How to set up a Root CA Certificate

If you have generated your own certificates for encrypted services and you do not want to see a warning in your browser, or other application, when you use services based on that certificate, you need to add it to the list of trusted root certificates. The following instructions explain how to do so for different browsers and applications.

Internet Explorer

Check your diagnosis: our certificate is missing

Browse to the encrypted site that causes the warning (if you don’t see a warning, you have perhaps already trusted the site certificate, but not necessarily the Root CA certificate). On Internet Explorer 6 and older, click the View Certificate option. On Internet Explorer 7, continue to the web site and then click the certificate error icon in the address bar, and choose "View Certificate". Note that on Internet Explorer 6, you can also access this option by double-clicking the padlock icon in the status bar, once you have temporarily accepted the site certificate.

You’ll see the site’s certificate has been issued and signed by the Root CA, and a warning message indicating that it isn’t trusted.

Trust that Root CA certificate

To install that Root CA certificate, you need to retrieve it in the form of a *.crt file. The simplest way is to download that file from a URL. Confirm the download with "Open". Click the Install Certificate button; you will then need to click Next a few times through a wizard. Except on Windows Vista, the default options are fine. On Windows Vista, you should select "Place certificate in the following store" and choose "Trusted Root Certification Authorities". You will be asked to confirm the fingerprint, which is a long string of hexadecimal values like:

D17B459C 982DDE00 221627C0 A8D60001 3AE0B250

The provider of the certificate should have given you a similar fingerprint, which assures you that the certificate you are about to trust is the correct one.
Once the Root CA certificate is installed in your list of trusted root certificates, you will no longer see warnings when using any encrypted site whose certificate is signed by that Root CA.

Mozilla Firefox

Check your diagnosis: the Root CA certificate is missing

Browse to the encrypted site that causes the warning (if you don’t see a warning, you have perhaps already trusted the site certificate, but not necessarily the Root CA certificate). Click the Examine Certificate option. You can also access this option by double-clicking the padlock icon in the address bar, once you have temporarily accepted the site certificate.

You’ll see that the site’s certificate has been issued and signed by the Root CA certificate, but in the Details tab you do not see the Root CA in the certificate hierarchy.
Open the Options dialog, go to the Advanced tab, then choose the Security tab. Click View Certificates.

Trust our root certificate

To install that Root CA certificate, you need to retrieve it in the form of a *.crt file. The simplest way is to download that file from a URL. A confirmation box lets you confirm that you want to trust the Root CA certificate. First, you should check the authenticity of that certificate. Click the "View" button to open the certificate, and check that the SHA1 and MD5 fingerprints are identical to those provided by the certificate issuer. Those fingerprints will look like the following ones, obviously with different numbers:

SHA1: D1:7B:45:9C:98:2D:DE:00:22:16:27:C0:A8:D6:00:01:3A:E0:B2:50
MD5: ED:13:30:C5:5D:15:B8:74:BF:C1:35:9D:1C:EE:95:17

Close the certificate and return to the confirmation dialog. Finally, indicate that the certificate will be used for trusting web sites (if in doubt, check all purposes), then complete the import. Firefox will now always trust certificates signed by that Root CA.

Mozilla Thunderbird

Check your diagnosis: the Root CA certificate is missing

Open the Options dialog, go to the Advanced tab, then choose the Certificates tab. Click View Certificates. A new dialog opens; in the Authorities tab, search for the Root CA certificate. If you find it, select it and choose Edit to check that all checkboxes have been checked.

Trust the Root CA certificate

To install the Root CA certificate, you need to retrieve it in the form of a *.crt file. If the file is offered for download, right-click (ctrl-click on MacOS) the link and choose "Save link as..." to store it locally.

In Thunderbird, open the Options dialog, go to the Advanced tab, then choose the Certificates tab. Click View Certificates. A new dialog opens; in the Authorities tab, choose Import... and browse to and select the file you have just downloaded. A confirmation box lets you confirm that you want to trust that Root CA certificate. First, you should check the authenticity of the certificate. Click the "View" button to open the certificate, and check that the SHA1 and MD5 fingerprints are identical to those provided by the certificate issuer. Those fingerprints will look like the following ones, obviously with different numbers:

SHA1: D1:7B:45:9C:98:2D:DE:00:22:16:27:C0:A8:D6:00:01:3A:E0:B2:50
MD5: ED:13:30:C5:5D:15:B8:74:BF:C1:35:9D:1C:EE:95:17

Close the certificate and return to the confirmation dialog. Finally, indicate that the certificate will be used for trusting web sites (if in doubt, check all purposes), then complete the import.

Safari / Mac OS X

To install a Root CA certificate, you need to retrieve it in the form of a *.crt file. The simplest way is to download that file from a URL. Clicking on that URL will download the file and store it locally. You may then double-click the downloaded file. An "Add Certificate" dialog opens and proposes to import the certificate into your Keychain. First, you should check the authenticity of the Root CA certificate. Click the "View Certificate" button to open the certificate, and check that the SHA1 and MD5 fingerprints are identical to those provided by the certificate issuer. Those fingerprints will look like the following ones, obviously with different numbers:

SHA1: D1:7B:45:9C:98:2D:DE:00:22:16:27:C0:A8:D6:00:01:3A:E0:B2:50
MD5: ED:13:30:C5:5D:15:B8:74:BF:C1:35:9D:1C:EE:95:17

Close the certificate and return to the "Add Certificate" dialog. Choose the X509Anchors Keychain from the list and confirm. This will load the Root CA Certificate into your list of trusted certificates.

After importing you can delete the downloaded file. You will then need to quit and reopen Safari to see the changes.

Java Applications

Once you add the Root CA certificate to Java’s root certificate trust store, all Java applications using that JVM will trust certificates signed by that Root CA certificate.

Note that you may need to do this each time you upgrade your Java installation.

To install the Root CA certificate, you need to retrieve it in the form of a *.crt file. If the file is offered for download, right-click (ctrl-click on MacOS) the link and choose "Save link as..." to store it locally.

Then find the cacerts file; it should be at JAVA_HOME/jre/lib/security/cacerts (see note 1 below), where JAVA_HOME is the home directory of the JVM you’re using.

Then type (substituting AnAliasForNamingTheCertificate, TheCertificateFile.crt, JAVA_HOME and DOWNLOAD_DIR as needed): 

keytool -import -alias AnAliasForNamingTheCertificate -file DOWNLOAD_DIR/TheCertificateFile.crt -keystore JAVA_HOME/jre/lib/security/cacerts -storepass changeit

(changeit is the default password on the cacerts file; see note 2 below.)
You may also need to become root or administrator to modify this file.

The output of that command shows details about the certificate you are about to trust. Check that the SHA1 and MD5 fingerprints are identical to those provided by the certificate issuer. They will look like the following ones, obviously with different numbers:

Owner: ...
Issuer: ...
Serial number: 0
Valid from: Thu Dec 02 21:31:21 CET 2004 until: Mon Aug 19 22:31:21 CEST 2024
Certificate fingerprints:
         MD5:  ED:13:30:C5:5D:15:B8:74:BF:C1:35:9D:1C:EE:95:17
         SHA1: D1:7B:45:9C:98:2D:DE:00:22:16:27:C0:A8:D6:00:01:3A:E0:B2:50
Trust this certificate? [no]:

If the fingerprints match, confirm by responding "yes".

You can check the correct installation with the following command: 

keytool -list -keystore JAVA_HOME/jre/lib/security/cacerts -storepass changeit

If you’ve got multiple Java installations you may need to work out which ones you’re using to run your application and do this on the appropriate one. Or do it on all of your Java installations.
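Every section above ends with the same step: comparing the fingerprint of the downloaded Root CA certificate with the one the issuer published. Internet Explorer shows it as space-separated groups, while Firefox, Thunderbird, Safari and keytool show colon-separated bytes. The following Python script is an added example, not part of the original article: it hashes the DER bytes of a PEM or DER *.crt file and compares the result with an issuer-supplied fingerprint written in either display style. SAMPLE_PEM is a constructed stand-in that wraps the bytes "abc", not a real certificate; the fingerprint logic is identical for a real one.

```python
import base64
import hashlib
import re

# Constructed stand-in for a downloaded .crt file: a PEM wrapper around the
# bytes b"abc" (base64 "YWJj"). Not a real certificate; a fingerprint is just a
# hash of the DER bytes, so the comparison logic is the same for a real file.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"

# The same SHA1 fingerprint as Internet Explorer displays it (space-separated
# groups) and as Firefox/Thunderbird/keytool display it (colon-separated).
# Constructed values for SAMPLE_PEM, not the ones shown in the article.
IE_STYLE = "A9993E36 4706816A BA3E2571 7850C26C 9CD0D89D"
COLON_STYLE = "a9:99:3e:36:47:06:81:6a:ba:3e:25:71:78:50:c2:6c:9c:d0:d8:9d"


def load_der(data):
    """Return the DER bytes of a .crt file given as str or bytes.
    Accepts a PEM wrapper (base64 between BEGIN/END lines) or raw DER."""
    if isinstance(data, str):
        data = data.encode("ascii")
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                  data, re.S)
    if m:
        return base64.b64decode(b"".join(m.group(1).split()))
    return data  # no PEM armour: assume the file is already DER


def fingerprint(data, algo="sha1"):
    """Fingerprint of the certificate's DER encoding as colon-separated hex,
    the format Firefox, Thunderbird, Safari and keytool print."""
    digest = hashlib.new(algo, load_der(data)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp):
    """Reduce any displayed fingerprint (spaces, colons, any case) to bare hex,
    so values copied from different tools can be compared."""
    return re.sub(r"[^0-9A-Fa-f]", "", fp).upper()


def fingerprint_matches(data, expected, algo="sha1"):
    """True only if the issuer-supplied fingerprint equals the whole digest of
    the downloaded file; a partial or wrong value must not be accepted."""
    return normalize(fingerprint(data, algo)) == normalize(expected)


if __name__ == "__main__":
    for algo in ("sha1", "md5"):
        print(algo.upper() + ":", fingerprint(SAMPLE_PEM, algo))
    print("matches IE style   :", fingerprint_matches(SAMPLE_PEM, IE_STYLE))
    print("matches colon style:", fingerprint_matches(SAMPLE_PEM, COLON_STYLE))
```

Replace SAMPLE_PEM with the contents of the real *.crt file and IE_STYLE or COLON_STYLE with the value the issuer published; only a full match should lead you to complete the import.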

Notes:

  1. For MacOS X users, here are some hints on where the cacerts file may be:

     /Library/Java/Home/lib/security/cacerts
     /System/Library/Frameworks/JavaVM.framework/Home/lib/security/cacerts
     /System/Library/Frameworks/JavaVM.framework/Versions/1.x.x/Home/lib/security/cacerts
     /Applications/Utilities/Java/Java Web Start.app/Contents/MacOS/cacerts

  2. For MacOS X Snow Leopard Update 1 and later, the password is now changeme