The root certificates of well-known trusted CAs are often installed with the client browser, so you might not need to install any. However, the security policy in your organization might restrict your access to the Web and might have removed the trusted CA root certificates. In this case you will need to install root certificates for the CAs that signed the server certificates of the servers you need to communicate with securely.
Note that the root certificate for the demonstration CA is not pre-installed, and so you need to install this certificate to enable you to use the demonstration CA.
CA root certificates can be specified as any of the following:
- A single file containing a single certificate.
- A single file containing multiple certificates. This file defines your trusted CAs (plus their chains if appropriate).
- A directory containing PEM files that each contain a single certificate. These files are named with the hash value of the certificate content, using the hash.0 format. For example, you can display this hash value, using the command:
openssl x509 -hash -in CARootcert.pem
This produces the following output:
1a584193
-----BEGIN CERTIFICATE-----
....
Where:
- The number that is displayed before the certificate is the hash value of the certificate.
- The filename of the certificate would be 1a584193.0
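The hash-named directory described above can be populated with a short script. This is an added example, not Micro Focus code; the function names install_ca_cert and cert_fingerprint and the directory passed in are assumptions. The value that openssl x509 -hash prints is computed from the certificate's subject name, so two certificates with the same subject share a hash and are told apart by the numeric suffix (.0, .1, and so on), which the script handles.

```shell
#!/bin/sh
# Added example: install a PEM certificate into a hash-named CA directory.
# Usage (names are assumptions): install_ca_cert CARootcert.pem /path/to/cadir

# Print the SHA-256 fingerprint of a PEM certificate (empty if unparsable).
cert_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" 2>/dev/null | cut -d= -f2
}

# install_ca_cert CERT.pem DIR
# Copies CERT.pem to DIR/<hash>.<n> and prints the file name that was used.
install_ca_cert() {
    cert=$1
    dir=$2
    # Same value that "openssl x509 -hash" prints before the certificate.
    # Fails here if the input is not a parsable PEM certificate.
    hash=$(openssl x509 -noout -hash -in "$cert" 2>/dev/null) || return 1
    [ -n "$hash" ] || return 1
    fp=$(cert_fingerprint "$cert")
    mkdir -p "$dir" || return 1
    n=0
    while [ -e "$dir/$hash.$n" ]; do
        # This exact certificate is already installed: report it and stop.
        if [ "$(cert_fingerprint "$dir/$hash.$n")" = "$fp" ]; then
            echo "$hash.$n"
            return 0
        fi
        # A different certificate has the same hash: try the next suffix.
        n=$((n + 1))
    done
    cp "$cert" "$dir/$hash.$n" || return 1
    echo "$hash.$n"
}
```

Before adding a root to the directory, compare the output of cert_fingerprint with a fingerprint obtained from the CA through a separate channel.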
To install a CA root certificate:
- In your browser, go to the options where you manage certificates. For example:
  - In Internet Explorer, click Tools > Internet Options > Content > Certificates. Go to the Trusted Root Certification Authorities tab.
  - In Mozilla Firefox, click Tools > Options > Advanced. Scroll down, click Manage Certificates and then click Authorities.
- Click Import and select the CA's root certificate.
  For the demonstration, select the self-signed certificate CARootCert.cer, which is in the private subdirectory of %ProgramFiles(x86)%\Micro Focus\DemoCA (Windows) or /opt/microfocus/DemoCA/openssl or $COBSSL (if set) (UNIX) by default.
  Internet Explorer requires X509 certificates, in DER format, so only those are listed in the File Open field, and not the PEM format files. Mozilla Firefox can handle several types, so several are listed and you can install the PEM-format certificate.
- In Internet Explorer, use the Browse button to enter Trusted Root Certification Authorities in the Certificate Store field. In Mozilla Firefox, check Trust this CA to identify Web sites.
- Look down the list under Trusted Root Certification Authorities (for Internet Explorer) and Authorities (for Firefox). You'll see your Demo CA is now listed; look for its Common Name. If, when you installed Micro Focus Security Pack, you chose to use your computer DNS name as the DemoCA's Common Name, it will probably look like the odd one out, because real CAs tend to give themselves user-friendly Common Names.