Install CA Certificates

From Exterior Memory

If you visit an HTTPS website, you will get a warning unless the web server's certificate is signed by a trusted certificate authority.

Well known Certificate Authorities

There are many certificate authorities, and you must decide for yourself if you want to trust them or not.

By default, the Firefox web browser contains most well-known certificate authorities.

The following is a list of some CAs that I

Commercial CA

  • Symantec (including: Verisign, Thawte)
  • Comodo
  • GlobalSign
  • Entrust
  • Startcom

GoDaddy is another big one, but I would not do business with them: they have too many controversies on their hands, even though they were on the 'good side' in their opposition to Verisign's idiotic Site Finder.

Educational and Academic CA

Official CA

Open Source CA

Let's Encrypt is currently (June 2015) not active.

CAcert is the only free-of-charge certificate authority, but it has not yet passed an audit and is therefore not yet included in most browsers or operating systems.

A good alternative is StartSSL by Startcom, which only charges for validations, not for the actual certificates. In particular, they do not charge for automatic certification of domains and class 1 certificates for those domains.

Self-Signed Certificates

Since most CAs charge money for certificates, it is common practice to create self-signed certificates, thus creating a certificate authority on the fly.

Download Certificates

There is no common procedure to reliably download certificates.

  • You can trust the certificates that came with your operating system;
  • You can visit the website of a certificate authority and download its root certificate;
  • You can visit a representative of a certificate authority in person;
  • You can visit an HTTPS website and use openssl to download the embedded certificate.

Note that all these methods are vulnerable to man-in-the-middle attacks. What if you Google for "Verisign" and download the first certificate you find? How do you know that you really downloaded Verisign's certificate, and not one from an adversary's website?

Download Embedded Certificates

In order to download a certificate using openssl, do as follows:

echo "" | openssl s_client -showcerts -connect

Select the block you want to store, e.g.:


You can then read this file:

openssl x509 -noout -text -in storedcertificate.pem

Be sure to store the correct certificate. If you directly pipe your result, you get the client certificate:

% echo "" | openssl s_client -connect | openssl x509 -noout -subject -issuer
subject= /C=US/ST=California/L=Mountain View/O=Google Inc/
issuer= /C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA

Typically, you will want to store the last certificate where the subject and issuer are equal (the root certificate). The openssl -showcerts option displays all certificates in the chain. Be aware that most servers do not return the root certificate in the certificate chain, so you often need to find another method to download the root certificate.
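As an added example (not part of the original page), the following shell functions automate the steps above: they split the chain from openssl s_client -showcerts into one file per certificate, look for the self-signed (root) block, report when the server did not send one, and print the SHA-256 fingerprint so you can compare it with the value the CA publishes before trusting the file. The host, port, file names and the throwaway CA generated by make_sample_chain are constructed for illustration.

```shell
# Split the PEM chain printed by `openssl s_client -showcerts` into one file per
# certificate, locate the self-signed (root) block if the server sent one, and
# print a SHA-256 fingerprint to compare with the value the CA publishes.
set -e

# fetch_chain HOST PORT OUT: save the chain a live server presents (needs network).
fetch_chain() {
    echo "" | openssl s_client -showcerts -servername "$1" -connect "$1:$2" 2>/dev/null > "$3"
}

# split_chain IN OUTDIR: write OUTDIR/cert-1.pem, cert-2.pem, ...; print the count.
split_chain() {
    mkdir -p "$2"
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert-" n ".pem" }
        f { print > f }
        /-----END CERTIFICATE-----/   { close(f); f = "" }
        END { print n + 0 }' "$1"
}

# is_self_signed FILE: true when subject equals issuer, i.e. a root certificate.
is_self_signed() {
    subj=$(openssl x509 -noout -subject -in "$1")
    iss=$(openssl x509 -noout -issuer -in "$1")
    [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# find_root CHAIN OUTDIR: print the path of the self-signed block, or fail.
# Most servers omit the root, so failure means: fetch it from the CA out of band.
find_root() {
    n=$(split_chain "$1" "$2"); i=1
    while [ "$i" -le "$n" ]; do
        if is_self_signed "$2/cert-$i.pem"; then echo "$2/cert-$i.pem"; return 0; fi
        i=$((i + 1))
    done
    echo "no root certificate in chain; obtain it from the CA and verify its fingerprint" >&2
    return 1
}

# sha256_fingerprint FILE: the value to check against the CA's published fingerprint.
sha256_fingerprint() { openssl x509 -noout -fingerprint -sha256 -in "$1" | cut -d= -f2; }

# make_sample_chain DIR: constructed throwaway CA and leaf so the functions run offline.
make_sample_chain() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Sample Root CA" -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=example.test" -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$1/leaf.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" -CAcreateserial -out "$1/leaf.pem" 2>/dev/null
    cat "$1/leaf.pem" "$1/ca.pem" > "$1/chain.pem"   # leaf first, as s_client prints it
}
```

For a real server, run fetch_chain www.example.test 443 chain.pem and then find_root chain.pem certs; when it reports no root, get the root from the CA itself and compare sha256_fingerprint against the published value.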

Install Certificates

If you downloaded a certificate, here is where to install it:

Mac OS X, including Safari

Mac OS X installs certificates in the KeyChain at /System/Library/Keychains/X509Anchors. You should not add certificates here, as this KeyChain can be overwritten during software updates.

Instead, install it in the KeyChain at /Library/Keychains/System.

Firefox

Install certificates in the Certificate Manager, which can be accessed through Preferences > Advanced > Encryption > View Certificates.

Curl

If you visit a web page with a certificate signed by an untrusted CA, curl gives this error:

error: SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed while accessing

Curl uses the certificates stored in the file curl-ca-bundle.crt. Its location differs per distribution; MacPorts stores the file in /opt/local/share/curl/.

You can simply append an existing certificate to this file.

For example, to add the CAcert certificate to the MacPorts-installed curl:

cat root.crt class3.crt >> /opt/local/share/curl/curl-ca-bundle.crt

Note that curl-ca-bundle.crt gets overwritten when you update the curl-ca-bundle package. On Debian, any certificate file in the /usr/local/share/ca-certificates directory will be automatically trusted:

mv root.crt /usr/local/share/ca-certificates/
update-ca-certificates   # regenerates the system bundle in /etc/ssl/certs from the trusted directories

Git

Git uses the curl library. The http.sslcainfo configuration option specifies which certificate file to use:

git config --global http.sslcainfo /opt/local/share/curl/curl-ca-bundle.crt

Wget

Wget looks for CA certificates in the system-specified locations chosen at OpenSSL installation time. However, it is unclear where that is.

This article is unfinished.