Installing Root Certificates
Why do I care?
To access web sites, mail servers, or other network resources that are using Secure Sockets Layer (SSL) or Transport Layer Security (TLS), and do so in a secure manner, the client needs to verify the authenticity of the server's certificate. It does so by verifying that the certificate has been signed by a trustworthy organization, the Certificate Authority (CA).
There are many commercial Certificate Authorities selling the service of signing certificates for secure web sites, network services, to sign code with, etc. The service they are offering is simple: they vouch for the authenticity of the certificate signed by them. In other words, they guarantee that the server is who it says it is. They usually charge a lot of money for this service, and their guarantees are more or less limited. (The exact details on how they verify certificate holders varies widely between CAs.)
There is no magic to a CA: on the technical level, it's just another key that is used to sign things. So if you want to save the money, or you generally don't trust multi-million dollar corporations with your personal security, you can run your own CA, and sign your own web site certificates. There's just one little snag:
Clients typically have a built-in list of CAs. If a server certificate has been signed by one of these, the connection is established, and the "lock icon" is shown. However, if the certificate has been signed by a CA that is not on the list built into the browser or mail client, the client will refuse to connect to this server. Depending on the client, you might be able to connect after having been shown a warning message. To overcome this, you need to make your own CAs root certificate known to the client.
Certificate File Formats
Mac OS X
- Copy the certificate in PEM format to you Mac.
- Open it by double-clicking it. Key Chain will launch and ask you into which key chain to import this certificate.
- Choose the X509Anchors key chain, and click Import.
- Restart Safari and Mail. There should be no further warning messages about certificates that cannot be verified.