be able to submit applications with electronic signature.

Supported Browsers and Mobile Notes

To browse and authenticate with a certificate on HTTPS sites, they are usually compatible Microsoft Edge, Internet Explorer, Mozilla Firefox, Google Chrome, Opera and Safari. Please note that some features are not present or are limited in mobile versions of these browsers.

If you need to use your certificate on a phone, check the specific documentation for your system and browser. In many cases, the best experience for signature and authentication It continues to occur on desktops, especially when cryptographic modules, DNIe, or dependencies such as Java are involved in legacy sites.

View, export and good custody practices

Regularly reviewing your certificates helps you avoid surprises. expiration or due to a lack of trust in new chains. On Windows, use certmgr.msc; on macOS, Keychain Access. Check the issuer, usage, dates, and fingerprints to verify that it corresponds to your identity and the intended purpose.

When you export or import, try to keep a copy password protected and mark the key as exportable if you plan future migrations between computers. Avoid sending PFX/P12 via unencrypted email and control who has access to it. private key, since it is the most sensitive element of the entire process.

If you detect that the copy you have is a simple .cer and the browser does not allow you to sign or authenticate, do not waste time: request a new certificate to the provider, following its identity verification procedure, and keeps a complete backup copy on a secure medium from the outset.

Install and trust a root certification authority (CA)

Sometimes, in order for your browser or Adobe to trust internal signatures or connections, you will need to install the Issuing Root CAThe typical procedure in Windows is to open the CA file, check its attributes in "Details", and use "Install certificate" to place it in the "Trusted Issuers" repository. Complete the wizard and confirm the security prompt.

Once the CA is installed, you can decide whether Adobe Reader trusts it. Windows Store (by activating "Validating signatures" in the Windows integration) or if you prefer to import it directly into Acrobat's own store ("Managing trusted identities → Add contact → Trust). This way, you’ll avoid invalid signature warnings on your documents.

If you work in an organization that uses ChromeOS, distribute the CA from the Google Console uploading a PEM/CRT/CER file with a single certificate (not DER). Remember the limits of 50 certificates per OU and that LDAP:// are not supported. Deploy with Guest Wi-Fi and validate in "Manage Certificates" on the device.

With all of the above, you will have the most frequent cases well covered: viewing installed certificates, importing in Chrome (Windows), adjusting selection in Internet Explorer/Edge, integration with Adobe, and deployment of CAs for managed devices. The key is to place each element in the correct repository, review the chain of trust, and maintain secure backups so you don't get caught out when you need it most.