oreilly.comSafari Books Online.Conferences.


Linux Server Hacks

Distributing Your CA to Client Browsers

by Rob Flickenger, author of Linux Server Hacks

Installing your shiny new Certificate Authority certificate to client browsers is just a click away

In order for your client browsers to trust your new Certificate Authority, they must be configured to accept your CA's public key. There are two possible formats that browsers will accept for new certificate authority certs: pem and der. You can generate a der from your existing pem with a single OpenSSL command:

openssl x509 -in demoCA/cacert.pem -outform DER -out cacert.der

Also, add the following line to your conf/mime.types file in your Apache installation:

application/x-x509-ca-cert      der pem crt

Now restart Apache for the change to take effect. You should now be able to place both the cacert.der and demoCA/cacert.pem files anywhere on your web server, and have clients install the new cert by simply clicking on either link.

Early versions of Netscape expected pem format, but recent versions will accept either. Internet Explorer is just the opposite (early IE would accept only der format, but recent versions will take both). Other browsers will generally accept either format.

A dialog box will open in your browser when you download the new Certificate Authority, asking if you'd like to continue. Accept the certificate, and that's all there is to it. Now SSL certs that are signed by your CA will be accepted without warning the user.

Accepted CA

Keep in mind that Certificate Authorities aren't to be taken lightly. If you accept a new CA in your browser, you had better trust it completely--a mischevious CA manager could sign all sorts of certs that you should never trust, but your browser would never complain (since you claimed to trust the CA when you imported it). Be very careful about who you extend your trust to when using SSL-enabled browsers. It's worth looking around in the CA cache that ships with your browser to see exactly who you trust by default.

For example, did you know that AOL/Time Warner has its own CA? How about GTE? Or Visa? CA certificates for all of these entities (and many others) ship with Netscape 7.0 for Linux, and are all trusted authorities for web sites, email, and application add-ons, by default. Keep this in mind when browsing SSL-enabled sites: if any one of the default authorities have signed online content, then your browser will trust it without requiring operator acknowledgment.


If you value your browser's security (and, by extension, the security of your client machine), then make it a point to review your trusted CA relationships.


For more on OpenSSL, creating Certificate Authorities, and my book on Linux Hacks, check out these resources:

Rob Flickenger is a long time supporter of FreeNetworks and DIY networking. Rob is the author of three O'Reilly books: Building Wireless Community Networks, Linux Server Hacks, and Wireless Hacks.

Linux Server Hacks

Related Reading

Linux Server Hacks
100 Industrial-Strength Tips and Tools
By Rob Flickenger

O'Reilly & Associates recently released (January 2003)Linux Server Hacks.

Return to the Linux DevCenter.

Linux Online Certification

Linux/Unix System Administration Certificate Series
Linux/Unix System Administration Certificate Series — This course series targets both beginning and intermediate Linux/Unix users who want to acquire advanced system administration skills, and to back those skills up with a Certificate from the University of Illinois Office of Continuing Education.

Enroll today!

Linux Resources
  • Linux Online
  • The Linux FAQ
  • Linux Kernel Archives
  • Kernel Traffic

  • Sponsored by: