Installing Root Certificates
Why do I care?
To access web sites, mail servers, or other network resources that are using Secure Sockets Layer (SSL) or Transport Layer Security (TLS), and do so in a secure manner, the client needs to verify the authenticity of the server's certificate. It does so by verifying that the certificate has been signed by a trustworthy organization, the Certificate Authority (CA).
There are many commercial Certificate Authorities selling the service of signing certificates for secure web sites, network services, to sign code with, etc. The service they are offering is simple: they vouch for the authenticity of the certificate signed by them. In other words, they guarantee that the server is who it says it is. They usually charge a lot of money for this service, and their guarantees are more or less limited. (The exact details on how they verify certificate holders varies widely between CAs.)
There is no magic to a CA: on the technical level, it's just another key that is used to sign things. So if you want to save the money, or you generally don't trust multi-million dollar corporations with your personal security, you can run your own CA, and sign your own web site certificates. There's just one little snag:
Clients typically have a built-in list of CAs. If a server certificate has been signed by one of these, the connection is established, and the "lock icon" is shown. However, if the certificate has been signed by a CA that is not on the list built into the browser or mail client, the client will refuse to connect to this server. Depending on the client, you might be able to connect after having been shown a warning message. To overcome this, you need to make your own CAs root certificate known to the client.
Certificate File Formats
There are two major file formats for certificates: DER and PEM. OpenSSL can be used to convert between the two:
- To convert a PEM certificate into DER format:
openssl x509 -in input.cer -inform PEM -out output.cer -outform DER
- To convert a DER certificate into PEM format:
openssl x509 -in input.cer -inform DER -out output.cer -outform PEM
Operating Systems
Mac OS X
- Copy the certificate in PEM format to you Mac.
- Open it by double-clicking it. Key Chain will launch and ask into which key chain you want to import this certificate.
- Choose the X509Anchors key chain, and click Import.
- Restart Safari and Mail. There should be no further warning messages about certificates that cannot be verified.
Windows
- Dowload the certificate in DER format, and open the file from Explorer.
- Click Install Certificate in the Certificate windows. This launches the Certificate Import Wizard.
- At the Welcome step, click Next.
- Keep the default "Automatically select the certificate store", and click Next.
- Click Finish.
- A final confirmation dialog is shown. Click Yes.
OpenSSL
Technically not an operating system, but many unix-like OSes rely on it. Instructions to follow.
Nokia Series60
Send the certificate in DER format to the phone (via Bluetooth or Infrared). When you open the received file, the Certificate Manager will start and will allow you to store the certificate as a CA Root certificate.
Sony Ericsson W950i
Send the certificate in DER format to the phone (via Bluetooth, Infrared, USB, or as an email attachment) and save it in any folder. Open the file with the phone's file manager and you will be allowed to store it as a CA Root certificate. If you see a red question mark as the file's icon, then you've got the wrong file. The correct icon is a green seal on a paper document.
iPhone and iPod touch
Email yourself or download from a web page the certificate in DER form. The iPhone will ask whether you'd like to install the certificate, and request your pin code if you have set one.
Applications
Mozilla, Firefox, Thunderbird
- Save the certificate in PEM format to your system.
- In Preferences, go to Advanced, Security, and click Show Certificates.
- In the window that is opened, go to the Authorities tab, and click Import.
- Select your certificate and import it.
- A dialog is shown that allows you to select what this Certificate Authority can vouch for: web sites, users, or software. If you're just concerned with web and email servers, you should only select web sites here. Then click OK.