HowTo: Import the CAcert Root Certificate into Client Software

If you want to access a website that uses a SSL certificate signed by CAcert, you might get an SSL warning. We are sorry, but currently that's still 'normal' as mainstream browsers don't automatically include the CAcert Root Certificate yet. (Check the InclusionStatus page for latest news on this topic.)

This HowTo tells you how you can manually import the CAcert Root Certificate in you webbrowser and other client software (like the Acrobat Reader) so that you don't get these warnings anymore.

Expected Result: You access https://www.cacert.org/ and don't get any warnings about unknown certificates anymore.

Mozilla Firefox

Firefox uses it's own Certificate Manager. So even if your Windows (and other Microsoft) applications already use a root certificate Firefox still might not. The following procedure tells you how to import the CAcert Root Certificate into your Firefox webbrowser.

  1. Go to the CAcert Root Certificate website: http://www.cacert.org/index.php?id=3

  2. Click on 'Root Certificate (PEM Format)' 1

  3. You'll get:

You have been asked to trust a new Certificate Authority (CA).

Do you want to trust "CA Cert Signing Authority" for the following purposes?

[ ] Trust this CA to identify web sites.
[ ] Trust this CA to identify email users.
[ ] Trust this CA to identify software developers.

Before trusting this CA for any purpose, you should examine its certificate
and its policy and procedures (if available).

[VIEW] Examine CA certificate
  1. You should click on VIEW to check the certificate. Most important is that you check the fingerprints of the certificate 2. They should match the following:

SHA1 Fingerprint: 135C EC36 F49C B8E9 3B1A B270 CD80 8846 76CE 8F33
MD5  Fingerprint: A6:1B:37:5E:39:0D:9C:36:54:EE:BD:20:31:46:1F:6B
  1. Close the Certificate Viewer and tick at least the first box ('Trust this CA to identify web sites.').
  2. Press OK and that's it.

    Don't forget to install the CRL too! (just enter the URL "http://www.cacert.org/revoke.crl" and follow the directions.)

If you want to check, modify, or delete the CAcert Root Certificate you can access it at any time via:

  1. Open Edit -> Preferences -> Advanced or Open Tools -> Options -> Advanced

  2. Certificates -> Manage Certificates

  3. Authorities
  4. The CAcert certificate is called Root CA (Scroll down to 'R'!)

  5. Here you can View, Edit and Delete it.

Mozilla Thunderbird

Thunderbird uses it's own Certificate Manager. So even if your Windows (and other Microsoft) applications already use a root certificate Thunderbird still might not. The following procedure tells you how to import the CAcert Root Certificate into your Thunderbird mail-client.

  1. Go to the CAcert Root Certificate website: http://www.cacert.org/index.php?id=3

  2. Click on 'Root Certificate (PEM Format)' with the RIGHT mouse-button to save it
  3. open thunderbird
  4. open preferences->privacy->securiy->view certificates->ca

  5. select "import certificate"
  6. You'll get:

You have been asked to trust a new Certificate Authority (CA).

Do you want to trust "CA Cert Signing Authority" for the following purposes?

[ ] Trust this CA to identify web sites.
[ ] Trust this CA to identify email users.
[ ] Trust this CA to identify software developers.

Before trusting this CA for any purpose, you should examine its certificate
and its policy and procedures (if available).

[VIEW] Examine CA certificate
  1. You should click on VIEW to check the certificate. Most important is that you check the fingerprints of the certificate 3. They should match the following:

SHA1 Fingerprint: 135C EC36 F49C B8E9 3B1A B270 CD80 8846 76CE 8F33
MD5  Fingerprint: A6:1B:37:5E:39:0D:9C:36:54:EE:BD:20:31:46:1F:6B
  1. Close the Certificate Viewer and tick at least the first box ('Trust this CA to identify web sites.').
  2. Press OK and that's it.

To install the CRL, enter the URL "http://www.cacert.org/revoke.crl" in the CRL-manager on the same tab in preferences.

Apple Safari

To add the CAcert Root Certificate to Apple Safari, we need to use the Keychain Access application which is shipped with Mac OS X.

To install the certificate system-wide, you need to follow these steps:

  1. Go to the CAcert Root Certificate website: http://www.cacert.org/index.php?id=3

  2. Click on 'Root Certificate (PEM Format)'. It will be downloaded to your desktop
  3. Doubleclick on the 'root.crt' file. The Keychain Access application will be launched
  4. To check the certificate, click on the 'View Certificates' button on the left side of the dialog. A dialog with information about the certificate will pop up. Make sure the following values match:

Fingerprints
SHA1: 13 5C EC 36 F4 9C B8 E9 3B 1A B2 70 CD 80 88 46 76 CE 8F 33
MD5: A6 1B 37 5E 39 0D 9C 36 54 EE BD 20 31 46 1F 6B
  1. Select 'X509Anchors' from the 'Keychain' dropdownlist and press 'OK'.

  2. You will be asked to authenticate yourself. After that, the certificate will be installed system-wide.

Opera Webbrowser

This applies to 8.02 Linux, not sure about 6.x or 7.x

  1. Go to the CAcert Root Certificate website: http://www.cacert.org/index.php?id=3

  2. Click on 'Root Certificate (PEM Format)'
  3. Choose 'View'
  4. Check 'Allow connections to sites using this certificate'
  5. If desired, uncheck 'Warn me before using this certificate'

There seems to be an occasional problem getting the certification to pass on Opera 8.5 in Windows. Here is the workaround:

  1. Make sure cache is cleared.
  2. Attempt to get cert. via Opera ID'ing.
  3. Attempt to get while ID'ing as IE 6.0 (in Opera).
  4. Attempt to get while ID'ing as Opera again. This time, cert. should pass through.

It seems there is something about the caching where it wants both IE and Opera set at the same time before it will let the Opera cert. go through. Odd, but it works.

Microsoft Internet Exporer

You have two possiblities using Microsoft Internet Exporer. One is to automatically install it using ActiveX and one is to manually import it.

Installation using ActiveX (for a single user)

  1. Go to the CAcert Root Certificate website: http://www.cacert.org/index.php?id=3

  2. Click on 'Click here if you want to import the root certificate into Microsoft Internet Explorer'
  3. Check that certificate match the following:

Fingerprints
SHA1: 135CEC36 F49CB8E9 3B1AB270 CD808846 76CE8F33
MD5: A61B375E 390D9C36 54EEBD20 31461F6B
  1. Click on yes.

Manual Installation (for a single user)

If you want to install the CAcert Root Certificate manually into Internet Explorer do the following:

  1. Go to the CAcert Root Certificate website: http://www.cacert.org/index.php?id=3

  2. Download the 'Root Certificate' (choose either DER or PEM Format - it doesn't matter)
  3. Open the Windows Key Store: View -> Tools -> Internet Options -> Content -> Personal -> Certificates

  4. Import the Certificate you downloaded

Note: This procedure only adds the CAcert Root Certificate to the current user! If you have multiple user accounts have a look at the next section.

Import into Microsoft Windows for multiple users

If you have more than one account on your computer you don't want to install the CAcert Root Certificate for every single user. Therefore you can manually import the CAcert Root Certificates into the Local Machine Store.

  1. Log in as an Administrator
  2. Click the windows Start button and choose Run

  3. Type MMC, then hit Enter

  4. From the new window open the File menu and choose Add/Remove Snap-in...

  5. click the Add Button

  6. choose the certificates item from the listbox and click the Add Button

  7. choose the Computer Account radio button and click the Next Button

  8. choose the Local Computer radio button and click the Finish Button

  9. click the Close Button

  10. click the Ok Button

  11. expand the tree to view Trusted Root Certification Authorities node

  12. right click on the Trusted Root Certification Authorities

  13. find the All Tasks menu item then choose Import off that menu and click Next

  14. type in, or browse to certificate you want to insert and click Next

  15. verify that the radio box labeled Place all certificates in the following store is checked and that text box says Trusted Root Certification Authorities

  16. click Next and then Finish

At this point you should get a message saying the import was successful, and you can close the MMC window.

Import into Microsoft Active Directory Group Policy object

To use certificates generated with CACert.org with any MS office product, you will have to manually import the root certificate into your certificate store, you can do this on your machine from that same interface, BUT if you want to use the certificates across the enterprise you will have to follow this text, borrowed from the MS support website.

Add the third-party root CA to the trusted roots in an Active Directory Group Policy object (GPO). To configure Group Policy in the Windows 2000 domain to distribute the third-party CA to the trusted root store of all domain computers:

  1. Click Start -> Programs -> Administrative Tools -> Active Directory Users and Computers

  2. In the left pane, locate the domain in which the policy you want to edit is applied.
  3. Right-click the domain, and then click Properties.

  4. Click the Group Policy tab.

  5. Create a new Group Policy by clicking on New and give the new GPO a name

  6. Click on the new object, and then click Edit. A new window opens.

  7. In the left pane, expand the following items: 'Computer Configuration', 'Windows Settings', 'Security Settings', 'Public Key Policy'
  8. Right-click Trusted Root Certification Authorities.

  9. Select All Tasks, and then click Import.

  10. Follow the instructions in the wizard to import the certificate.
  11. Click OK.

  12. Close the Group Policy window.

Editing the Default Domain Policy as this wiki previously suggested is a bad idea.

Acrobat 6.0

For Acrobat READER 6.0.X, do the following if the Windows Certificate Store includes CAcert root certificate

  1. Edit Menu . Preferences
  2. choose digital signatures

  3. then click the advanced preferences button

  4. then check the following 3 checkboxes
  5. Enable importing of identities from the Windows Certificate Store into the Adobe Trusted Indentities List
  6. validating signatures
  7. validating certified documents

Note: This MAY also work for Acrobat 6 Acedemic, Standard, and Professional versions, but it has not been verified

Acrobat 7.0

How to add the root CAcert cert to Adobe certificate store as they don't use the Windows cert store.

Question: I am getting the error Certifier's identity is unknown ?

To make this simple the reason is because the CACert.org root cert isn't in Adobe, as of Acrobat 7 only 2 CAs have their root cert in Acrobat, GeoTrust and Adobe, this is something you will have to guide your clients thru if you want to use another CAs certificates to sign your PDF documents. For Acrobat reader does indeed have the ability to verify its documents against the Windows cert store, at least Acrobat Reader 7 does. To do this

  1. Open Acrobat (Reader, Academic, Standard or Professional)
  2. choose the edit menu

  3. choose preferences

  4. choose the security category

  5. choose the advanced preferences button

  6. choose the windows integration tab

  7. then check the following 3 checkboxes
  8. Enable importing of identites from the Windows Certificate Store into the Adobe Trusted Identities List
  9. validating signatures
  10. validating certified documents

But remember: This only installed the CAcert Root Certificate into your copy of Acrobat, not to anything else (like you webbrowser).

External Documentation

Leftovers from the original page

note :

As you may use your personal certs (email certs) for signing documents, lets start with "How are you generating your keys".

When you request a cert from a CA like CACert.org, your computer generates the private key, and a request that you then use to retrieve the signed public key portion from the CA.

If you are using IE to generate this, it automatically stores both portions of your key in the windows key store, if you are using Firefox you are going to have a little more trouble, as you will have to export the key from the Firefox key store and import it into the Windows key store before you can use it with Word or any other Office product.

Follow the same instructions as written above.

At that point you may import your entire certificate or back them up, one of the options for backup included a checkbox to include the private key. For simplicities sake, lets assume that you used IE to generate the certificate, thus the certificate is in the store, if not, go back at and do it that way, it will save you headaches.

  • 1 If Firefox tells you 'The Certificate already exists' someone already imported the Certificate for you.

  • 2 You also find the fingerprints gpg signed on the CAcert Root Certificate page.

  • 3 You also find the fingerprints gpg signed on the CAcert Root Certificate page.

BrowserClients (ostatnio edytowane 2006-04-02 21:41:11 przez Julian Zimmerle)