Install CA Certificates

If you visit an HTTPS website, your browser warns you unless the site's certificate chains up to a certificate authority (CA) that is in its trust store. Installing a CA certificate adds that CA to the trust store, so everything it signs is accepted from then on without a warning; treat that decision with the care it deserves.

Well known Certificate Authorities
There are many certificate authorities, and you must decide for yourself whether to trust them. The lists below date from mid-2015; browser root programs have since removed some of these CAs (StartCom and Symantec among them), so check the current status of a CA before trusting it.

By default, the Firefox web browser, like every operating system, ships with most well-known certificate authorities.

The following is a list of some CA's that I

Commercial CA

 * Symantec (including: Verisign, Thawte)
 * Comodo
 * GlobalSign
 * Entrust
 * Startcom

GoDaddy is another big one, but I would not do business with them: they have too many controversies on their hands, even though they were on the 'good side' with their opposition to Verisign's idiotic Site Finder.

Educational and Academic CA

 * DutchGrid
 * SURFnet PCA

Official CA

 * Staat der Nederlanden (Dutch Government) CA

Open Source CA

 * letsencrypt.org
 * CAcert

Let's Encrypt is, as of June 2015, not yet active.

CAcert is the only free-of-charge certificate authority, but it has not yet passed an audit and is therefore not yet included in most browsers or operating systems.

A good alternative is StartSSL by Startcom, which only charges for validations, not for the actual certificates. In particular, they do not charge for automatic certification of domains and class 1 certificates for those domains.

Self-Signed Certificates
Since most CAs charge for certificates, it is common practice to create a self-signed certificate, or a private CA of your own that signs your server certificates, and to install that certificate in the trust stores of the clients that need it. Such a certificate is only as trustworthy as the way it reached those clients: nobody else vouches for it, so its fingerprint must be checked against the original before it is installed.

Download Certificates
There is no single reliable procedure to obtain a CA's root certificate. The options are:
 * Trust the certificates that came with your operating system;
 * Visit the website of the certificate authority and download its root certificate;
 * Visit a representative of the certificate authority in person;
 * Visit an HTTPS website and use openssl to download the certificates the server sends.

Note that all of these (except perhaps the in-person visit) are vulnerable to man-in-the-middle attacks. What if you Google for "Verisign" and download the first certificate you find? How do you know that you really downloaded Verisign's certificate instead of one from an adversary's website? The practical defence is to compare the certificate's fingerprint (a hash of the certificate, SHA-256 nowadays) with one obtained through a different channel, such as the CA's printed documentation, a signed announcement, or the copy in a trust store you already trust, before installing it.

Download Embedded Certificates
To download the certificates a server presents, use openssl as follows (the echo closes the connection once the handshake is done; add -servername kwek.macfreek.nl for hosts that serve several names on one address, i.e. rely on SNI):

echo "" | openssl s_client -showcerts -connect kwek.macfreek.nl:443

Select the block you want to store (the example below is abridged) and save it to a file, e.g. storedcertificate.pem:

-----BEGIN CERTIFICATE-----
MIIEHTCCAgWgAwIBAgIDB/0+MA0GCSqGSIb3DQEBBQUAMHkxEDAOBgNVBAoTB1Jv
b3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAGA1UEAxMZ
gzhZylSzD2utlCjrlE4p8AGYfQyZ35sn4tLdUcvAaKYI1TFbkGYgaKcxdElMFxYg
6M4oWIsZ290s6rXdwzkfXKjOrfO1LvbhDxYE/3Q6M+A+JFxa8yLnnaChK4/EMCPW
dA==
-----END CERTIFICATE-----

You can then inspect the stored certificate:

openssl x509 -noout -text -in storedcertificate.pem

Be sure to store the correct certificate. If you pipe the output of s_client straight into openssl x509, you get only the first certificate of the chain, which is the server's own (end-entity) certificate, not the CA's:

% echo "" | openssl s_client -connect www.google.com:443 | openssl x509 -noout -subject -issuer
subject= /C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
issuer= /C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA

Typically, you will want to store the last certificate, the one whose subject and issuer are equal (the root certificate). The -showcerts option displays all certificates in the chain. Be aware that most servers do not return the root certificate in the chain, so you often need another method to obtain the root. That is not a defect: a root found in the chain proves nothing, because a man-in-the-middle can just as easily send you a self-signed root of their own. A root only deserves trust when you obtained and checked it independently of the connection it is supposed to secure.
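The two procedures described above, creating a certificate authority on the fly (see Self-Signed Certificates) and pulling a server's chain apart to find the certificate worth storing, as one added example in shell. This is not code from the original page: it builds a throw-away root, intermediate and server certificate with openssl so that it runs offline (the subjects, the host name www.example.test and the work directory are all made up), then splits a chain file of the kind s_client -showcerts produces, prints subject, issuer and SHA-256 fingerprint of each certificate, reports whether the chain contains a self-signed root (it usually does not), and finally verifies the server certificate against a root supplied separately:

```shell
#!/bin/sh
# Added example, not code from the original page. It builds a throw-away
# private CA (root -> intermediate -> server certificate) and then handles
# the chain the way you would after
#     echo "" | openssl s_client -showcerts -connect host:443 > chain.pem
# Every subject, host name and path below is made up for the demo.
set -eu

WORK=$(mktemp -d)

# 1. A certificate authority "on the fly": self-signed root, an intermediate
#    signed by it, and a server certificate signed by the intermediate.
make_demo_pki() (
    cd "$WORK"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/O=Demo Root CA/CN=Demo Root" -keyout root.key -out root.pem 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "/O=Demo Root CA/CN=Demo Intermediate" \
        -keyout int.key -out int.csr 2>/dev/null
    openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -days 30 -sha256 -extfile ca.ext -out int.pem 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' > leaf.ext
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=www.example.test" \
        -keyout leaf.key -out leaf.csr 2>/dev/null
    openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
        -days 30 -sha256 -extfile leaf.ext -out leaf.pem 2>/dev/null
    # What a typical server sends: leaf plus intermediate, root omitted.
    cat leaf.pem int.pem > chain.pem
)

# 2. Split a downloaded chain into one file per certificate; prints the count.
split_chain() {   # $1 = PEM chain, $2 = existing output dir -> $2/cert-1.pem, cert-2.pem, ...
    awk -v dir="$2" '
        /^-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert-" n ".pem" }
        f != ""                        { print > f }
        /^-----END CERTIFICATE-----/   { close(f); f = "" }
        END                            { print n + 0 }
    ' "$1"
}

# Strip the "subject=" / "issuer=" prefixes so the two names can be compared.
cert_subject() { openssl x509 -noout -subject -in "$1" | sed 's/^subject=//'; }
cert_issuer()  { openssl x509 -noout -issuer  -in "$1" | sed 's/^issuer=//'; }
cert_sha256()  { openssl x509 -noout -fingerprint -sha256 -in "$1" | sed 's/^.*=//'; }

# Issuer equal to subject means self-signed: a root (or a lone self-signed
# server certificate). Only such a certificate belongs in a trust store.
is_self_signed() {
    [ -s "$1" ] || return 1
    [ "$(cert_subject "$1")" = "$(cert_issuer "$1")" ]
}

describe_cert() {
    kind=intermediate-or-leaf; is_self_signed "$1" && kind=self-signed
    printf '%s (%s)\n  subject: %s\n  issuer:  %s\n  sha256:  %s\n' \
        "$(basename "$1")" "$kind" "$(cert_subject "$1")" "$(cert_issuer "$1")" "$(cert_sha256 "$1")"
}

find_root() {   # prints the first self-signed certificate in $1/cert-*.pem; fails if none
    for c in "$1"/cert-*.pem; do
        if is_self_signed "$c"; then echo "$c"; return 0; fi
    done
    return 1
}

# 3. The real check: does the served chain lead to a root you already trust?
#    The root comes from your own copy (-CAfile), never from the chain itself;
#    the intermediates from the chain go in as -untrusted.
verify_leaf() {   # $1 = leaf, $2 = intermediates file, $3 = trusted root file ("" = none)
    if [ -n "${3:-}" ]; then
        openssl verify -CAfile "$3" -untrusted "$2" "$1" 2>/dev/null
    else
        openssl verify -untrusted "$2" "$1" 2>/dev/null
    fi
}

main() {
    make_demo_pki
    mkdir "$WORK/split"
    n=$(split_chain "$WORK/chain.pem" "$WORK/split")
    echo "server sent $n certificate(s):"
    for c in "$WORK/split"/cert-*.pem; do describe_cert "$c"; done
    if root=$(find_root "$WORK/split"); then
        echo "chain contains a self-signed certificate ($root): check its fingerprint out of band"
    else
        echo "no root in the chain (the usual case); verifying against our own copy of the root:"
    fi
    verify_leaf "$WORK/leaf.pem" "$WORK/int.pem" "$WORK/root.pem"
}
main
```

To apply it to a real server, replace chain.pem with the saved output of openssl s_client -showcerts and root.pem with the copy of the root you checked out of band. Note that is_self_signed only compares names; the signatures are what openssl verify checks, and it fails when the chain is handed in without a trusted root.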

Install Certificates
If you downloaded a certificate, here is where to install it:

Mac OS X, including Safari
Mac OS X installs its own certificates in the keychain at /System/Library/Keychains/X509Anchors. You should not add certificates there, as this keychain can be overwritten during software updates.

Instead, install it in the System keychain at /Library/Keychains/System.keychain, with the Keychain Access application or with the security add-trusted-cert command, and set its trust setting to trusted.

Firefox
Install certificates in the Certificate Manager, which can be accessed through Preferences > Advanced > Encryption > View Certificates. Firefox keeps its own certificate store (NSS) and does not, by default, use the operating system's, so a CA added to the keychain or to a system bundle is not trusted by Firefox until it is imported here as well.

Curl
If you fetch a page whose certificate is signed by a CA that curl does not trust, you get an error like this (the wording depends on the curl version):

error: SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed while accessing https://www.example.com/path

Curl uses the CA bundle that was compiled into it, typically a file called curl-ca-bundle.crt or ca-certificates.crt; the location differs per distribution, and curl-config --ca prints it. MacPorts stores the file in /opt/local/share/curl/. You can also point a single invocation at another file with curl --cacert file.

You can simply append an existing certificate to this file.

For example, to add the CAcert certificates to the MacPorts-installed curl:

wget http://www.cacert.org/certs/root.crt
wget http://www.cacert.org/certs/class3.crt
cat root.crt class3.crt >> /opt/local/share/curl/curl-ca-bundle.crt

Note that these downloads travel over plain HTTP (CAcert's own HTTPS site is signed by the very CA you do not trust yet), so compare the fingerprints of root.crt and class3.crt with values obtained out of band before appending them.

Note that curl-ca-bundle.crt gets overwritten if you update the curl-ca-bundle package. On Debian and its derivatives, drop the certificate, with a .crt extension, into /usr/local/share/ca-certificates/ and run update-ca-certificates; that regenerates /etc/ssl/certs, which the distribution's curl, wget and OpenSSL use:

wget http://www.cacert.org/certs/root.crt
sudo mv root.crt /usr/local/share/ca-certificates/cacert.org.crt
sudo update-ca-certificates
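Appending a file fetched over plain HTTP, or found through a search engine, to the bundle is exactly the man-in-the-middle exposure noted under Download Certificates. The following is an added example, not code from the original page or from the curl or CAcert projects, of an install step that refuses a certificate unless its SHA-256 fingerprint matches a value obtained out of band and unless it really is a CA certificate. The bundle path is a temporary stand-in for /opt/local/share/curl/curl-ca-bundle.crt, and the demo CA certificate is generated on the spot, with its expected fingerprint read from that same file purely for the demonstration:

```shell
#!/bin/sh
# Added example, not code from the original page: append a CA certificate to a
# curl-style bundle only after checking its fingerprint against a value obtained
# out of band, and only if it really is a CA certificate. BUNDLE is a temporary
# stand-in for /opt/local/share/curl/curl-ca-bundle.crt; the demo CA is made up.
set -eu

WORK=$(mktemp -d)
BUNDLE="$WORK/curl-ca-bundle.crt"
: > "$BUNDLE"

sha256_fingerprint() {   # prints AB:CD:... for the first certificate in $1
    openssl x509 -noout -fingerprint -sha256 -in "$1" | sed 's/^.*=//'
}

count_certs() {   # number of PEM certificates in bundle $1
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# $1 = bundle, $2 = candidate PEM file, $3 = expected SHA-256 fingerprint.
# A mismatch means the file is not the one you were told about (tampered with,
# substituted, or simply the wrong download). An ordinary server certificate
# must not go in either: the bundle would then trust that key as a signer.
install_ca_cert() {
    actual=$(sha256_fingerprint "$2")
    if [ "$actual" != "$3" ]; then
        echo "refusing $2: fingerprint $actual does not match expected $3" >&2
        return 1
    fi
    if ! openssl x509 -noout -text -in "$2" | grep -q 'CA:TRUE'; then
        echo "refusing $2: no basicConstraints CA:TRUE, not a CA certificate" >&2
        return 1
    fi
    # Re-encode through openssl so the bundle gets a clean, newline-terminated PEM block.
    openssl x509 -in "$2" >> "$1"
    echo "installed $2 into $1"
}

# Constructed demo CA. In real use the file comes from the CA and the expected
# fingerprint from a separate channel; here it is read off the file just made.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/O=Demo CA/CN=Demo Root" -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
EXPECTED=$(sha256_fingerprint "$WORK/ca.pem")

install_ca_cert "$BUNDLE" "$WORK/ca.pem" "$EXPECTED"
install_ca_cert "$BUNDLE" "$WORK/ca.pem" "00:00:00" || echo "(rejected, as intended)"
echo "bundle now holds $(count_certs "$BUNDLE") certificate(s)"
# Anything the demo CA signs would now pass:  curl --cacert "$BUNDLE" https://...
openssl verify -CAfile "$BUNDLE" "$WORK/ca.pem"
```

In real use the expected fingerprint comes from the CA's documentation or another channel independent of the download. Once the certificate is in the bundle, curl --cacert path/to/bundle https://host/ (or plain curl, if you appended to the compiled-in bundle) accepts sites that CA signed.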

Git
Git uses the curl library. The http.sslcainfo configuration option specifies which certificate file to use:

git config --global http.sslcainfo /opt/local/share/curl/curl-ca-bundle.crt

Wget
Wget looks for CA certificates at the system locations OpenSSL was configured with at build time: the certs/ subdirectory of the directory printed by openssl version -d (on Debian this resolves to /etc/ssl/certs). If that store does not contain your CA, point wget at a file or directory explicitly with --ca-certificate=FILE or --ca-directory=DIR.