català | česky | dansk | deutsch | english | español | français | lingála | magyar | nederlands | norsk | polski | português | svenska

Jak importovat kořenový certifikát CAcert do klientského softwaru

Viz také: Import kořenových certifikátů | E-mailové klientské programy

Chcete-li navštívit web, který používá SSL certifikát podepsaný CAcertem, můžete od SSL dostat výstrahu. Je nám líto, ale v současnosti je to stále ještě 'normální', protože hlavní (nejrozšířenější) prohlížeče ještě standardně neobsahují kořenový certifikát CAcertu. (Zkontrolujte stránku Stav vložení pro poslední zprávy o této věci.)

Tento článek říká, jak můžete manuálně vložit kořenový certifikát CAcert (CAcert Root Certificate) do svého webového prohlížeče a dalších klientských programů (jako Acrobat Reader), abyste už zmíněnou výstrahu nedostávali.

Očekávaný výsledek: Navštívíte https://www.cacert.org/ a další weby používající CAcertem vydané certifikáty a nedostanete už žádné výstrahy o neznámých certifikátech.

Mozilla Firefox

Firefox používá svůj vlastní Správce certifikátů (Certificate Manager). Takže i když Vaše aplikace Windows (a jiné od Microsoftu) již používají kořenový certifikát CAcert, Firefox ještě nemusí.

Import kořenového certifikátu CAcert

  1. Jděte na web s kořenovými certifikáty CAcert: http://www.cacert.org/index.php?id=3

  2. Klikněte na 'Kořenový certifikát (formát PEM)' *1)

  3. Uvidíte zprávu:

You have been asked to trust a new Certificate Authority (CA).
Do you want to trust "CA Cert Signing Authority" for the following purposes?
[ ] Trust this CA to identify web sites.
[ ] Trust this CA to identify email users.
[ ] Trust this CA to identify software developers.
Before trusting this CA for any purpose, you should examine its certificate
and its policy and procedures (if available).
[VIEW] Examine CA certificate
(česky):
Dotaz, zda důvěřujete nové certifikační autoritě (CA)?
Chcete důvěřovat "CA Cert Signing Authority" (podepisující autoritě Ca Cert) pro tyto účely?
[ ] Důvěřuji této CA pro identifikaci webů.
[ ] Důvěřuji této CA pro identifikaci uživatelů e-mailu.
[ ] Důvěřuji této CA pro identifikaci vývojářů softwaru.
Před vyslovením důvěry této CA pro kterýkoli účel prozkoumejte její certifikát a jeho zásady a procedury (jsou-li dostupné).
[ZOBRAZIT] Zkontrolujte certifikát CA
  1. Měl(a) byste kliknout na VIEW (ZOBRAZIT) a zkontrolovat certifikát. Nejdůležitější je zkontrolovat "otisky prstů" (fingerprints) certifikátu *2). Měly by se shodovat (v případě kořenového certifikátu CAcert) s:

SHA1 otisk prstu: 135C EC36 F49C B8E9 3B1A B270 CD80 8846 76CE 8F33
MD5  otisk prstu: A6:1B:37:5E:39:0D:9C:36:54:EE:BD:20:31:46:1F:6B
  1. Zavřete prohlížeč certifikátů a označte aspoň první možnost ('Důvěřuji této CA pro identifikaci webů.').
  2. Stiskněte OK, to je vše.

Instalace Seznamu odvolaných certifikátů (Certificate Revocation List, CRL)

  1. Klikněte tlačítko 'Revocation Lists' (odvolací seznam) v Preference -> Upřesnit -> Šifrování (Preferences-> Advanced-> Encryption) a tím otevřete okno Manage CRL (Práce s CRL).

  2. Zde klikněte tlačítko "Import", pak zadejte URL http://crl.cacert.org/revoke.crl.

  3. Klikněte OK a nastavte preference automatické aktualizace podle potřeby. Poznámka: Po stisknutí OK může chvíli trvat, než se CRL importuje.

Chcete-li kontrolovat, modifikovat nebo odstranit kořenový certifikát CAcertu, máte k němu kdykoli přístup takto:

  1. Otevřete dialog Edit -> Preferences -> Advanced nebo Tools -> Options -> Advanced (úpravy-preference-upřesnit nebo nástroje-možnosti-upřesnit)

  2. Certificates -> Manage Certificates (spravovat certifikáty)

  3. Autority
  4. Certifikát CAcertu se nazývá Root CA (sjeďte v seznamu k 'R'!)

  5. Zvolte zde View, Edit nebo Delete.

Mozilla Thunderbird

Thunderbird používá svůj vlastní Správce certifikátů (Certificate Manager). Takže i když Vaše aplikace Windows (a jiné od Microsoftu) již používají kořenový certifikát CAcert, Thunderbird ještě nemusí. Následující procedura Vám řekne, jak importovat kořenový certifikát CAcert do Vašeho e-mailového klienta Thunderbird.

  1. Jděte na web s kořenovými certifikáty CAcert: http://www.cacert.org/index.php?id=3

  2. Klikněte PRAVÝM tlačítkem myši na 'Kořenový certifikát (formát PEM)' a uložte ho do vhodného umístění.
  3. Spusťte Thunderbird
  4. Podle verze Thunderbirdu
    • - u starších verzí: Preferences-> Privacy-> Security-> View Certificates -> CA

    • - u verze V2.x: Tools->Options->Encryption->View Certificates->Authorities

  5. Zvolte "Importovat certifikát" nebo "Import..."
  6. Uvidíte zprávu:

You have been asked to trust a new Certificate Authority (CA).
Do you want to trust "CA Cert Signing Authority" for the following purposes?
[ ] Trust this CA to identify web sites.
[ ] Trust this CA to identify email users.
[ ] Trust this CA to identify software developers.
Before trusting this CA for any purpose, you should examine its certificate
and its policy and procedures (if available).
[VIEW] Examine CA certificate
(česky):
Dotaz, zda důvěřujete nové certifikační autoritě (CA)?
Chcete důvěřovat "CA Cert Signing Authority" (podepisující autoritě Ca Cert) pro tyto účely?
[ ] Důvěřuji této CA pro identifikaci webů.
[ ] Důvěřuji této CA pro identifikaci uživatelů e-mailu.
[ ] Důvěřuji této CA pro identifikaci vývojářů softwaru.
Před vyslovením důvěry této CA pro kterýkoli účel prozkoumejte její certifikát a jeho zásady a procedury (jsou-li dostupné).
[ZOBRAZIT] Zkontrolujte certifikát CA
  1. Měl(a) byste kliknout na VIEW (ZOBRAZIT) a zkontrolovat certifikát. Nejdůležitější je zkontrolovat "otisky prstů" (fingerprints) certifikátu *2). Měly by se shodovat (v případě kořenového certifikátu CAcert) s:

SHA1 otisk prstu: 135C EC36 F49C B8E9 3B1A B270 CD80 8846 76CE 8F33
MD5  otisk prstu: A6:1B:37:5E:39:0D:9C:36:54:EE:BD:20:31:46:1F:6B
  1. Zavřete prohlížeč certifikátů a označte aspoň první možnost ('Důvěřuji této CA pro identifikaci webů.').
  2. Stiskněte OK, to je vše.

Jakmile jste instalovali kořenový certifikát do Thunderbirdu (nebo jiné Vaší klientské aplikace), můžete smazat soubor 'root.crt', který jste si stáhl(a) v kroku 2.

To install the CRL, click the 'Revocation Lists' button in Preferences->Advanced->Certificates to open the Manage CRL window. Once there, click the "Import" button, then enter the URL http://crl.cacert.org/revoke.crl, click "OK", and set the automatic update preferences accordingly. Note: it may take a few moments to import the CRL after you click "OK".

Apple Safari

To add the CAcert Root Certificate to Apple Safari, we need to use the Keychain Access application which is shipped with Mac OS X.

To install the certificate system-wide, you need to follow these steps:

  1. Go to the CAcert Root Certificate website: http://www.cacert.org/index.php?id=3

  2. Click on 'Root Certificate (PEM Format)'. It will be downloaded to your desktop.
  3. Double click on the 'root.crt' file. The Keychain Access application will be launched
  4. To check the certificate, click on the 'View Certificates' button on the left side of the dialog
    • Lion 10.7: 'Certificates' at bottom, but not 'My Certificates.' Click on the root shown in main box.

  5. A dialog with information about the certificate will pop up.
    • Lion: skim to bottom to of dialog.

    • Make sure the following values match:

Fingerprints
SHA1: 13 5C EC 36 F4 9C B8 E9 3B 1A B2 70 CD 80 88 46 76 CE 8F 33
MD5: A6 1B 37 5E 39 0D 9C 36 54 EE BD 20 31 46 1F 6B
  1. Select 'System' from the 'Keychain' dropdownlist and press 'OK'.
    • Lion: To install for all users, drag the certificate(s) from your 'Certificates' box up and left and drop on 'System'.

  2. You will be asked to authenticate yourself. After that, the certificate will be installed system-wide.

The Keychain Access application makes certificates available to all applications including Chrome (but not Thunderbird nor Firefox which use Mozilla certificate storing).

Opera Webbrowser

This applies to 8.02 Linux, not sure about 6.x or 7.x

  1. Go to the CAcert Root Certificate website: http://www.cacert.org/index.php?id=3

  2. Click on 'Root Certificate (PEM Format)'
  3. Choose 'View'
  4. Check 'Allow connections to sites using this certificate'
  5. If desired, uncheck 'Warn me before using this certificate'

There seems to be an occasional problem getting the certification to pass on Opera 8.5 in Windows. Here is the workaround:

  1. Make sure cache is cleared.
  2. Attempt to get cert. via Opera ID'ing.
  3. Attempt to get while ID'ing as IE 6.0 (in Opera).
  4. Attempt to get while ID'ing as Opera again. This time, cert. should pass through.

It seems there is something about the caching where it wants both IE and Opera set at the same time before it will let the Opera cert. go through. Odd, but it works.

Microsoft Internet Explorer

You have two possibilities using Microsoft Internet Explorer. One is to automatically install it using ActiveX and one is to manually import it.

ActiveX

ActiveX installation (won't work with Windows Vista)

  1. Go to the CAcert Root Certificate website: http://www.cacert.org/index.php?id=3

  2. Click on 'Click here if you want to import the root certificate into Microsoft Internet Explorer'
  3. Check that the certificate matches the following:

Fingerprints
SHA1: 135CEC36 F49CB8E9 3B1AB270 CD808846 76CE8F33
MD5: A61B375E 390D9C36 54EEBD20 31461F6B
  1. Click on yes.

Manual Installation (for a single user)

If you want to install the CAcert Root Certificate manually into Internet Explorer do the following:

  1. Go to the CAcert Root Certificate website: http://www.cacert.org/index.php?id=3

  2. Download the 'Root Certificate' and the 'Intermediate Certificate' (choose either DER or PEM Format - it doesn't matter)
  3. Open the Windows Key Store: View -> Tools -> Internet Options -> Content -> Personal -> Certificates

  4. Choose the
    1. For class1: Trusted Root Certification Authorities tab.

    2. For class3: Intermediate Certification Authorities tab.

  5. Import the Certificates you downloaded.

Note: This procedure only adds the CAcert Certificates to the current user! If you have multiple user accounts have a look at the next section.

Microsoft Windows

Single user

  1. Go to the CAcert Root Certificate website: http://www.cacert.org/index.php?id=3

  2. Download the 'Root Certificate' and the 'Intermediate Certificate' (choose either DER or PEM Format - it doesn't matter)
  3. Log in as an Administrator
  4. In Windows Explorer, browse to the class 1 Root certificate you downloaded and right-click it, selecting Install Certificate (and click Open and Next if necessary)

  5. Verify that the radio box labeled Place all certificates in the following store is checked and that text box says Trusted Root Certification Authorities

  6. Click Next and then Finish. You should get a message saying the import was successful.

  7. In Windows Explorer, browse to the class 3 Intermediate certificate you downloaded and right-click it, selecting Install Certificate (and click Open and Next if necessary)

  8. Verify that the radio box labeled Place all certificates in the following store is checked and that text box says Intermediate Certification Authorities

  9. Click Next and then Finish. You should get a message saying the import was successful.

Multiple users

If you have more than one account on your computer you don't want to install the CAcert Root Certificate for every single user. Therefore you can manually import the CAcert Root Certificates into the Local Machine Store. This procedure works only for Microsoft programs (e.g. Internet Explorer and Outlook), so you will also need to import the certificate into non-Microsoft browsers and e-mail programs.

  1. Click the windows Start button and choose Run

  2. Type MMC, then hit Enter

  3. From the new window open the File menu and choose Add/Remove Snap-in...

  4. click the Add Button

  5. choose the certificates item from the listbox and click the Add Button

  6. choose the Computer Account radio button and click the Next Button

  7. choose the Local Computer radio button and click the Finish Button

  8. click the Ok Button

  9. expand the tree to view Trusted Root Certification Authorities node

  10. right click on the Trusted Root Certification Authorities

  11. find the All Tasks menu item then choose Import off that menu and click Next

  12. type in, or browse to the class 1 Root certificate you previously downloaded and click Next

  13. verify that the radio box labeled Place all certificates in the following store is checked and that text box says Trusted Root Certification Authorities

  14. click Next and then Finish. You should get a message saying the import was successful.

  15. right click on the Intermediate Certification Authorities

  16. find the All Tasks menu item then choose Import off that menu and click Next

  17. type in, or browse to the class 3 Intermediate certificate you previously downloaded and click Next

  18. verify that the radio box labeled Place all certificates in the following store is checked and that text box says Intermediate Certification Authorities

  19. click Next and then Finish. You should get a message saying the import was successful.

You may close the MMC window.

Microsoft Outlook

Just follow the Internet Explorer instructions, given above. When using Outlook 2007 you must import class 1 and 3 certificates (if your certificate is signed by the the class 3 certificate). An additional Problem with Outlook 2007 is that it doesn't care about alt names, so make sure your Common Name is set correctly.

Microsoft Outlook 2010 testing

note : some previous testings were done with Jason Curl, in April 2011, with no clear results. We could not figure out which software is broken (Outlook 2010 or Thunderbird version 3)

Import into Microsoft Active Directory Group Policy object

To use certificates generated with CACert.org with any MS office product, you will have to manually import the root certificate into your certificate store, you can do this on your machine from that same interface, BUT if you want to use the certificates across the enterprise you will have to follow this text, borrowed from the MS support website.

Add the third-party root CA to the trusted roots in an Active Directory Group Policy object (GPO). To configure Group Policy in the Windows 2000 domain to distribute the third-party CA to the trusted root store of all domain computers:

  1. Click Start -> Programs -> Administrative Tools -> Active Directory Users and Computers

  2. In the left pane, locate the domain in which the policy you want to edit is applied.
  3. Right-click the domain, and then click Properties.

  4. Click the Group Policy tab.

  5. Create a new Group Policy by clicking on New and give the new GPO a name

  6. Click on the new object, and then click Edit. A new window opens.

  7. In the left pane, expand the following items: 'Computer Configuration', 'Windows Settings', 'Security Settings', 'Public Key Policy'
  8. Right-click Trusted Root Certification Authorities.

  9. Select All Tasks, and then click Import.

  10. Follow the instructions in the wizard to import the certificate.
  11. Click OK.

  12. Close the Group Policy window.

Editing the Default Domain Policy as this wiki previously suggested is a bad idea.

Sha256 support under older Windows System

Acrobat 6.0

For Acrobat READER 6.0.X, do the following if the Windows Certificate Store includes CAcert root certificate

  1. Edit Menu->Preferences

  2. choose Digital Signatures

  3. Then click the Advanced Preferences button

  4. Then check the following 3 checkboxes:
    • Enable importing of identities from the Windows Certificate Store into the Adobe Trusted Identities List
    • Validating Signatures
    • Validating Certified Documents

Note: This MAY also work for Acrobat 6 Acedemic, Standard, and Professional versions, but it has not been verified.

Acrobat 7.0 to 10.0

How to add the root CAcert cert to Adobe certificate store as they don't use the Windows cert store.

Question: I am getting the error Certifier's Identity is Unknown ?

To make this simple the reason is because the CACert.org root cert isn't in Adobe, as of Acrobat 7 only 2 CAs have their root cert in Acrobat, GeoTrust and Adobe, this is something you will have to guide your clients through if you want to use another CAs certificates to sign your PDF documents. Acrobat Reader does indeed have the ability to verify its documents against the Windows cert store, at least Acrobat Reader 7 does. To do this:

  1. Open Acrobat (Reader, Academic, Standard or Professional)
  2. Choose the Edit menu

  3. Choose Preferences

  4. Choose the Security category

  5. Choose the Advanced Preferences button

  6. Choose the Windows Integration tab

  7. Then check the following 3 checkboxes
    • Enable importing of identites from the Windows Certificate Store into the Adobe Trusted Identities List
    • validating signatures
    • validating certified documents

Remember: this only installs the CAcert Root Certificate into your copy of Acrobat, not any other software (like a web browser or email client).

Google Chrome

Linux

In Linux, Google Chrome uses Mozilla's NSS for the certificates, then you need the certutil tool to manage it.

In Debian/Ubuntu certutil comes from libnss3-tools

$ sudo apt-get install libnss3-tools

and to import the our root certs you simply need to run:

$ wget -O cacert-root.crt "http://www.cacert.org/certs/root.crt"
$ wget -O cacert-class3.crt "http://www.cacert.org/certs/class3.crt"

$ certutil -d sql:$HOME/.pki/nssdb -A -t TC -n "CAcert.org" -i cacert-root.crt 
$ certutil -d sql:$HOME/.pki/nssdb -A -t TC -n "CAcert.org Class 3" -i cacert-class3.crt

and now it just works, without needing to restart the browser.

Addtl. external links with further details:

Mac OS X

Chrome uses the system keychain for key management, see the section about Apple Safari for instructions on how to set it up.

External Documentation

Leftovers from the original page

Note :

As you may use your personal certs (email certs) for signing documents, lets start with a brief background: "How are you generating your keys?"

When you request a cert from a CA like CACert.org, your computer generates the private key, and a request that you then use to retrieve the signed public key portion from the CA.

If you are using IE to generate this, it automatically stores both portions of your key in the Windows key store. If you are using Firefox, you are going to have a little more trouble, as you will have to export the key from the Firefox key store and import it into the Windows key store before you can use it with Word or any other Office product.

Manually importing/exporting CAcert personal mail certificates into IE

Follow the same instructions as written above.

At that point you may import your entire certificate or back them up, one of the options for backup included a checkbox to include the private key. For simplicities sake, lets assume that you used IE to generate the certificate, thus the certificate is in the store, if not, go back at and do it that way, it will save you headaches.

FAQ

Foot notes