Install CA Certificates
If you visit an HTTPS website, you will get a warning unless the web certificate is signed by a trusted authority.
Well known Certificate Authorities
There are many certificate authorities, and you must decide for yourself if you want to trust them or not.
By default, the Firefox web browser contains most well-known certificate authorities.
- AOL Time Warner
- Comodo CA
- Internet Publishing Services (IPS)
- Net Lock
- RSA Data Security
Educational and Academic CA
Open Source CA
CAcert is the only free-of-charge certificate authority, but it has not yet passed an audit and is therefore not yet included in most browsers or operating systems.
Since most CAs charge a certain amount of money, it is common practice to create self-signed certificates, thus creating a certificate authority on the fly.
There is no common procedure to reliably download certificates.
- You can trust the certificates that came with your operating system;
- You can visit the website of a certificate authority and download its root certificate;
- You can visit a representative of a certificate authority in person;
- You can visit an HTTPS website and use openssl to download the embedded certificate.
Note that all these cases are vulnerable to man-in-the-middle attacks. What if you Google for "Verisign" and download the first certificate you find? How do you know that you really downloaded Verisign's certificate instead of one from an adversary's website?
Download Embedded Certificates
In order to download a certificate using openssl, do as follows:
echo "" | openssl s_client -showcerts -connect kwek.macfreek.nl:443
Select the block you want to store, e.g.:
-----BEGIN CERTIFICATE-----
MIIEHTCCAgWgAwIBAgIDB/0+MA0GCSqGSIb3DQEBBQUAMHkxEDAOBgNVBAoTB1Jv
b3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAGA1UEAxMZ
gzhZylSzD2utlCjrlE4p8AGYfQyZ35sn4tLdUcvAaKYI1TFbkGYgaKcxdElMFxYg
6M4oWIsZ290s6rXdwzkfXKjOrfO1LvbhDxYE/3Q6M+A+JFxa8yLnnaChK4/EMCPW
dA==
-----END CERTIFICATE-----
You can then read this file:
openssl x509 -noout -text -in storedcertificate.pem
Be sure to store the correct certificate. If you directly pipe your result, you get only the first certificate in the chain, the server's own certificate rather than the CA's:
% echo "" | openssl s_client -connect www.google.com:443 | openssl x509 -noout -subject -issuer
subject= /C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
issuer= /C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
Typically, you will want to store the last certificate where the subject and issuer are equal (the root certificate). The openssl -showcerts option displays all certificates in the chain. Be aware that most servers do not return the root certificate in the certificate chain, so you often need to find another method to download the root certificate.
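As an added example (not from the original page), a small Python parser for the -showcerts output that splits the chain into its PEM blocks, picks out the self-signed block to store, and reports when the server omitted the root. The sample output, the PEM bodies and the "Example Root CA" name are constructed; the subject/issuer lines use the older OpenSSL "/C=..." style, but the comparison works for the newer "C = US, ..." style as well.

```python
import re
from collections import namedtuple

ChainEntry = namedtuple("ChainEntry", "index subject issuer pem")
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def parse_showcerts(output: str) -> list:
    """Parse the 'Certificate chain' entries (' N s:', '   i:', PEM block) of -showcerts output."""
    entries = []
    parts = re.split(r"^\s*(\d+) s:", output, flags=re.M)  # [preamble, N, body, N, body, ...]
    for idx, body in zip(parts[1::2], parts[2::2]):
        subject, _, rest = body.partition("\n")
        issuer = re.search(r"^\s*i:(.*)$", rest, re.M)
        pem = PEM_RE.search(rest)  # the first block after the header is this entry's own cert
        if not (issuer and pem):
            continue  # truncated entry: do not store a broken certificate
        entries.append(ChainEntry(int(idx), subject.strip(), issuer.group(1).strip(), pem.group(0)))
    return entries


def is_self_signed(entry: ChainEntry) -> bool:
    # A root CA issues its own certificate, so subject and issuer are equal.
    return entry.subject == entry.issuer


def find_root(entries: list):
    """Return the self-signed (root) entry to store, or None when the server left it out."""
    roots = [e for e in entries if is_self_signed(e)]
    return roots[-1] if roots else None


# Constructed sample with placeholder PEM bodies. As is typical, the server sends
# the leaf and the intermediate but not the root, and repeats the leaf at the end.
SAMPLE_NO_ROOT = """\
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
   i:/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
-----BEGIN CERTIFICATE-----
MIIC...leaf-placeholder...
-----END CERTIFICATE-----
 1 s:/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
   i:/O=Example Root CA/CN=Example Root CA
-----BEGIN CERTIFICATE-----
MIIC...intermediate-placeholder...
-----END CERTIFICATE-----
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIC...leaf-placeholder...
-----END CERTIFICATE-----
"""
```

When find_root returns None, the root has to be obtained another way, as the paragraph above says; store only the PEM of an entry whose subject equals its issuer.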
If you downloaded a certificate, here is where to install it:
Mac OS X, including Safari
Mac OS X installs certificates in the KeyChain at /System/Library/Keychains/X509Anchors. You should not add certificates here, as this KeyChain can be overwritten during software updates.
Instead, install it in the KeyChain at /Library/Keychains/System.
In Firefox, install certificates in the Certificate Manager, which can be accessed through Preferences > Advanced > Encryption > View Certificates.
With curl, if you visit a web page with a certificate signed by an untrusted CA, you get this error:
error: SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed while accessing https://www.example.com/path
Curl uses certificates stored in the file curl-ca-bundle.crt. The location differs per distribution. MacPorts stores the files in /opt/local/share/curl/.
You can simply append an existing certificate to this file.
For example, to add the CAcert certificate to the MacPorts-installed curl:
wget http://www.cacert.org/certs/root.crt
wget http://www.cacert.org/certs/class3.crt
cat root.crt class3.crt >> /opt/local/share/curl/curl-ca-bundle.crt
Note that curl-ca-bundle.crt gets overwritten if you update the curl-ca-bundle package. On Debian, any certificate file in the /usr/local/share/ca-certificates directory is automatically trusted once update-ca-certificates has been run:
wget http://www.cacert.org/certs/root.crt
mv root.crt /usr/local/share/ca-certificates/cacert.org.crt
Git uses the curl library. The http.sslcainfo configuration option specifies which certificate file to use:
git config --global http.sslcainfo /opt/local/share/curl/curl-ca-bundle.crt
Wget looks for CA certificates at the system-specified locations, chosen at OpenSSL installation time. However, it is unclear where that is.