Mac OS X

OS X offers the installation of certificates via a gui interface or via the commandline. We will discuss both methods. We assume you have stored the root certificate on your file system.

Keychain GUI

Double click on the certificate file. The key manager programm will start and it will show you the certificate. Check the validity of the certificate.

Install root CA pem file on OS X

Validate root CA PEM on OS X

In case you trust the certificate you can add it to your operating system. Add it on system level, OS X will ask for your administrator password. When you have added the certificate to your trust chain, OS X will trust the root CA’s signed certificates.

Add root CA PEM to OS X

Enter your administator password.

Enter your administrator password

Add the root authority pem as trusted root certificate to your system.

Trust added root authority PEM

Enable system-wide trust of your root certificate

Trust rules enabled

Re-open the root PEM certificate in the key manager. You will notice it is now trusted by OS X.

Verify root CA has been trusted

sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain <new-root-certificate>

sudo security delete-certificate -c "<name of existing certificate>"

iPhone, iPad (IOS)

Installing a certificate on an IOS device, such as the iPhone or iPad, is a couple of a few clicks. To get the certificate on the IOS device, you can either mail the certificate file or provide it via a webserver. After you have downloaded the certificate to the IOS device, click on it. It opens the following screen.

IOS open certificate

After you have validated that the certificate is indeed the one you want to trust, press the install button.

IOS trust new certificate

IOS will show you a warning if you are really sure. The reason of the warning is obvious, if you trust a certificate, it will be possible to perform man-in-the-middle attacks using that certificate. So, you want to be really sure it is your root certificate. Click on the install and you will see the final screen that the certificate has been trusted.

IOS certificate installed

Windows

Make sure you have the Administrator role or group membership.

You need to perform the following steps to add certificates to the Trusted Root Certification Authorities store for a local computer:

1. Click Start, click Start Search, type mmc, and then press ENTER.
2. On the File menu, click Add/Remove Snap-in.
3. Under Available snap-ins, click Certificates, and then click Add.
4. Under This snap-in will always manage certificates for, click Computer account, and then click Next.
5. Click Local computer, and click Finish.
6. If you have no more snap-ins to add to the console, click OK.
7. In the console tree, double-click Certificates.
8. Right-click the Trusted Root Certification Authorities store.
9. Click Import to import the certificates and follow the steps in the Certificate Import Wizard.

After these steps, validate that your root certificate has been added by visiting a site using a signed certificate or your root CA.

Chrome

Depending on the operating system, Chrome is using the system wide certificates or the certificates of its own scope. In case it uses its own certificates you can add a root certificate to chrome by executing the following steps.

Open the browser and go to the settings page.

Chrome open settings page

Go to the advanced settings page, and click on the certificates view.

Chrome click on advanced settings and go to certificates

Within the certificates, you need to add the certificate as an authority. Go to the right tab and click the import button.

Chrome click on authorities and press import button

Select the root certificate as generated by BounCA.

Chrome select the root certificate file

Add the certificate and select the trust levels of it.

Chrome add the certificate and select trust rules

After clicking OK, you will notice the root authority has been added to the authorities list. This means that all certificates signed by this root CA or its intermediate authorities are trusted by Chrome.

Chrome certificate is added to authorities list

You may inspect the certificate by pressing the view button, and check if this is the trusted certificate. In case you don’t trust the certificate you can also delete it again.

Chrome inspect the certificate by clicking on the view button

The installation is sucessfull. When you visit a website using server certificates signed by the private root authority, you will see it has a green lock and the connection is trusted.

Chrome visit self-signed website and verify it is trusted

Firefox

Firefox manages its own trusted certificate list, so you always need to add the root authority certificate to the browser even if you have installed it system wide. To add the certificate to Firefox execute the following steps.

Open Firefox and go to the settings page.

Firefox open settings page

Go to the advanced settings page, and click on the certificates view.

Firefox click on advanced settings and go to certificates view

Within the certificates, you need to add the certificate as an authority. Go to the right tab and click the import button.

Firefox import the root certificate

Select the root certificate as generated by BounCA.

Firefox select the root certificate file

Add the certificate and select the trust levels of it.

Firefox select trust rules

After clicking OK, you will notice the root authority has been added to the authorities list. This means that all certificates signed by this root CA or its intermediate authorities are trusted by Chrome.

Firefox certificate is added to authorities list

You may inspect the certificate by pressing the view button, and check if this is the trusted certificate. In case you don’t trust the certificate you can also delete it again.

Firefox inspect the certificate by clicking on the view button

The installation is sucessfull. When you visit a website using server certificates signed by the private root authority, you will see it has a green lock and the connection is trusted.

Firefox visit self-signed website and verify it is trusted

Linux Ubuntu/Debian

Ubuntu/Debian allows you to install extra root certificates via the /usr/local/share/ca-certificates directory. To install your own root authority certificate copy your root certificate to /usr/local/share/ca-certificates. Make sure the file has the .crt extension. so rename it when necessary.

After you copied your certificate to the /usr/local/share/ca-certificates folder you need to refresh the installed certificates and hashes. Within ubuntu/debian you can perform this action via one command:

sudo update-ca-certificates

You will notice that the command reports it has installed one (or more) new certificate. The certificate has been added to the Operating System and signed certificates will be trusted.

To remove the certificate, just remove it from /usr/local/share/ca-certificates and run

sudo update-ca-certificates --fresh

Linux Red Hat / CentOS

The installation of a root certificate on Red Hat or CentOS depends on the release. We discuss release 6 and 5 in this section Red Hat and CentOS

yum install ca-certificates

update-ca-trust force-enable

cp rootca.crt /etc/pki/ca-trust/source/anchors/

update-ca-trust extract

cat rootca.crt >> /etc/pki/tls/certs/ca-bundle.crt

FreeBSD

FreeBSD doesn’t offer a centralized root certificate manager. If you want to add a root authority you can add it directly to the certificates managed by OpenSSL. This depends on your configuration and is for now out of the scope of this guide.