Installing a CA Root Certificate in a Client Browser

Restriction: This topic applies only when the Enterprise Server feature is enabled.

The root certificates of well-known trusted CAs are often installed with the client browser, so you might not need to install any. The security policy in your organization might restrict your access to the Web and might have removed the trusted CA root certificates. In this case you need to install root certificates for the CAs that signed the server certificates of the servers you need to communicate with securely.

Note: The root certificate for the demonstration CA is not pre-installed, and so you need to install this certificate to enable you to use the demonstration CA.

CA root certificates can be specified as any of the following:

A single file containing a single certificate.
A single file containing multiple certificates. This file defines your trusted CAs (plus their chains if appropriate).
A directory containing PEM files that each contain a single certificate. These files are named with the hash value of the certificate content, using the hash.0 format. For example, you can display this hash value, using the command:
```
openssl X509 -hash -in CARootcert.pem
```
This produces the following output:
```
1a584193 
----BEGIN CERTIFICATE 
....
```
Where:
- The number that is displayed before the certificate is the hash value of the certificate.
- The filename of the certificate would be 1a584193.0

To install a CA root certificate:

In your browser, go to the options where you manage certificates. For example:
- In Internet Explorer, click Tools > Internet Options > Content > Certificates. Go to the Trusted Root Certification Authorities tab.
- In Mozilla Firefox, click Tools > Options > Advanced. Scroll down, click Manage Certificates and then click Authorities.
Click Import and select the CA's root certificate.
For the demonstration, select the self-signed certificate CARootCert.cer, which is in the private subdirectory of /opt/microfocus/DemoCA or $COBSSL (if set) by default.

Internet Explorer requires certificates in DER format, so only those are listed in the File Open field, and not the PEM format files. Mozilla Firefox can handle several types, so several are listed and you can install the PEM-format certificate.
In Internet Explorer, use the Browse button to enter Trusted Root Certification Authorities in the Certificate Store field.
In Mozilla Firefox, check Trust this CA to identify Web sites.
Look down the list under Trusted Root Certification Authorities (for Internet Explorer) and Authorities (for Firefox). You'll see your Demo CA is now listed; look for its Common Name. If when you installed Micro Focus Security Pack you chose to use your computer DNS name as the DemoCA's Common Name, it will probably look an odd-one-out, because real CAs tend to give themselves user-friendly Common Names.