You need the latest and greatest root certificates from the various signing authorities installed in your cacerts file and in your browser. With them you can validate the public keys of certificates issued by that authority. The easiest way to do that is to use the latest Java JRE and also go to your browser vendor's site and get the latest version of your browser, which will naturally include the latest root certificates. Happily, most browsers come with extensive lists of root certificates built in, and every new version of the browser automatically updates the list. The Chinese refer to them as self-signed certificates. To an American programmer, a self-signed certificate refers to a phony code-signing certificate.
When a company such as Thawte or Verisign issues a digital certificate for SSL or code signing, they digitally sign it with their own master private key. To verify that the certificates they issue are valid, you need a copy of the issuing authority's public key (its root certificate) in your browser for SSL, or in your cacerts file for signed Applets or Java Web Start. The process of installing these public keys is called downloading root certificates or installing certificate authorities.
With modern JREs (Java Runtime Environments), it is most important to get the JRE updated with the recent root certs, and only secondarily the browser.
Here is how I import code signing and SSL root certificates into all my cacerts files.
Often all you need do to install a certificate is click the link, and the root certificate will automatically install into your browser.
Usually you download the certificate, then install it from disk, especially for Java. Some vendors do not provide downloadable certificates; they just display the base64 contents. You must collect those ASCII (American Standard Code for Information Interchange) characters, prune them, and put them in an 8-bit file.
How To Update Root Signing Authority Certificates (last revised/verified: 2008-01-23)

| Browser | What To Do |
|---|---|
| Java | You download the root certificate, then import it into both your JRE and JDK (Java Development Kit). In the import command, "C:\temp\Thawte Code Signing CA.cer" is the name of the root certificate you are importing. The default password for cacerts is changeit (changeme on the Mac). |
| Chrome | |
| Opera | Just click on the certificate reference to download and import it, or click File ⇒ Open. Alternatively, click Tools ⇒ Preferences ⇒ Advanced ⇒ Security ⇒ Manage Certificates ⇒ Import. To see what root certificates are installed, click Tools ⇒ Preferences ⇒ Advanced ⇒ Security ⇒ Manage Certificates. |
| Firefox | Just click on the certificate reference to download and import it, or click File ⇒ Open. Alternatively, click Tools ⇒ Options ⇒ Advanced ⇒ Encryption ⇒ View Certificates ⇒ Import. |
| SeaMonkey | Just click on the certificate reference to download and import it, or click File ⇒ Open. Alternatively, click Edit ⇒ Preferences ⇒ Privacy & Security ⇒ Certificates ⇒ Manage Certificates ⇒ Import. |
| IE 11 | |
| IE 7 | Download each certificate, then click File ⇒ Open. To see which root signing authority certificates are included, click Tools ⇒ Internet Options ⇒ Content ⇒ Trusted Root Certificate Authorities. |
| IE 6 | Download each certificate, then click File ⇒ Open. To see which root signing authority certificates are included, click Tools ⇒ Internet Options ⇒ Content ⇒ Trusted Root Certificate Authorities. |
| Safari | Click Start ⇒ Control Panel ⇒ Network ⇒ Internet Options ⇒ Content ⇒ Trusted Root Certificate Authorities ⇒ Import. |
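The Java row above imports a root into cacerts by hand. The program below is an added example (my code, not anything from mindprod.com or the JDK) that does the same import programmatically and adds the two checks a careful administrator wants first: it prints the SHA-256 fingerprint so it can be compared with the value the CA publishes, and it refuses to add a second copy of a certificate that is already in the store. It also accepts the three forms a CA site hands you, binary DER, a PEM file, or the bare base64 text pasted off a web page with stray characters pruned, which is the 8-bit-file step described earlier. The class name `ImportRoot`, the `.bak` backup file and the command-line arguments are my assumptions; `changeit` is the default password named on this page.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.security.*;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.*;
import java.util.regex.*;

/** Added example, not code from mindprod.com: import one root certificate into a
 *  Java cacerts file, skipping it if the identical certificate is already there.
 *  Usage: java ImportRoot <cert-file> <path-to-cacerts> <alias> [storepass]
 *  (paths and alias are whatever you pass; the store password defaults to changeit). */
public class ImportRoot {

    /** Accepts binary DER, a PEM file, or a file holding only the bare base64
     *  text copied off a vendor's web page (anything that is not base64 is pruned). */
    static X509Certificate loadCertificate(Path file)
            throws IOException, GeneralSecurityException {
        byte[] raw = Files.readAllBytes(file);
        byte[] der;
        if (raw.length > 0 && (raw[0] & 0xFF) == 0x30) {
            der = raw;   // DER: an X.509 certificate starts with the ASN.1 SEQUENCE tag 0x30
        } else {
            String text = new String(raw, StandardCharsets.US_ASCII);
            Matcher m = Pattern.compile("-----BEGIN[^-]*-----(.*?)-----END", Pattern.DOTALL)
                               .matcher(text);
            String body = m.find() ? m.group(1) : text;   // PEM body, or the whole pasted blob
            der = Base64.getDecoder().decode(body.replaceAll("[^A-Za-z0-9+/=]", ""));
        }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        return (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(der));
    }

    /** Colon-separated SHA-256 fingerprint, the form CAs publish for comparison. */
    static String fingerprint(X509Certificate cert) throws GeneralSecurityException {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) {
            if (sb.length() > 0) sb.append(':');
            sb.append(String.format("%02X", b));
        }
        return sb.toString();
    }

    /** Alias under which this exact certificate is already stored, or null. */
    static String findAlias(KeyStore ks, X509Certificate cert) throws KeyStoreException {
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements(); ) {
            String alias = e.nextElement();
            if (cert.equals(ks.getCertificate(alias))) {   // Certificate.equals compares DER encodings
                return alias;
            }
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 3) {
            System.err.println("usage: ImportRoot <cert-file> <cacerts> <alias> [storepass]");
            System.exit(2);
        }
        Path certFile = Paths.get(args[0]);
        Path storeFile = Paths.get(args[1]);
        String alias = args[2];
        char[] password = (args.length > 3 ? args[3] : "changeit").toCharArray();

        X509Certificate cert = loadCertificate(certFile);
        System.out.println("Subject:     " + cert.getSubjectX500Principal());
        System.out.println("Issuer:      " + cert.getIssuerX500Principal());
        System.out.println("Valid until: " + cert.getNotAfter());
        System.out.println("SHA-256:     " + fingerprint(cert));   // check against the CA's published value

        // The default type reads cacerts whether it is JKS (Java 8) or PKCS12 (Java 9 and later).
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(storeFile.toFile())) {
            ks.load(in, password);
        }
        String existing = findAlias(ks, cert);
        if (existing != null) {
            System.out.println("Already installed under alias '" + existing + "'; nothing to do.");
            return;
        }
        ks.setCertificateEntry(alias, cert);
        // The store is rewritten in place, so keep a backup copy beside it first.
        Files.copy(storeFile, storeFile.resolveSibling(storeFile.getFileName() + ".bak"),
                   StandardCopyOption.REPLACE_EXISTING);
        try (FileOutputStream out = new FileOutputStream(storeFile.toFile())) {
            ks.store(out, password);
        }
        System.out.println("Imported as alias '" + alias + "'.");
    }
}
```

Run it once per JRE and JDK, pointing at each installation's own cacerts (under lib/security, or jre/lib/security in a Java 8 JDK), e.g. `java ImportRoot "C:\temp\Thawte Code Signing CA.cer" "C:\Program Files\Java\jre\lib\security\cacerts" thawtecodesigning`. Writing the store needs write permission to the JRE directory, so on Windows run it from an elevated prompt.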
Modern certificates use 2048-bit keys, the TLS (Transport Layer Security) 1.2 protocol and SHA-256 or SHA-384. SHA-1 (Secure Hash Algorithm 1) is completely obsolete.
Don't use Firefox if you are trying to collect root certificates to import into Java: it refuses to download certs and automatically imports them into Firefox instead.
Everything depends on keeping the private key of the root certificate completely secret. You want to lock it in a vault. If somebody buys a certificate, you would need to take the root's private key out of the vault to sign it, and that would expose it. If you use an intermediate certificate, you can keep the root locked up and sign customer certificates with the intermediate's key instead. Why use multiple intermediate certificates? If one of the intermediates is compromised, only some of your customers are compromised, and you can recover with less embarrassment.
Here is where you can get various root certificates. Some of the most common ones are not listed here, since they come built in. To find out which roots you need to support a given SSL certificate, look at the certificate chain display that Chrome will give you. When I can't find the root cert, I have tried exporting it from the chain. However, when I try to use such a cert, I get a handshake alert: unrecognized_name.
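The two paragraphs above describe the root/intermediate split and reading a chain off the browser's display. Here is an added example, my own code rather than anything from mindprod.com, that takes the certificate files exported from such a display and sorts out what they are: it orders them leaf to root by checking that each one's signature really verifies under the next one's public key (a matching issuer name alone is not enough, because a cross-signed root shares a name with a different key), and reports which file, if any, is the self-signed root you would have to install. When the server did not send the root, which is the usual case, the program says so, which is exactly the situation where the root must come from the CA's own site. The class name `ChainCheck` and the command-line file names are my assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

/** Added example, not code from mindprod.com: order certificate files exported from a
 *  browser's chain display leaf-to-root, verifying each link, and name the self-signed
 *  root (if it is present at all). Usage: java ChainCheck leaf.cer inter.cer [root.cer] */
public class ChainCheck {

    static X509Certificate load(String file) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(file)) {
            return (X509Certificate) cf.generateCertificate(in);   // DER or PEM as exported
        }
    }

    /** A root certificate names itself as issuer and verifies under its own key. */
    static boolean isSelfSigned(X509Certificate cert) {
        if (!cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal())) {
            return false;
        }
        try {
            cert.verify(cert.getPublicKey());
            return true;
        } catch (GeneralSecurityException e) {
            return false;
        }
    }

    /** The pool member whose key actually verifies cert's signature, or null.
     *  Name match alone is rejected: cross-signed roots share a name but not a key. */
    static X509Certificate findIssuer(X509Certificate cert, List<X509Certificate> pool) {
        for (X509Certificate candidate : pool) {
            if (candidate == cert
                    || !candidate.getSubjectX500Principal().equals(cert.getIssuerX500Principal())) {
                continue;
            }
            try {
                cert.verify(candidate.getPublicKey());
                return candidate;
            } catch (GeneralSecurityException e) {
                // right name, wrong key: keep looking
            }
        }
        return null;
    }

    /** The leaf is a certificate that signs nothing else in the pool. */
    static X509Certificate findLeaf(List<X509Certificate> pool) {
        for (X509Certificate c : pool) {
            boolean signsAnother = false;
            for (X509Certificate other : pool) {
                if (other != c && findIssuer(other, pool) == c) {
                    signsAnother = true;
                    break;
                }
            }
            if (!signsAnother) {
                return c;
            }
        }
        return null;
    }

    /** Walk issuer links upward from the leaf; stops at a self-signed root or at a gap. */
    static List<X509Certificate> order(List<X509Certificate> pool) {
        List<X509Certificate> chain = new ArrayList<>();
        X509Certificate current = findLeaf(pool);
        while (current != null && !chain.contains(current)) {
            chain.add(current);
            current = isSelfSigned(current) ? null : findIssuer(current, pool);
        }
        return chain;
    }

    public static void main(String[] args) throws Exception {
        List<X509Certificate> pool = new ArrayList<>();
        for (String file : args) {
            pool.add(load(file));
        }
        List<X509Certificate> chain = order(pool);
        for (int i = 0; i < chain.size(); i++) {
            X509Certificate c = chain.get(i);
            String role = isSelfSigned(c) ? "root (self-signed)" : i == 0 ? "leaf" : "intermediate";
            System.out.printf("%d. %-20s %s%n", i + 1, role, c.getSubjectX500Principal());
        }
        boolean endsInRoot = !chain.isEmpty() && isSelfSigned(chain.get(chain.size() - 1));
        if (!endsInRoot) {
            System.out.println("No self-signed root among these files: servers usually omit it, "
                + "so fetch it from the CA's own site (or it is already in the built-in store).");
        }
        if (chain.size() < pool.size()) {
            System.out.println((pool.size() - chain.size()) + " file(s) did not link into the chain.");
        }
    }
}
```

The last line of the chain output is the name to look for in the source table below. A root that comes back as "intermediate" here is the cross-signed case from the GoDaddy and Gandi rows: the name you see in the browser belongs to a second certificate, signed by an older root, and it is that older root your cacerts needs.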
Installing Root Certificates

| Source | Notes |
|---|---|
A-Trust | In German. |
AAAServices | Associated with Comodo. |
AC Raiz | Aka Certicamára. In Spanish. |
ACEdicom aka Edicom, aka CAEDICOM. | In Spanish. |
ACNLB | In Slovenian. |
Actalis | Site is mostly in Italian. Roots last revised/verified: 2009-08-09 |
AddTrust | Hosted on the InstantSSL website. AddTrust, InstantSSL and Comodo appear to be sister companies. AddTrustClass1CARoot AddTrustExternalCARoot |
Aegis | |
AlphaSSL | |
Amazon Trust | Use StarField root. This is Amazon the online bookseller. |
ANCERT | In Spanish. |
ASP | Association of Shareware Professionals, the PAD (Portable Application Description) people. They have a list of root certificates used for signing PAD files, including ASP itself. |
Bit Admin | In German. |
BuyPass | |
Cacert | Have certs in PEM (Privacy Enhanced Mail), DER (Distinguished Encoding Rules) and TXT form, interesting if you are curious about what is inside a cert. Also have GPG cert. Australian. Issue free certs. |
CalNet | Need CalNet id. |
Camerafirma | Spanish. |
CanadaEmails | secure email |
CertEurope | |
Certigna | Aka Dhimyotis |
Certinomis | |
CertPlus | |
Certipost | Belgian government |
Certsign | |
Certum | Have many kinds of cert, including Java signing. |
CFCA | China Financial Certification Authority |
Chambers of Commerce | Aka Chambersign. From Camerafirma |
CheapSSLs | sell Comodo, Geotrust, Verisign at a discount. |
Chunghwa | Chinese Telecom |
China Internet | Aka CNNIC. Google and Mozilla are having a fight with these people, and have pulled root certificates. With China, technical and political disputes blur. |
Cisco | |
Cloud Flare | |
Comodo | Comodo roots. Uses Addtrust External CA Root and COMODO High-Assurance Secure Server CA Root. ComodoCertificationAuthority SecureCertificateServices TrustedCertificateServices. Aka UserTrust. Provide certs to GoDaddy and KSoftware. |
Comsign | |
Correo Uruguayo | Uruguayan post office. |
Cren | non-profit |
Cybertrust | bought out by DigiTrust |
Dartmouth University | background |
Deutsche Bank | |
Deutsche Telecom | Aka Deutsche Telesec |
Digicert | There is a link so you test to see if you already have the certificates installed before bothering with downloading them. Logitech use them. |
Digicert Malaysia | |
Digidentity | Dutch. Amusingly, you need their root cert installed before you can get their root certs. |
Disig | Slovakia |
DOD (Department Of Defence) | Use IE to download the cert collections then import them by double clicking each one. Opera complains the chains don’t work. |
DST | See IdenTrust |
D-TRUST | German |
E-ME | This is the post office in Latvia. The roots must be in there somewhere, but you would need to speak Latvian to find them. Google translate does not touch text embedded in images. |
ECE | Engineering, University of BC, Vancouver, BC, Canada |
Echoworx | |
Entidade Certificadora Comum do Estado | Aka ECCE. Aka CEGER. Government of Portugal. |
Entrust | Can download the set at once. |
eSignTrust | Aka Post office of Macao |
e-Szignó | Aka Microsec. Hungary. |
E-tugra | Aka EBG Elektronik. Microsoft pulled these certs. |
Fabrica Nacional | Aka FNMT. Aka Fábrica Nacional de Moneda y Timbre (Royal Mint) |
Federal Common Policy | Aka FPKI. US government |
Gandi | Note Gandi, not Gandhi. Also cross-signed roots for browsers without the Gandi root. Download the intermediate (root) certs. |
GeoTrust | include Equifax roots. Additional GeoTrust certs |
GlobalSign | intermediate roots GlobalSign organisational intermediate roots Globalsign CloudSSL roots Globalsign AlphaSSL |
GlobalTrust | In German |
GoDaddy | handle Valicert and other GoDaddy/StarField certs. The cross certificate lets you handle both SHA-1 and SHA-2. |
cross-signed by GeoTrust Global CA | |
Government Of India | |
GPKI Taiwan | Taiwan government |
Harvard University | I searched and searched but could not find it. They ignored my email. |
Halcom | Serbia. |
Harica | Aka Hellenic Academy. |
Hong Kong Post | |
I.CA | Czech Republic |
IGC/A | Aka government of France |
IdenTrust | Aka DST. Also TrustID root |
InCommon | Handles issuing certificates for various universities |
InstantSSL | Aka Comodo |
Izenpe | In Spain. |
Keynectis | See Idnomic |
KISA | Korea Information Security Agency. In Korean. |
LawTrust | Zambia |
LuxTrust | |
Let’s Encrypt | Aka Internet Security Research Group (ISRG). Free. You also need some IdenTrust roots. Why Let’s Encrypt certs are valid for only 90 days |
Microsoft | For W7-32, W7-64, W8-32, W8-64, W2012, W10-32 and W10-64, Microsoft root certificate updates are part of the Windows Update you trigger in Control Panel ⇒ System and Security ⇒ Windows Update. You can download the roots manually in earlier OSes (Operating Systems) from Comodo. |
M.I.T. | Students also get personal certificates. |
NetLock | Hungary. |
Netrust | |
Network Solutions | |
OATI webcares | Issue free SSL certs |
Opera | These are not root certificates that Opera issues, but rather root certificates Opera has collected from certificate authorities that are not included in the distribution, but which they recommend for inclusion if needed. Use the 03 folder. The 02 is an older format. You could add them to any browser. |
PositiveSSL | Yet another Comodo brand of economy SSL certs. There are three roots to install linked from this page of instructions on installing purchased certificates. Look for the phrase the support section of the website here. |
PostSignum | In Czech Republic |
POŠTARCA | In Slovenia. |
Quo Vadis | |
RapidSSL | They need some Geotrust roots. |
RSA | |
SAPO | Aka Trust Centre. Run by the South Africa post office. |
SecureServer | SSL Starfield certificate roots. |
Sertifikati Telo Pošte | In Serbia. |
Sigen-ca | In Slovenia. |
Signet-ca | In Slovenia. |
Sigov-ca | Slovenian government. |
SITHS | Aka Inera. In Sweden. |
SK | |
Sonera | Aka Teliasonera |
Stanford University | |
Starfield | For the Starfield free timestamp server and SSL certificate roots. |
StartSSL | For StartSSL and StartCom SSL certificates. SSL certs are free for non-commercial use. Used by Handbrake. Israeli company. Certs not included in Java. |
Swiss Government | Aka BIT. In German. |
Swisscom | |
SwissSign | |
Symantec Verisign | Verisign bought out Thawte, then Symantec bought out Verisign. Yuch! This is never good for consumers. Code-signing and SSL. You can also download a bundle of Verisign, Thawte and Geotrust certificates. Just unzip and open the *.cer files. You can also verify the certificate fingerprints. |
Thawte | Download the certs, then rename them to chop off the *.txt extension. |
Szafir | Aka Elektronicznypodpis. In Poland. |
Telesec | In Germany. |
Thawte | Even though Verisign bought Thawte and Symantec bought Verisign, Thawte is still doing business under its own name. They do both SSL and code-signing certificates. |
TMCA | Aka Telekom Malaysia Certification Authority. Aka Telekom Applied Business. |
Trustcenter.de | You can download about 40 different root certificates. |
TrustWave | Aka Secure Global. Certificates as ASCII text. Revocation lists in a form not acceptable to Opera. |
Tubitak | Aka Kamu Sertifikasyon Merkezi. Aka Kamusm. In Turkey. |
Turk Trust | Aka Tarktrust. Aka Elektronik Sertifika Hizmet Saglayicisi. Aka E-Guven Kok Elektronik. Page in Turkish, will need Chrome. |
TWCA | Aka Taiwan Certificate Authority. In Taiwan. |
UCLA computer science | |
University of BC Computer Science | |
University of BC Engineering | |
University of Connecticut | |
University of Maryland | |
Microsoft | for Windows Mobile cellphones |
University of Washington | |
US Military | Primarily for military personnel with CAC (Common Access Card) cards. |
UWO | University of Western Ontario, London, Ontario, Canada |
UTN | UTN-DATACorpSGC UTN-USERFirst-ClientAuthenticationandEmail UTN-USERFirst-Hardware UTN-USERFirst-Object Associated with Comodo. Aka UserTrust. |
Virginia Tech | |
Visa | |
VRK | Aka Eevertti. In Finnish. |
WebMoney | |
WISeKey | Aka OISTE |
Wosign |
I composed the above table by first printing a list of certificates supported by Google Chrome. Then I used Google Chrome and Google to search for name-of-cert root certificates. Google Translate let me read pages from foreign countries. Sometimes I would read the debates about adding (or removing) a certificate to Windows or a browser; sometimes the URL (Uniform Resource Locator) of the website was in there. I never included copies of certificates in repositories. I have no way of knowing if they are valid. Repositories should always reference the original URL, not just serve a local copy, unless the original no longer exists. I am not trying to track individual certificates, just the web pages where you can download the originals.
You might wonder what determines which root certificates get factory-installed into which browsers. If you are a certificate-issuing company, you will have a heck of a time selling your certificates if visitors to a site using your certificates must first manually install a root certificate. They may not be technically competent. They may be unwilling to take the security risk.
Browser makers want to include as few certificates as possible, because each one chews up RAM (Random Access Memory). They don't want to include root certificates from fly-by-night or careless certificate issuers. That leaves their users vulnerable.
Certificate issuers want large numbers of their root certificates pre-installed. If any one of them is compromised, that limits the damage.
Large certificate issuers want the small competition squashed by being frozen out of the game.
Small certificate issuers want everyone included so they can compete on a level playing field.
End users just want to be able to read the websites, so they would be happiest if nearly all root certificates were pre-installed.
The situation is ripe for corruption. Certificate issuers have the temptation to offer bribes to get their roots in and their competitors' excluded.
We as end users should be pressuring browser makers to include worthy roots and exclude unworthy ones. We as end users can always switch to a different browser with a different set of built-in roots.
It is a huge amount of work to track down the root certificates associated with a certificate. I think the following should be embedded in every certificate:
This page is posted at http://mindprod.com/jgloss/rootcertificate.html by Canadian Mind Products. Please feel free to link to this page without explicit permission.