Certificate Depot

How to Trust a Self-Signed Certificate on Windows

Add your certificate to the Windows Trusted Root store — the GUI and PowerShell ways.

Windows maintains certificate stores for both the current user and the local machine. For a certificate to be trusted system-wide, install it into Local Machine › Trusted Root Certification Authorities.

Method 1: Double-click (easiest)

  1. Rename your certificate to .crt if it's .pem (Windows recognizes both, but .crt triggers the install dialog on double-click).
  2. Double-click the file. The Certificate dialog opens.
  3. Click Install Certificate….
  4. Select Local Machine (requires admin confirmation). Click Next.
  5. Choose Place all certificates in the following store, then Browse.
  6. Select Trusted Root Certification Authorities, click OK, then Next, then Finish.
  7. Confirm the security warning dialog.

Method 2: PowerShell

Import-Certificate -FilePath "C:\path\to\certificate.crt" `
  -CertStoreLocation Cert:\LocalMachine\Root

To install for the current user only (no admin required):

Import-Certificate -FilePath "C:\path\to\certificate.crt" `
  -CertStoreLocation Cert:\CurrentUser\Root

Method 3: MMC (full control)

  1. Press Win+R, type mmc, press Enter.
  2. File › Add/Remove Snap-in › select Certificates, click Add.
  3. Choose Computer account, click Next, then Finish.
  4. Expand Trusted Root Certification Authorities › Certificates.
  5. Right-click Certificates, choose All Tasks › Import…, and walk through the wizard.

Verify It Worked

certutil -store Root | findstr /C:"Your Cert CN"

Or in PowerShell:

Get-ChildItem -Path Cert:\LocalMachine\Root | Where-Object { $_.Subject -match "your-domain.local" }

Restart Chrome/Edge and visit your HTTPS site — the padlock should be clean, no warning.

Removing the Certificate

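# PowerShell: by subject match. -match is a regex, so run the filter without
# Remove-Item first and confirm it returns only your certificate.
Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -match "your-domain.local" } | Remove-Item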

Troubleshooting

Cert installs but browser still shows warning

Fully close Chrome/Edge (check Task Manager) and restart. The trust store is cached in-process.

"The parameter is incorrect" during import

The file is probably not a valid X.509 certificate. Check with our PEM decoder — if it fails to parse there too, the file is corrupted or the wrong type (maybe a private key?).

Certificate has no SAN

Installing the cert as trusted doesn't bypass the SAN check. Browsers will still reject certs without a matching SAN. Regenerate with our generator.
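
The import, verify and removal steps above, combined with the file and SAN checks from Troubleshooting and keyed on the certificate's exact thumbprint instead of a subject pattern. This is an added example, not part of the original guide; the path is a placeholder and the three function names are hypothetical.

```powershell
# Added example, not from the original guide. The path is a placeholder and the
# function names are hypothetical. Run elevated to write to LocalMachine\Root.
$CertPath = 'C:\path\to\certificate.crt'

function Get-CertFileInfo {
    param([Parameter(Mandatory)][string]$Path)
    $full = (Resolve-Path -LiteralPath $Path).ProviderPath
    # The constructor throws if the file is not a parseable X.509 certificate
    # (for example a private key), the same kind of file that fails the import.
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($full)
    # Subject Alternative Name is extension OID 2.5.29.17.
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    [pscustomobject]@{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        SelfSigned = ($cert.Subject -eq $cert.Issuer)
        San        = if ($san) { $san.Format($false) } else { $null }
    }
}

function Install-InspectedRoot {
    param([Parameter(Mandatory)][string]$Path,
          [Parameter(Mandatory)][string]$ExpectedThumbprint)
    $info = Get-CertFileInfo -Path $Path
    # Refuse to trust a file that is not the one that was inspected.
    if ($info.Thumbprint -ne $ExpectedThumbprint) {
        throw "Thumbprint mismatch: file has $($info.Thumbprint)"
    }
    if (-not $info.San) {
        Write-Warning 'No SAN extension: browsers will still reject this certificate.'
    }
    Import-Certificate -FilePath $Path -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
    # Verify by exact thumbprint instead of a subject pattern.
    Get-Item -Path "Cert:\LocalMachine\Root\$($info.Thumbprint)"
}

function Remove-InspectedRoot {
    param([Parameter(Mandatory)][string]$Thumbprint)
    # Deletes exactly one store entry; no other root can match.
    Remove-Item -Path "Cert:\LocalMachine\Root\$Thumbprint"
}

# 1. Inspect the file and review the output before trusting anything.
$info = Get-CertFileInfo -Path $CertPath
$info | Format-List
# 2. Install, pinned to the thumbprint just reviewed.
Install-InspectedRoot -Path $CertPath -ExpectedThumbprint $info.Thumbprint
# 3. Later: Remove-InspectedRoot -Thumbprint $info.Thumbprint
```

Keep the thumbprint from step 1: it identifies this one certificate in the store for later verification or removal, even if another root has a similar subject.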
