The root certificates of well-known trusted CAs are often installed with the client browser, so you might not need to install
any. The security policy in your organization might restrict your access to the Web and might have removed the trusted CA
root certificates. In this case you need to install root certificates for the CAs that signed the server certificates of the
servers you need to communicate with securely.
Note: The root certificate for the demonstration CA is not pre-installed, and so you need to install this certificate to enable
you to use the demonstration CA.
CA root certificates can be specified as any of the following:
- A single file containing a single certificate.
- A single file containing multiple certificates. This file defines your trusted CAs (plus their chains if appropriate).
- A directory containing PEM files that each contain a single certificate. These files are named with the hash value of the
certificate content, using the hash.0 format. For example, you can display this hash value, using the command:
openssl X509 -hash -in CARootcert.pem
This produces the following output:
1a584193
----BEGIN CERTIFICATE
....
Where:
- The number that is displayed before the certificate is the hash value of the certificate.
- The filename of the certificate would be
1a584193.0
To install a CA root certificate:
- In your browser, go to the options where you manage certificates. For example:
- In Internet Explorer, click
Tools >
Internet Options >
Content >
Certificates. Go to the
Trusted Root Certification Authorities tab.
- In Mozilla Firefox, click
Tools >
Options >
Advanced. Scroll down, click
Manage Certificates and then click
Authorities.
- Click
Import and select the CA's root certificate.
For the demonstration, select the self-signed certificate
CARootCert.cer, which is in the
private subdirectory of
/opt/microfocus/DemoCA/openssl or
$COBSSL (if set) by default.
Internet Explorer requires certificates in DER format, so only those are listed in the
File Open field, and not the PEM format files. Mozilla Firefox can handle several types, so several are listed and you can install
the PEM-format certificate.
- In Internet Explorer, use the
Browse button to enter
Trusted Root Certification Authorities in the Certificate Store field.
In Mozilla Firefox, check
Trust this CA to identify Web sites.
- Look down the list under
Trusted Root Certification Authorities (for Internet Explorer) and
Authorities (for Firefox). You'll see your Demo CA is now listed; look for its Common Name. If when you installed Micro Focus Security
Pack you chose to use your computer DNS name as the DemoCA's Common Name, it will probably look an odd-one-out, because real
CAs tend to give themselves user-friendly Common Names.