root certificate : Java Glossary


root certificate
Introduction Why Are There Intermediate Certificates?
Why You need to Install Root Certificates Root Certificate Sources
Importing Code-Signing and SSL Certificates Built-in Certificates
How to Import Root certificates Into Various Browsers Viewing Which Certificates Are Installed
Caveat Links


You need the latest and greatest root certificates from the various signing authorities installed in your cacerts. file and in your browser. With them you can validate the public keys of certificates issued by that authority. The easiest way to do that is to use the latest Java JRE and also go to your browser vendor site and get the latest version of your browser, which will naturally include the latest root certificates. Happily most browsers come with extensive lists of root certificates built-in. Every new version of the browser automatically updates the list. The Chinese refer to them as self-signed certificates. To an American programmer, a self-signed certificate refers to a phony code-signing certificate.

Why You need to Install Root Certificates

If you don’t have the corresponding signing authority root certificate in your browser, your browser will treat SSL (Secure Sockets Layer) https websites and Applets signed with expensive certificates with the same disdain it treats self-signed phony ones.

When a company such as Thawte or Verisign issues a digital certificate for SSL or code signing, they digitally sign it with their own master private key certificate. To verify that the certificates that they issue are valid, you need a copy of the issuing authority’s public key in your browser for SSL (or in your cacerts. file for signed Applets or Java Web Start). The process of installing these public keys is called downloading root certificates or installing certificate authorities.

Importing Code-Signing and SSL Root Certificates

To install code signing authorities, download the certificate and read up on how to use keytool.exe to import it into you cacerts. file. For Java’s use, you must import the root certificates into all your cacerts. files with keytool. You can always export certificates from one browser and import into another rather that trying to update directly.

With modern JRE (Java Runtime Environment) s, it is most important to get the JREs (Java Runtime Environments) updated with the recent root certs, then secondarily the browser.

Here is how I import code signing and SSL root certificates into all my cacerts files.

How to Import Root certificates Into Various Browsers

Often all you need do install a certificate is click the link and the root certificate will automatically install into your browser.

Usually you download the certificate then install it from disk, especially Java. Some vendors do not provide downloadable certificates. They just display the base64 contents. You must collect those ASCII (American Standard Code for Information Interchange) characters, prune them, and put them in an 8-bit file.

How To Update Root Signing Authority Certificates
Last revised/verified: 2008-01-23
Logo Browser What To Do
Get Java Java You download the root certificate then import it into both your JRE and JDK (Java Development Kit) with: Where "C:\temp\Thawte Code Signing CA.cer" is the name of the root certificate you are importing. The default password for cacerts. is changeit (changeme on the Mac).
Chrome logo Chrome
  1. Download the root certificate to hard disk.
  2. Click on the options icon Chrome options icon in the upper right corner.
  3. Click Settings.
  4. Click Show Advanced Settings at the bottom.
  5. Under HTTPS/SSL click Manage Certificates.
  6. Click import.
  7. Follow your nose.
Opera logo Opera

Just click on the certificate reference to download and import it, or click File ⇒ Open.

Alternatively, Click tools ⇒ preferences ⇒ advanced ⇒ security ⇒ manage certificates ⇒ import. To see what root certificates are installed Click tools ⇒ preferences ⇒ advanced ⇒ security ⇒ manage certificates.

Firefox logo Firefox

Just click on the certificate reference to download and import it, or click File ⇒ Open.

Alternatively, click Tools ⇒ Options ⇒ Advanced ⇒ Encryption ⇒ View Certificates ⇒ import .

SeaMonkey logo SeaMonkey

Just click on the certificate reference to download and import it, or click File ⇒ Open.

Alternatively, click Edit ⇒ Preferences ⇒ Privacy & Security ⇒ Certificates ⇒ Manage Certificates ⇒ import .

Internet Explorer 11 IE 11
  1. Download the root certificate to hard disk.
  2. Click on the options gear icon IE options icon in the upper right corner.
  3. Click Internet Options.
  4. Click Content.
  5. Certificates.
  6. Click import.
  7. Follow your nose.
Internet Explorer 7 IE 7

Download each certificate, then click file ⇒ open.

To see which root signing authority certificates are included click tools ⇒ Internet Options ⇒ Content ⇒ Trusted Root Certificate Authorities.

Internet Explorer 6 IE 6

Download each certificate, then click file ⇒ open.

To see which root signing authority certificates are included click tools ⇒ Internet Options ⇒ Content ⇒ Trusted Root Certificate Authorities.

Safari logo Safari

Click start ⇒ Control Panel ⇒ network ⇒ Internet Options ⇒ Content ⇒ Trusted Root Certificate Authorities ⇒ import .


Be very careful to get the root certificate direct from the original certificate authority, or perhaps from Microsoft or your OS/browser vendor. It could have been tampered with if you pick it up anywhere else.
Use Chrome, not Firefox to collect root certificates. Firefox automatically installs them in Firefox without giving you the option of saving them on disk to install in Java.

Modern certificates are 2048 bits. They use TLS (Transport Layer Security) 1.2 protocol. They use SHA-256 or SHA-386. SHA-1 (Secure Hash Algorithm 1) is completely obsolete.

Don’t use Firefox if you are trying to collect root certificates to import into Java. It refuses to download certs. It automatically imports them into Firefox.

Why Are There Intermediate Certificates?

Everything depends on keeping the private key of the root certificate completely secret. You want to lock it in a vault. If somebody buys a certificate, you would need to take the root certificate out of the vault to sign it. That would expose it. If you use an intermediate certificate, you can keep the root locked up. Why use multiple intermediate certificates? If one of the intermediates is compromised, only some of your customers are compromised. You can recover with less embarrassment.

Root Certificate Sources

Here is where you can get various root certificates. Some of the most common ones are not listed here, since they come built-in. To find out which roots you need to support a given SSL certificate, look at the certificate chain display that Chrome will give you. When I can’t find the root cert, have tried exporting it from the chain. However, when I try to use such a cert, I get a handshake alert: unrecognized_name

Installing Root Certificate
Source Notes
A-Trust In German.
AAAServices Associated with Comodo.
AC Raiz Aka Certicamára. In Spanish.
ACEdicom aka Edicom, aka CAEDICOM. In Spanish.
ACNLB In Slovenian.
Actalis Site is mostly in Italian. roots Last revised/verified: 2009-08-09
AddTrust Hosted on the InstantSSL website. AddTrust, InstantSSL and Comodo appear to be sister companies. AddTrustClass1CARoot AddTrustExternalCARoot
Amazon Trust Use StarField root. This is Amazon the online bookseller.
ANCERT In Spanish.
ASP Association of Shareware Professionals, the PAD (Portable Application Description) people. They have a list of root certificates used for signing PAD files, including ASP (Association of Shareware Professionals) itself.
Bit Admin In German.
Cacert Have certs in PEM (Privacy Enhanced Mail), DER (Distinguished Encoding Rules) and TXT form, interesting if you are curious about what is inside a cert. Also have GPG cert. Australian. Issue free certs.
CalNet Need CalNet id.
Camerafirma Spanish.
CanadaEmails secure email
Certigna Aka Dhimyotis
Certipost Belgian government
Certum Have many kinds of cert, including Java signing.
CFCA China Financial Certification Authority
Chambers of Commerce Aka Chambersign. From Camerafirma
CheapSSLs sell Comodo, Geotrust, Verisign at a discount.
Chunghwa Chinese Telecom
China Internet Aka CNNIC. Google and Mozilla are having a fight with these people, and have pulled root certificates. With China, technical and political disputes blur.
Cloud Flare
Comodo Comodo roots. Uses Addtrust External CA Root and COMODO High-Assurance Secure Server CA Root. ComodoCertificationAuthority SecureCertificateServices TrustedCertificateServices. Aka UserTrust. Provide certs to GoDaddy and KSoftware.
Correo Uruguayo Uruguayan post office.
Cren non-profit
Cybertrust bought out by DigiTrust
Dartmouth University background
Deutsche Bank
Deutsche Telecom Aka Deutsche Telesec
Digicert There is a link so you test to see if you already have the certificates installed before bothering with downloading them. Logitech use them.
Digicert Malaysia
Digidentity Dutch. Amusingly, you need their root cert installed before you can get their root certs.
Disig Slovakia
DOD (Department Of Defence) Use IE to download the cert collections then import them by double clicking each one. Opera complains the chains don’t work.
DST See IdenTrust
D-TRUST German
E-ME This is the post office in Latvia. The roots must be in there somewhere, but you would need to speak Latvian to find them. Google translate does not touch text embedded in images.
ECE Engineering, University of BC, Vancouver, BC, Canada
Entilidad Certificadora Comun do Estado Aka ecce. Aka ceger. Government of Portugual.
Entrust Can download the set at once.
eSignTrust Aka Post office of Macao
e-sizgno Aka Microsec. Hungary.
E-tugra Aka EBG Elektronik. Microsoft pulled these certs.
Fabrica Nacional Aka FNMT. Aka Fábrica Nacional de Moneda y Timbre (Royal Mint)
Federal Common Policy Aka FPKI. US government
Gandi Note gandi not gandhi. Also cross signed roots for browsers without the Gandi root. Download the intermediate (root) certs).
GeoTrust include Equifax roots. Additional GeoTrust certs
GlobalSign intermediate roots GlobalSign organisational intermediate roots Globalsign CloudSSL roots Globalsign AlphaSSL
GlobalTrust In German
GoDaddy handle Valicert and other GoDaddy/StarField certs. The cross certificate lets you handle both SHA-1 and SHA-2.
Google cross-signed by GeoTrust Global CA
Government Of India
GPKI Taiwan Taiwan government
Harvard University I searched and searched but could not find it. They ignored my email.
Halcom Serbia.
Harica Aka Hellenic Academy.
Hong Kong Post
I.CA Czech Republic
IGC/A Aka government of France
IdenTrust Aka DST. Also TrustID root
InCommon Handles issuing certificates for various universities
InstantSSL Aka Comodo
Izenpe In Spain.
Keynectis See Idnomic
KISA Korea Information Security Agency. In Korean.
LawTrust Zambia
Let’s Encrypt Aka Internet Security Research Group (ISRG). Free. You also need some IdenTrust roots. Why Let’s Encrypt certs are valid for only 90 days
Microsoft For W7-32, W7-64, W8-32, W8-64, W2012, W10-32 and W10-64 Microsoft root certificate updates are part of the Windows Update you trigger in the control panelSystem and SecurityWindows Update. You can download the roots manually in earlier OS (Operating System)es from Comodo.
M.I.T. Students also get personal certificates.
NetLock Hungary.
Network Solutions
OATI webcares Issue free SSL certs
Opera These are not root certificates that Opera issues, but rather root certificates Opera has collected from certificate authorities that are not included in the distribution, but which they recommend for inclusion if needed. Use the 03 folder. The 02 is an older format. You could add them to any browser.
PositiveSSL Yet another Comodo brand of economy SSL certs. There are three roots to install linked from this page of instructions on installing purchased certificates. Look for the phrase the support section of the website here.
PostSignum In Czech Republic
POŠTARCA In Slovenia.
Quo Vadis
RapidSSL They need some Geotrust roots.
SAPO Aka Trust Centre. Run by the South Africa post office.
SecureServer SSL Starfield certificate roots.
Sertifikati Telo Pošte In Serbia.
Sigen-ca In Slovenia.
Signet-ca In Slovenia.
Sigov-ca Slovenian government.
SITHS Aka Inera. In Sweden.
Sonera Aka Teliasonera
Stanford University
Starfield For the Starfield free timestamp server and SSL certificate roots.
StartSSL For StartSSL and StartCom SSL cerificates. SSL certs are free for non-commercial use. Used by Handbrake. Israeli company. Certs not included in Java.
Swiss Government Aka BIT (Binary digit). In German
Symantec Verisign Verisign bought out Thawte, then Symantec bought out Verisign. Yuch! This is never good for consumers. Code-signing and SSL. You can also download a bundle of Verisign, Thawte and Geotrust certificates. Just unzip and open the *.cer files. You can also verify the certificate fingerprints.
Thawte Download the certs, the rename to chop of the *.txt extension.
Szfir Aka Elektronicznypodpis. In Poland.
Telesec In Germany.
Thawte Even though Verisign bought Thawte and Symantec bought Verisign, Thawte is still doing business under its own name. They do both SSL and code-signing certificates.
TMCA Aka Telekom Malaysia Certification Authority. Aka Telekom Applied Business. You can download about 40 different root certificates.
TrustWave Aka Secure Global. Certificates as ASCII text. Revocation lists in a form not acceptable to Opera.
Tubitak Aka Kamu Sertifikasion Merkazi. Aka Kamusm. In Turkey.
Turk Trust Aka Tarktrust. Aka Elektronik Sertifika Hizmet Saglayicisi. Aka E-Guven Kok Elektronik. Page in Turkish, will need Chrome.
TWCA Aka Taiwan Certificate Authority. In Taiwan.
UCLA computer science
University of BC Computer Science
University of BC Engineering
University of Connecticut
University of Maryland
Microsoft for Windows Mobile cellphones
University of Washington
US Military Primarily for military personnel with CAC (Common Access Card) cards.
UWO University of Western Ontario, London, Ontario, Canada
UTN UTN-DATACorpSGC UTN-USERFirst-ClientAuthenticationandEmail UTN-USERFirst-Hardware UTN-USERFirst-Object Associated with Comodo. Aka UserTrust.
Virginia Tech
VRK Aka Eevertti. In Finnish.

I composed the above table by first printing a list of certificates supported by Google Chrome. Then I used Google Chrome and Google to search for name-of-cert root certificates. Google Translate let me read pages from foreign countries. Sometimes I would read the debates about adding (or removing) a certificate to Windows or a browser. In there sometimes was the URL (Uniform Resource Locator) of the website. I never included copies of certificates in repositories. I have no way of knowing if they are valid. Repositories should always reference the original URL, not just serve a local copy unless the original no longer exists. I am not trying to track individual certificates, just the web pages where you can download the originals.

Built-in Certificates

You might wonder what determines which root certificates get factory-installed into which browsers. If you are a certificate-issuing company, you will have a heck of a time selling your certificates if the visitors to your site must first manually install a root certificate. They may not be technically competent. They may be unwilling to take the security risk.

Browser makers want to include as few certificates as possible because each one chews up RAM (Random Access Memory). They don’t want to include root certificates from fly-by-night or careless certificate issuers. That leaves their users vulnerable.

Certificate issuers want there to be large numbers of their root certificates pre-installed. If anyone is compromised, that limits the damage.

Large certificate issuers want the small competition squashed by being frozen out of the game.

Small certificate issuers want everyone included so they can compete on a level playing field.

End users just want to be able to read the websites, so they would be happiest if nearly all root certificates were pre-installed.

The situation is ripe for corruption. Certificate issuers have the temptation to offer bribes to get their roots in and their competitors excluded.

We as end users should be pressuring browser-makers to include/exclude worthy/unworthy roots. We as end users can always use a different browser with a different set of built-in roots.

RFE (Request For Enhancement)

It a huge amount of work to track down the root certificates associated with a certificate. I think the following should be embedded in every certificate:

Viewing Which Certificates Are Installed

This page is posted
on the web at:

Optional Replicator mirror
on local hard disk J:

Canadian Mind Products
Please the feedback from other visitors, or your own feedback about the site.
Contact Roedy. Please feel free to link to this page without explicit permission.

Your face IP:[]
You are visitor number