root certificate : Java Glossary

root certificate

You need the latest and greatest root CA (Certificate Authority) certificates from the various signing authorities installed in your cacerts. file and in your browser. With them you can validate the public keys of certificates issued by that authority. The easiest way to do that is to use the latest Java JRE and also go to your browser vendor site and get the latest version of your browser, which will naturally include the latest root certificates. Happily most browsers come with extensive lists of root certificates built-in. Every new version of the browser automatically updates the list.

Why You need to Install Root Certificates	Caveat
Importing Code-Signing Root Certificates	Sources of Root Certificates
How to Import Root certificates Into Various Browsers	Links

Why You need to Install Root Certificates

If you don’t have the corresponding signing authority root certificate in your browser, your browser will treat SSL (Secure Sockets Layer) https websites and Applets signed with expensive certificates with the same disdain it treats self-signed phony ones.

When a company such as Thawte or Verisign issues a digital certificate for SSL or code signing, they digitally sign it with their own master private key certificate. To verify that the certificates that they issue are valid, you need a copy of the issuing authority’s public key in your browser for SSL (or in your cacerts. file for signed Applets or Java Web Start). The process of installing these public keys is called downloading root certificates or installing certificate authorities.

Importing Code-Signing Root Certificates

To install code signing authorities, download the certificate and read up on how to use keytool.exe to import it into you cacerts. file. For Java’s use, you must import the root certificates into all your cacerts. files with keytool.

You can always export certificates from one browser and import into another rather that trying to update directly.

With modern JRE (Java Runtime Environment) s, it is most important to get the JREs updated with the recent root certs, then secondarily the browser.

How to Import Root certificates Into Various Browsers

Often all you need do install a certificate is click the link and the root certificate will automatically install into your browser.

How To Update Root Signing Authority Certificates
Last revised/verified: 2008-01-23
Logo	Browser	What To Do
	Java	You download the root certificate then import it into both your JRE and JDK (Java Development Kit) with: Where C:\temp\Thawte Code Signing CA.cer is the name of the root certificate you are importing. The default password for cacerts. is changeit.
	Opera	Just click on the certificate reference to download and import it, or click File ⇒ Open. Alternatively, Click tools ⇒ preferences ⇒ advanced ⇒ security ⇒ manage certificates ⇒ import. To see what root certificates are installed Click tools ⇒ preferences ⇒ advanced ⇒ security ⇒ manage certificates.
	Firefox	Just click on the certificate reference to download and import it, or click File ⇒ Open. Alternatively, click Tools ⇒ Options ⇒ Advanced ⇒ Encryption ⇒ View Certificates ⇒ import .
	SeaMonkey	Just click on the certificate reference to download and import it, or click File ⇒ Open. Alternatively, click Edit ⇒ Preferences ⇒ Privacy & Security ⇒ Certificates ⇒ Manage Certificates ⇒ import .
	IE 7	Download each certificate, then click file ⇒ open. To see which root signing authority certificates are included click tools ⇒ Internet Options ⇒ Content ⇒ Trusted Root Certificate Authorities.
	IE 6	Download each certificate, then click file ⇒ open. To see which root signing authority certificates are included click tools ⇒ Internet Options ⇒ Content ⇒ Trusted Root Certificate Authorities.
	Safari	Click start ⇒ Control Panel ⇒ network ⇒ Internet Options ⇒ Content ⇒ Trusted Root Certificate Authorities ⇒ import .

Caveat

Be very careful to get the root certificate direct from the original certificate authority, or perhaps from Microsoft or your OS/browser vendor. It could have been tampered with if you pick it up anywhere else.

Sources of Root Certificates

Here is where you can get various root certificates. Some of the most common ones are not listed here, since they come built-in.

Installing Root Certificate
Source	Notes
Actalis	Site is mostly in Italian. roots Last revised/verified: 2009-08-09
AdTrust	Hosted on the InstantSSL website. AddTrust, InstantSSL and Comodo appear to be sister companies.
Aegis
Aloaha	For the Aloaha free timestamp server.
ASP	Association of Shareware Professionals, the PAD (Portable Application Description) people. They have a list of root certificates used for signing PAD files, including ASP (Association of Shareware Professionals) itself.
CalNet	University of Berkeley. Need CalNet id.
Cacert	Have certs in PEM (Privacy Enhanced Mail), DER (Distinguished Encoding Rules) and TXT form, interesting if you are curious about what is inside a cert. Also have GPG cert. Australian. Issue free certs.
Certum	Have many kinds of cert, including Java signing.
CanadaEmails	secure email
Cren	non-profit
Deutsche Bank
Digicert	There is a link so you test to see if you already have the certificates installed before bothering with downloading them.
Digicert Malysia
ECE	Engineering, University of BC, Vancouver, BC, Canada
Entrust
GeoTrust	include Equifax roots.
GlobalSign
GoDaddy	handle Valicert and other GoDaddy/StarField certs.
Harvard University	I searched and searched but could not find it. They ignored my email.
IdentTrust
InstantSSL	aka Comodo
Microsoft	For W98/Me/NT/W2K/XP/W2003/Vista/W7-32/W7-64 Microsoft root certificate updates are part of the Windows Update you trigger in the control panel ⇒ System and Security ⇒ Windows Update.
RapidSSL
Sprint	for cell phones
RSA	They must be somewhere on the website, but I can’t find them. If you find them, please tell me the URL (Uniform Resource Locator).
Starfield	For the Starfield free timestamp server, and SSL certificate roots.
SwissSign
Thawte	You can download a complete zipped collection of Thawte root certificates in three different wrapping styles.Java version 1.5 beta inadvertently left out the root Thawte code signing root certificate. You need to import it into all the cacerts. files on machines using your cert.
Trustcenter.de	You can download about 40 different root certificates.
TrustWave	Certificates as ASCII (American Standard Code for Information Interchange) text. Revocation lists in a form not acceptable to Opera.
University of Connecticutt
University of Darthmouth
University of Maryland
Usher	Handles issuing certifaces for various universities
Verisign	code-signing and SSL. You can also download a bundle of Verisign, Thawte and Geotrust certificates. Just unzip and open the *.cer files. You can also verify the certificate fingerprints.
Verison	for Windows Mobile cell phones
UWO	University of Western Ontario, London, Ontario, Canada
Virginia Tech
WebMoney

certificate vendors
digital certificate
Getting Your Root Cert into Opera
How to import certs programmatically under various OSes
Java Web Start
List of root certificates that Google Checkout supports
signed Applet
Thawte
Verisign
viewing/editing certificates in Vista

	You can get the freshest copy of this page from:	or possibly from your local J: drive (Java virtual drive/mindprod.com website mirror)
	http://mindprod.com/jgloss/rootcertificate.html	J:\mindprod\jgloss\rootcertificate.html
	Please email your feedback for publication, letters to the editor, errors, omissions, typos, formatting errors, ambiguities, unclear wording, broken/redirected link reports, suggestions to improve this page or comments to Roedy Green : If you want your message kept confidential, not considered for posting, please explicitly specify that.
	Canadian Mind Products
	mindprod.com IP:[65.110.21.43]
view Blog	Your face IP:[38.107.179.210]
Feedback	You are visitor number 11.