Distributing Your CA to Client Browsersby Rob Flickenger, author of Linux Server Hacks
Installing your shiny new Certificate Authority certificate to client browsers is just a click away
In order for your client browsers to trust your new
Certificate Authority, they must be configured to accept your CA's
public key. There are two possible formats that browsers will accept for
new certificate authority certs:
der. You can
der from your existing
pem with a single OpenSSL command:
openssl x509 -in demoCA/cacert.pem -outform DER -out cacert.der
Also, add the following line to your conf/mime.types file in your Apache installation:
application/x-x509-ca-cert der pem crt
Now restart Apache for the change to take effect. You should now be able to place both the cacert.der and demoCA/cacert.pem files anywhere on your web server, and have clients install the new cert by simply clicking on either link.
Early versions of Netscape expected
pem format, but recent versions will accept either. Internet Explorer is just the opposite (early IE would accept only
der format, but recent versions will take both). Other browsers will generally accept either format.
A dialog box will open in your browser when you download the new Certificate Authority, asking if you'd like to continue. Accept the certificate, and that's all there is to it. Now SSL certs that are signed by your CA will be accepted without warning the user.
Keep in mind that Certificate Authorities aren't to be taken lightly. If you accept a new CA in your browser, you had better trust it completely--a mischevious CA manager could sign all sorts of certs that you should never trust, but your browser would never complain (since you claimed to trust the CA when you imported it). Be very careful about who you extend your trust to when using SSL-enabled browsers. It's worth looking around in the CA cache that ships with your browser to see exactly who you trust by default.
For example, did you know that AOL/Time Warner has its own CA? How about GTE? Or Visa? CA certificates for all of these entities (and many others) ship with Netscape 7.0 for Linux, and are all trusted authorities for web sites, email, and application add-ons, by default. Keep this in mind when browsing SSL-enabled sites: if any one of the default authorities have signed online content, then your browser will trust it without requiring operator acknowledgment.
If you value your browser's security (and, by extension, the security of your client machine), then make it a point to review your trusted CA relationships.
ResourcesFor more on OpenSSL, creating Certificate Authorities, and my book on Linux Hacks, check out these resources:
O'Reilly & Associates recently released (January 2003)Linux Server Hacks.
For more information, or to order the book, click here.
Return to the Linux DevCenter.