Exporting Windows Certificates into WSL
Overview
This post outlines a simple process to export certificates from the Windows certificate store and import into a WSL2 instance.
Background
Enterprises will typically have default mechanisms to generate and distribute certificates to end-user compute (EUC) devices for 3rd party products, for example corporate proxy infrastructure or other security or network based services.
These systems are usually set up to cover the majority of common end-user use cases but not necessarily slightly more niche system usage required by developers or administrators. In this situation integrations work seamlessly for browsers and OOTB Windows systems but won’t automatically extend into local VMs, Docker Desktop containers or WSL instances.
This describes a simple mechanism to pull individual certificates (for example, root CA certificates) from Windows and import them into the WSL certificate store. This example uses WSL2 running Ubuntu 24.04, but it is easily adapted for other WSL targets.
How-to
Windows
On your Windows system:
TODO: Step to identify the proxy cert from properties other than its <CERT ID>
- Check the root CA certificate in the Windows certificate store on your laptop (<CERT ID> is the certificate's thumbprint, which is the leaf of the path under the Cert: drive):
  PS C:\Users\Will> Get-ChildItem -Path Cert:\LocalMachine\Root\<CERT ID> | Select-Object -Property *
  Verify the Issuer and Subject.
- Capture the existing proxy root CA certificate object from the Windows certificate store:
  PS C:\Users\Will> $proxycert = Get-ChildItem -Path Cert:\LocalMachine\Root\<CERT ID>
- Export the certificate as type CERT:
  PS C:\Users\Will> Export-Certificate -Cert $proxycert -FilePath $Env:USERPROFILE\Downloads\proxy.der -Type CERT
  Per the Export-Certificate documentation, CERT is "a .cer file format which contains a single DER-encoded certificate. This is the default value for one certificate."
WSL
In your WSL2 instance:
- Convert the DER-encoded certificate to PEM and place it into the local root CA trust staging directory:
  will@ubuntu:~$ sudo openssl x509 -inform der \
      -in /mnt/c/Users/<user.name>/Downloads/proxy.der \
      -out /usr/local/share/ca-certificates/proxy.crt
Notes:
- Change the <user.name> in /mnt/c/Users/<user.name>/Downloads as needed.
- The file placed into /usr/local/share/ca-certificates/ MUST have a .crt extension; update-ca-certificates ignores any other name.
- sudo escalation for root user permission is not required for the OpenSSL certificate encoding conversion, but is required in order to write the resultant file into the /usr/local/share/ca-certificates directory.
- Anything placed in that directory becomes a trusted root for every TLS client in the instance that uses the system bundle, so before running the update confirm that the Subject and SHA-1 fingerprint OpenSSL reports for proxy.crt match the Subject and Thumbprint you verified in PowerShell on the Windows side.
- Update the root Certificate Authorities (the "1 added" line confirms the new file was picked up):
  will@ubuntu:~$ sudo update-ca-certificates
  Updating certificates in /etc/ssl/certs...
  rehash: warning: skipping ca-certificates.crt, it does not contain exactly one certificate or CRL
  1 added, 0 removed; done.
  Running hooks in /etc/ca-certificates/update.d...
  done.
- Check that the certificate has been linked into /etc/ssl/certs:
  will@ubuntu:~$ ll /etc/ssl/certs/proxy.pem
  lrwxrwxrwx 1 root root 44 May 15 10:46 /etc/ssl/certs/proxy.pem -> /usr/local/share/ca-certificates/proxy.crt
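The Windows and WSL steps above can be driven from a single script run inside WSL, because WSL interop lets you call powershell.exe from bash. The script below is an added example, not part of the original post: it locates the root CA on the Windows side by a fragment of its Subject rather than by thumbprint (which also covers the open TODO above), requires that exactly one self-signed match exists, exports it as DER, converts it to PEM, checks that OpenSSL's SHA-1 fingerprint equals the PowerShell Thumbprint before anything is trusted, and only then installs it and runs update-ca-certificates. Assumptions: WSL interop is enabled so powershell.exe and wslpath are available and WSLENV is honoured for the child process; the CA lives under Cert:\LocalMachine\Root; the Subject fragment "Corp Proxy Root CA" and the export name proxy.der are hypothetical placeholders.

```shell
#!/usr/bin/env bash
# Added example (not the original post's code): export a root CA from the Windows
# store and install it into WSL, with a fingerprint check in between.
# Assumes WSL interop (powershell.exe, wslpath, WSLENV) is available.
set -euo pipefail

CA_SUBJECT_MATCH="${CA_SUBJECT_MATCH:-Corp Proxy Root CA}"  # hypothetical Subject fragment
STAGING_DIR="/usr/local/share/ca-certificates"

# Normalise a fingerprint so PowerShell's Thumbprint ("AB12...", upper-case, no
# separators) and OpenSSL's "SHA1 Fingerprint=AB:12:..." compare directly.
norm_fp() {
  printf '%s' "$1" | sed 's/^.*=//' | tr -d ':\r' | tr '[:lower:]' '[:upper:]'
}

# Return 0 when two fingerprints in either notation denote the same digest.
fingerprints_match() {
  [ "$(norm_fp "$1")" = "$(norm_fp "$2")" ]
}

# Build the staging path; update-ca-certificates only picks up files ending in .crt.
staging_path() {
  local name="$1"
  name="${name%.der}"; name="${name%.cer}"; name="${name%.pem}"; name="${name%.crt}"
  printf '%s/%s.crt\n' "$STAGING_DIR" "$name"
}

# Ask Windows for exactly one self-signed root whose Subject contains the fragment,
# export it as DER into the Windows user's Downloads folder, and print
# "<thumbprint>|<windows path>". The fragment travels via WSLENV (assumption).
export_from_windows() {
  local match="$1"
  local ps
  ps=$(cat <<'EOF'
$ErrorActionPreference = 'Stop'
$m = $env:CA_SUBJECT_MATCH
$c = @(Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -like "*$m*" -and $_.Subject -eq $_.Issuer })
if ($c.Count -ne 1) { throw "expected exactly one root matching '$m', found $($c.Count)" }
$out = Join-Path $env:USERPROFILE 'Downloads\proxy.der'
Export-Certificate -Cert $c[0] -FilePath $out -Type CERT | Out-Null
Write-Output ("{0}|{1}" -f $c[0].Thumbprint, $out)
EOF
)
  WSLENV="CA_SUBJECT_MATCH" CA_SUBJECT_MATCH="$match" \
    powershell.exe -NoProfile -Command "$ps" | tr -d '\r'
}

# Convert the DER file to PEM (no root needed), verify the SHA-1 fingerprint against
# the Windows thumbprint, then install it as root and refresh the system bundle.
install_into_wsl() {
  local thumbprint="$1" winpath="$2"
  local src tmp fp dest
  src=$(wslpath -u "$winpath")
  tmp=$(mktemp)
  openssl x509 -inform der -in "$src" -out "$tmp"
  fp=$(openssl x509 -noout -fingerprint -sha1 -in "$tmp")
  if ! fingerprints_match "$thumbprint" "$fp"; then
    echo "fingerprint mismatch: windows=$thumbprint openssl=$fp" >&2
    rm -f "$tmp"
    return 1
  fi
  echo "verified $(openssl x509 -noout -subject -in "$tmp")"
  dest=$(staging_path proxy.der)
  sudo install -m 0644 -o root -g root "$tmp" "$dest"   # root needed to write here
  rm -f "$tmp"
  sudo update-ca-certificates
  ls -l "/etc/ssl/certs/$(basename "${dest%.crt}").pem"  # symlink created by the update
}

main() {
  local result thumbprint winpath
  result=$(export_from_windows "$CA_SUBJECT_MATCH")
  thumbprint="${result%%|*}"
  winpath="${result#*|}"
  install_into_wsl "$thumbprint" "$winpath"
}

# Run the full procedure only when asked explicitly, so the helpers can be sourced.
if [ "${1:-}" = "run" ]; then main; fi
```

Invoke it as `bash export-ca.sh run` from the WSL prompt; sudo will prompt for your password at the install step. The fingerprint comparison is the part worth keeping even if you do the rest by hand: the DER file sits in a Windows-writable Downloads folder between the two halves of the procedure, and the thumbprint check is what ties the file you install to the certificate you inspected in the Windows store.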