• FAQ
• BrowserClients

---

• català | česky | dansk | deutsch | english | español | français | lingála | magyar | nederlands | norsk | polski | português | svenska

---

HowTo: Import the CAcert Root Certificate into Client Software

See also ImportRootCert | FAQ/eMailClients

If you want to access a website that uses a SSL certificate signed by CAcert, you might get an SSL warning. We are sorry, but currently that's still 'normal' as mainstream browsers don't automatically include the CAcert Root Certificate yet. (Check the InclusionStatus page for latest news on this topic.)

This HowTo tells you how you can manually import the CAcert Root Certificate in you web browser and other client software (like the Acrobat Reader) so that you don't get these warnings anymore.

Expected Result: You access https://www.cacert.org/ and other sites using CAcert-issued certificates and don't get any warnings about unknown certificates anymore.

Mozilla Firefox

Firefox uses its own Certificate Manager. So even if your Windows (and other Microsoft) applications already use a root certificate Firefox still might not.

Firefox can read root certificates from Windows system repository

Firefox uses its own certificate repository. However, you can set Firefox to read CA's root certificates from Windows system certificate repository in Firefox's new versions (since about 2017).

You can find that setting on the page about:config as security.enterprise_roots.enabled and set it to true.

Importing the CAcert Root Certificate

1. Go to the CAcert Root Certificate website: http://www.cacert.org/index.php?id=3

2. Click on 'Root Certificate (PEM Format)' x1)

3. You'll get:

You have been asked to trust a new Certificate Authority (CA).
Do you want to trust "CA Cert Signing Authority" for the following purposes?
[ ] Trust this CA to identify web sites.
[ ] Trust this CA to identify email users.
[ ] Trust this CA to identify software developers.
Before trusting this CA for any purpose, you should examine its certificate
and its policy and procedures (if available).
[VIEW] Examine CA certificate

4. You should click on VIEW to check the certificate root_X0F.crt or root_X0F.der. Most important is that you check the fingerprints of the certificate x2). They should match the following:

SHA1 Fingerprint: dd:fc:da:54:1e:75:77:ad:dc:a8:7e:88:27:a9:8a:50:60:32:52:a5
SHA256 fingerprint: 07ED BD82 4A49 88CF EF42 15DA 20D4 8C2B 41D7 1529 D7C9 00F5 7092 6F27 7CC2 30C5

5. Close the Certificate Viewer and tick at least the first box ('Trust this CA to identify web sites.').
6. Press OK and that's all for the root_X0F.crt or root_X0F.der.
7. Repeat above steps for CAcert's Class3 cert (class3_x14E228.crt or class3_x14E228.der).

SHA1 Fingerprint: A7:C4:8F:BE:6B:02:6D:BD:0E:C1:B4:65:B8:8D:D8:13:EE:1D:EF:A0
SHA256 fingerprint: F687 3D70 D675 96C2 ACBA 3440 1E69 738B 5270 1DD6 AB06 B497 49BC 5515 0936 D544

Don't give the explicite trust to the Class 3 certificate ! The reason is, that the trust (for every of the 3 purposes) explicitly concerns this particular certificate. It is OK for the root Class 1 certificate, however this intermediate Class 3 certificate inherits its trustfulness from the root Class 1 certificate (which have signed the Class 3 intermediate root). If you give the explicite trust to the Class 3 root, then you make impossible to correctly create the certificate chain (from the Class 1 root, through the Class 3 intermediate root, to your client/server certificate. See also the Certificate Chain Construction.

Installing the CRL

1. Click the 'Revocation Lists' button in Preferences->Advanced->Encryption to open the Manage CRL window.

2. Once there, click the "Import" button, then enter the URL http://crl.cacert.org/revoke.crl.

3. Click "OK", and set the automatic update preferences accordingly. Note: it may take a few moments to import the CRL after you click "OK".

If you want to check, modify, or delete the CAcert Root Certificate you can access it at any time via:

1. Open Edit -> Preferences -> Advanced or Open Tools -> Options -> Advanced

2. Certificates -> Manage Certificates

3. Authorities

4. The CAcert certificate is called Root CA (Scroll down to 'R'!)

5. Here you can View, Edit and Delete it.

Mozilla Thunderbird

Thunderbird uses its own Certificate Manager. So even if your Windows (and other Microsoft) applications already use a root certificate Thunderbird still might not. The following procedure tells you how to import the CAcert Root Certificate into your Thunderbird mail client.

1. Go to the CAcert Root Certificate website: http://www.cacert.org/index.php?id=3

2. Click on 'Root Certificate (PEM Format)' with the RIGHT mouse-button, then save it to a convenient location.
3. Open Thunderbird
4. Depending on the version of Thunderbird

   • - For older versions of Thunderbird open: Preferences->Privacy->Security->View Certificates->CA

   • - For Thunderbird V2.+ open: Tools->Options->Encryption->View Certificates->Authorities

5. Select "Import Certificate" or "Import..."
6. You'll get:

You have been asked to trust a new Certificate Authority (CA).
Do you want to trust "CA Cert Signing Authority" for the following purposes?
[ ] Trust this CA to identify web sites.
[ ] Trust this CA to identify email users.
[ ] Trust this CA to identify software developers.
Before trusting this CA for any purpose, you should examine its certificate
and its policy and procedures (if available).
[VIEW] Examine CA certificate

7. You should click on VIEW to check the certificate. Most important is that you check the fingerprints of the certificate x2). They should match the following:

SHA1 Fingerprint: dd:fc:da:54:1e:75:77:ad:dc:a8:7e:88:27:a9:8a:50:60:32:52:a5
SHA256 fingerprint: 07ED BD82 4A49 88CF EF42 15DA 20D4 8C2B 41D7 1529 D7C9 00F5 7092 6F27 7CC2 30C5

8. Close the Certificate Viewer and tick at least the second box ('Trust this CA to identify email users.').
9. Press OK and that's it!
10. As above for Firefox, repeat these steps also for CAcert's Class3 cert (class3_x14E228.crt or class3_x14E228.der).

SHA1 Fingerprint: A7:C4:8F:BE:6B:02:6D:BD:0E:C1:B4:65:B8:8D:D8:13:EE:1D:EF:A0
SHA256 fingerprint: F687 3D70 D675 96C2 ACBA 3440 1E69 738B 5270 1DD6 AB06 B497 49BC 5515 0936 D544

Once you've installed the root into Thunderbird (and any other client applications you wish), you may delete the 'root_X0F.crt' file you downloaded in Step 2.

To install the CRL, click the 'Revocation Lists' button in Preferences->Advanced->Certificates to open the Manage CRL window. Once there, click the "Import" button, then enter the URL http://crl.cacert.org/revoke.crl, click "OK", and set the automatic update preferences accordingly. Note: it may take a few moments to import the CRL after you click "OK".

Apple Safari

To add the CAcert Root Certificate to Apple Safari, we need to use the Keychain Access application which is shipped with Mac OS X.

To install the certificate system-wide, you need to follow these steps:

1. Go to the CAcert Root Certificate website: http://www.cacert.org/index.php?id=3

2. Click on 'Root Certificate (PEM Format)'. It will be downloaded to your desktop.
3. Double click on the 'root_X0F.crt' file. The Keychain Access application will be launched
4. To check the certificate, click on the 'View Certificates' button on the left side of the dialog

   • Lion 10.7: 'Certificates' at bottom, but not 'My Certificates.' Click on the root shown in main box.

5. A dialog with information about the certificate will pop up.

   • Lion: skim to bottom to of dialog.

   • Make sure the following values match:

Fingerprints
SHA1: dd:fc:da:54:1e:75:77:ad:dc:a8:7e:88:27:a9:8a:50:60:32:52:a5
SHA256: 07ED BD82 4A49 88CF EF42 15DA 20D4 8C2B 41D7 1529 D7C9 00F5 7092 6F27 7CC2 30C5

5. Select 'System' from the 'Keychain' dropdownlist and press 'OK'.

   • Lion: To install for all users, drag the certificate(s) from your 'Certificates' box up and left and drop on 'System'.

6. You will be asked to authenticate yourself. After that, the certificate will be installed system-wide.

The Keychain Access application makes certificates available to all applications including Chrome (but not Thunderbird nor Firefox which use Mozilla certificate storing).

Opera Webbrowser

This applies to 8.02 Linux, not sure about 6.x or 7.x

1. Go to the CAcert Root Certificate website: http://www.cacert.org/index.php?id=3

2. Click on 'Root Certificate (PEM Format)'
3. Choose 'View'
4. Check 'Allow connections to sites using this certificate'
5. If desired, uncheck 'Warn me before using this certificate'

There seems to be an occasional problem getting the certification to pass on Opera 8.5 in Windows. Here is the workaround:

1. Make sure cache is cleared.
2. Attempt to get cert. via Opera ID'ing.
3. Attempt to get while ID'ing as IE 6.0 (in Opera).
4. Attempt to get while ID'ing as Opera again. This time, cert. should pass through.

It seems there is something about the caching where it wants both IE and Opera set at the same time before it will let the Opera cert. go through. Odd, but it works.

Microsoft Internet Explorer

You have two possibilities using Microsoft Internet Explorer. One is to automatically install it using ActiveX and one is to manually import it.

ActiveX

OBSOLETE ActiveX installation (won't work with Windows Vista)

1. Go to the CAcert Wiki FAQ/NewRoots, scroll down and find the line "SHA256 Installable package for Windows"

2. Download the .msi file.
3. Proceed according to the procedure referred by the link at the end of line.

Manual Installation (for a single user)

If you want to install the CAcert Root Certificate manually into Internet Explorer do the following:

1. Go to the CAcert Root Certificate website: http://www.cacert.org/index.php?id=3

2. Download the 'Root Certificate' and the 'Intermediate Certificate' (choose either DER or PEM Format - it doesn't matter)

3. Open the Windows Key Store (from the IE browser): View -> Tools -> Internet Options -> Content -> Personal -> Certificates

4. Choose the

   1. For class1: Trusted Root Certification Authorities tab.

   2. For class3: Intermediate Certification Authorities tab.

5. Import the Certificates you downloaded (root_X0F.crt/.der and class3_x14E228.crt/.der, respectively).

Note: This procedure only adds the CAcert Certificates to the current user! If you have multiple user accounts have a look at the next section.

Microsoft Windows

Single user

1. Go to the CAcert Root Certificate website: http://www.cacert.org/index.php?id=3

2. Download the 'Root Certificate' and the 'Intermediate Certificate' (choose either DER or PEM Format - it doesn't matter)
3. Log in as an Administrator

4. In Windows Explorer, browse to the class 1 Root certificate you downloaded and right-click it, selecting Install Certificate (and click Open and Next if necessary)

5. Verify that the radio box labeled Place all certificates in the following store is checked and that text box says Trusted Root Certification Authorities

6. Click Next and then Finish. You should get a message saying the import was successful.

7. In Windows Explorer, browse to the class 3 Intermediate certificate you downloaded and right-click it, selecting Install Certificate (and click Open and Next if necessary)

8. Verify that the radio box labeled Place all certificates in the following store is checked and that text box says Intermediate Certification Authorities

9. Click Next and then Finish. You should get a message saying the import was successful.

Multiple users

If you have more than one account on your computer you don't want to install the CAcert Root Certificate for every single user. Therefore you can manually import the CAcert Root Certificates into the Local Machine Store. This procedure works only for Microsoft programs (e.g. Internet Explorer and Outlook), so you will also need to import the certificate into non-Microsoft browsers and e-mail programs (esp. Firefox, Thunderbird, Palemoon).

1. Click the windows Start button and choose Run

2. Type MMC, then hit Enter

3. From the new window open the File menu and choose Add/Remove Snap-in...

4. click the Add Button

5. choose the certificates item from the listbox and click the Add Button

6. choose the Computer Account radio button and click the Next Button

7. choose the Local Computer radio button and click the Finish Button

8. click the Ok Button

9. expand the tree to view Trusted Root Certification Authorities node

10. right click on the Trusted Root Certification Authorities

11. find the All Tasks menu item then choose Import off that menu and click Next

12. type in, or browse to the class 1 Root certificate you previously downloaded and click Next

13. verify that the radio box labeled Place all certificates in the following store is checked and that text box says Trusted Root Certification Authorities

14. click Next and then Finish. You should get a message saying the import was successful.

15. right click on the Intermediate Certification Authorities

16. find the All Tasks menu item then choose Import off that menu and click Next

17. type in, or browse to the class 3 Intermediate certificate you previously downloaded and click Next

18. verify that the radio box labeled Place all certificates in the following store is checked and that text box says Intermediate Certification Authorities

19. click Next and then Finish. You should get a message saying the import was successful.

You may close the MMC window.

Microsoft Outlook

Just follow the Internet Explorer instructions, given above. When using Outlook 2007 you must import class 1 and 3 certificates (if your certificate is signed by the the class 3 certificate). An additional Problem with Outlook 2007 is that it doesn't care about alt names, so make sure your Common Name is set correctly.

Microsoft Outlook 2010 testing

• Outlook 2010 to Outlook 2010 email signing and ciphering should be working fine.
• Email signing works between Win7/Outlook 2010 and Ubuntu 11.04/Thunderbird 6
• Ciphering and signing work from Ubuntu 11.04/Thunderbird 6 to Win7/Outlook 2010

• So far, there is no way (based on my tests) to cipher/sign from Win7/Outlook 2010 to Ubuntu 11.04/Thunderbird 6 : Thunderbird complains it cannot decipher the data. Note : there are plenty of new Options in Outlook 2010 to select Hash algo and Cipher algo.

note : some previous testings were done with Jason Curl, in April 2011, with no clear results. We could not figure out which software is broken (Outlook 2010 or Thunderbird version 3)

Import into Microsoft Active Directory Group Policy object

To use certificates generated with CACert.org with any MS office product, you will have to manually import the root certificate into your certificate store, you can do this on your machine from that same interface, BUT if you want to use the certificates across the enterprise you will have to follow this text, borrowed from the MS support website.

Add the third-party root CA to the trusted roots in an Active Directory Group Policy object (GPO). To configure Group Policy in the Windows 2000 domain to distribute the third-party CA to the trusted root store of all domain computers:

1. Click Start -> Programs -> Administrative Tools -> Active Directory Users and Computers

2. In the left pane, locate the domain in which the policy you want to edit is applied.

3. Right-click the domain, and then click Properties.

4. Click the Group Policy tab.

5. Create a new Group Policy by clicking on New and give the new GPO a name

6. Click on the new object, and then click Edit. A new window opens.

7. In the left pane, expand the following items: 'Computer Configuration', 'Windows Settings', 'Security Settings', 'Public Key Policy'

8. Right-click Trusted Root Certification Authorities.

9. Select All Tasks, and then click Import.

10. Follow the instructions in the wizard to import the certificate.

11. Click OK.

12. Close the Group Policy window.

Editing the Default Domain Policy as this wiki previously suggested is a bad idea.

Sha256 support under older Windows System

• If you experiences problems using the new Class3 Subroot and creating class3 client certificates, probably your older Windows system (Windows XP, Windows 2003) does not have the patch Microsoft Base Smart Card Crypto Provider (KB909520) installed.

• KB909520 installs support for sha256 and other crypto providers like AES128, AES192, AES256 and more

• Further infos about crypto providers under Windows read MSDN library article CryptoAPI Cryptographic Service Providers

Acrobat 6.0

For Acrobat READER 6.0.X, do the following if the Windows Certificate Store includes CAcert root certificate

1. Edit Menu->Preferences

2. choose Digital Signatures

3. Then click the Advanced Preferences button

4. Then check the following 3 checkboxes:
   • Enable importing of identities from the Windows Certificate Store into the Adobe Trusted Identities List
   • Validating Signatures
   • Validating Certified Documents

Note: This MAY also work for Acrobat 6 Acedemic, Standard, and Professional versions, but it has not been verified.

Acrobat 7.0 to 10.0

How to add the root CAcert cert to Adobe certificate store as they don't use the Windows cert store.

Question: I am getting the error Certifier's Identity is Unknown ?

To make this simple the reason is because the CACert.org root cert isn't in Adobe, as of Acrobat 7 only 2 CAs have their root cert in Acrobat, GeoTrust and Adobe, this is something you will have to guide your clients through if you want to use another CAs certificates to sign your PDF documents. Acrobat Reader does indeed have the ability to verify its documents against the Windows cert store, at least Acrobat Reader 7 does. To do this:

1. Open Acrobat (Reader, Academic, Standard or Professional)

2. Choose the Edit menu

3. Choose Preferences

4. Choose the Security category

5. Choose the Advanced Preferences button

6. Choose the Windows Integration tab

7. Then check the following 3 checkboxes
   • Enable importing of identites from the Windows Certificate Store into the Adobe Trusted Identities List
   • validating signatures
   • validating certified documents

Remember: this only installs the CAcert Root Certificate into your copy of Acrobat, not any other software (like a web browser or email client).

Google Chrome

Linux

In Linux, Google Chrome uses Mozilla's NSS for the certificates, then you need the certutil tool to manage it.

In Debian/Ubuntu certutil comes from libnss3-tools

$ sudo apt-get install libnss3-tools

and to import the our root certs you simply need to run:

$ wget -O cacert-root.crt "http://www.cacert.org/certs/root_X0F.crt"
$ wget -O cacert-class3.crt "http://www.cacert.org/certs/class3_x14E228.crt"

$ certutil -d sql:$HOME/.pki/nssdb -A -t TC -n "CAcert.org" -i cacert-root.crt 
$ certutil -d sql:$HOME/.pki/nssdb -A -t TC -n "CAcert.org Class 3" -i cacert-class3.crt

and now it just works, without needing to restart the browser.

Addtl. external links with further details:

• http://cad.cx/blog/2009/08/11/howto-add-cacert-root-certificates-to-chromium/

• http://code.google.com/p/chromium/wiki/LinuxCertManagement

Mac OS X

Chrome uses the system keychain for key management, see the section about Apple Safari for instructions on how to set it up.

External Documentation

• Rutgers University FAQ for adding a CA cert to various web browsers

• {pt} Root Certificate Installation for Internet Explorer (Carlos Pereira)

• https://help.riseup.net/security/certificates/import/ Tutorials from riseup.net for installing the CACert Root Certificate in Firefox, Mozilla, Safari, IE Mac, IE Windows, Thunderbird, Mozilla Mail, Apple Mail, Outlook Windows, Outlook Mac.

• Importing and Exporting Digital Certificates with popular Web Browsers by PGP Trustcenter Documentation (IE, FF, Chrome, Safari, Opera with many screenshots)

Leftovers from the original page

Note :

As you may use your personal certs (email certs) for signing documents, lets start with a brief background: "How are you generating your keys?"

When you request a cert from a CA like CACert.org, your computer generates the private key, and a request that you then use to retrieve the signed public key portion from the CA.

If you are using IE to generate this, it automatically stores both portions of your key in the Windows key store. If you are using Firefox, you are going to have a little more trouble, as you will have to export the key from the Firefox key store and import it into the Windows key store before you can use it with Word or any other Office product.

Manually importing/exporting CAcert personal mail certificates into IE

Follow the same instructions as written above.

At that point you may import your entire certificate or back them up, one of the options for backup included a checkbox to include the private key. For simplicities sake, lets assume that you used IE to generate the certificate, thus the certificate is in the store, if not, go back at and do it that way, it will save you headaches.

FAQ

• Q My new browser client FF12 returns an error "ssl_error_renegotiation_not_allowed" visiting the page https://community.cacert.org/board/motions.php?motion=

  • A There is a workaround configuring FF12 settings to allow ssl renegotiation

  • enter about:config into the url line

  • Variant A:

  • search for "security.ssl.allow_unrestricted_renego_everywhere_ _temporarily_available_pref" and set it to True

  • (source: http://my.opera.com/duyda/blog/2011/03/30/ssl-error-renegotiation-not-allowed)

  • Variant B:

  • search for "security.ssl.renego_unrestricted_hosts", add "community.cacert.org,blog.cacert.org" to the string field

Foot notes

• x¹) If Firefox tells you 'This certificate is already installed as a certificate authority.' someone (such as a network administrator) already imported the root certificate for you.

• x²) You also find the fingerprints GPG signed on the CAcert Root Certificate page.

---

• CategoryCommunity

• CategoryConfiguration

• CategoryGuide

• CategorySoftware

• CategorySupport