català | česky | dansk | deutsch | english | español | français | lingála | magyar | nederlands | norsk | polski | português | svenska
Jak importovat kořenový certifikát CAcert do klientského softwaru
Viz také: Import kořenových certifikátů | E-mailové klientské programy
Chcete-li navštívit web, který používá SSL certifikát podepsaný CAcertem, můžete od SSL dostat výstrahu. Je nám líto, ale v současnosti je to stále ještě 'normální', protože hlavní (nejrozšířenější) prohlížeče ještě standardně neobsahují kořenový certifikát CAcertu. (Zkontrolujte stránku Stav vložení pro poslední zprávy o této věci.)
Tento článek říká, jak můžete manuálně vložit kořenový certifikát CAcert (CAcert Root Certificate) do svého webového prohlížeče a dalších klientských programů (jako Acrobat Reader), abyste už zmíněnou výstrahu nedostávali.
Očekávaný výsledek: Navštívíte https://www.cacert.org/ a další weby používající CAcertem vydané certifikáty a nedostanete už žádné výstrahy o neznámých certifikátech.
Contents
-
Jak importovat kořenový certifikát CAcert do klientského softwaru
- Mozilla Firefox
- Mozilla Thunderbird
- Apple Safari
- Opera Webbrowser
- Microsoft Internet Explorer
- Microsoft Windows
- Microsoft Outlook
- Microsoft Outlook 2010 testing
- Import into Microsoft Active Directory Group Policy object
- Sha256 support under older Windows System
- Acrobat 6.0
- Acrobat 7.0 to 10.0
- Google Chrome
- External Documentation
- Leftovers from the original page
- FAQ
Mozilla Firefox
Je zde také Firefox add-on (přídavný modul): Importér kořenových certifikátů CACert.
Firefox používá svůj vlastní Správce certifikátů (Certificate Manager). Takže i když Vaše aplikace Windows (a jiné od Microsoftu) již používají kořenový certifikát CAcert, Firefox ještě nemusí.
Import kořenového certifikátu CAcert
Jděte na web s kořenovými certifikáty CAcert: http://www.cacert.org/index.php?id=3
Klikněte na 'Kořenový certifikát (formát PEM)' *1)
- Uvidíte zprávu:
You have been asked to trust a new Certificate Authority (CA). Do you want to trust "CA Cert Signing Authority" for the following purposes? [ ] Trust this CA to identify web sites. [ ] Trust this CA to identify email users. [ ] Trust this CA to identify software developers. Before trusting this CA for any purpose, you should examine its certificate and its policy and procedures (if available). [VIEW] Examine CA certificate (česky): Dotaz, zda důvěřujete nové certifikační autoritě (CA)? Chcete důvěřovat "CA Cert Signing Authority" (podepisující autoritě Ca Cert) pro tyto účely? [ ] Důvěřuji této CA pro identifikaci webů. [ ] Důvěřuji této CA pro identifikaci uživatelů e-mailu. [ ] Důvěřuji této CA pro identifikaci vývojářů softwaru. Před vyslovením důvěry této CA pro kterýkoli účel prozkoumejte její certifikát a jeho zásady a procedury (jsou-li dostupné). [ZOBRAZIT] Zkontrolujte certifikát CA
Měl(a) byste kliknout na VIEW (ZOBRAZIT) a zkontrolovat certifikát. Nejdůležitější je zkontrolovat "otisky prstů" (fingerprints) certifikátu *2). Měly by se shodovat (v případě kořenového certifikátu CAcert) s:
SHA1 otisk prstu: 135C EC36 F49C B8E9 3B1A B270 CD80 8846 76CE 8F33 MD5 otisk prstu: A6:1B:37:5E:39:0D:9C:36:54:EE:BD:20:31:46:1F:6B
- Zavřete prohlížeč certifikátů a označte aspoň první možnost ('Důvěřuji této CA pro identifikaci webů.').
- Stiskněte OK, to je vše.
Instalace Seznamu odvolaných certifikátů (Certificate Revocation List, CRL)
Klikněte tlačítko 'Revocation Lists' (odvolací seznam) v Preference -> Upřesnit -> Šifrování (Preferences-> Advanced-> Encryption) a tím otevřete okno Manage CRL (Práce s CRL).
Zde klikněte tlačítko "Import", pak zadejte URL http://crl.cacert.org/revoke.crl.
- Klikněte OK a nastavte preference automatické aktualizace podle potřeby. Poznámka: Po stisknutí OK může chvíli trvat, než se CRL importuje.
Chcete-li kontrolovat, modifikovat nebo odstranit kořenový certifikát CAcertu, máte k němu kdykoli přístup takto:
Otevřete dialog Edit -> Preferences -> Advanced nebo Tools -> Options -> Advanced (úpravy-preference-upřesnit nebo nástroje-možnosti-upřesnit)
Certificates -> Manage Certificates (spravovat certifikáty)
- Autority
Certifikát CAcertu se nazývá Root CA (sjeďte v seznamu k 'R'!)
- Zvolte zde View, Edit nebo Delete.
Mozilla Thunderbird
Thunderbird používá svůj vlastní Správce certifikátů (Certificate Manager). Takže i když Vaše aplikace Windows (a jiné od Microsoftu) již používají kořenový certifikát CAcert, Thunderbird ještě nemusí. Následující procedura Vám řekne, jak importovat kořenový certifikát CAcert do Vašeho e-mailového klienta Thunderbird.
Jděte na web s kořenovými certifikáty CAcert: http://www.cacert.org/index.php?id=3
- Klikněte PRAVÝM tlačítkem myši na 'Kořenový certifikát (formát PEM)' a uložte ho do vhodného umístění.
- Spusťte Thunderbird
- Podle verze Thunderbirdu
- u starších verzí: Preferences-> Privacy-> Security-> View Certificates -> CA
- u verze V2.x: Tools->Options->Encryption->View Certificates->Authorities
- Zvolte "Importovat certifikát" nebo "Import..."
- Uvidíte zprávu:
You have been asked to trust a new Certificate Authority (CA). Do you want to trust "CA Cert Signing Authority" for the following purposes? [ ] Trust this CA to identify web sites. [ ] Trust this CA to identify email users. [ ] Trust this CA to identify software developers. Before trusting this CA for any purpose, you should examine its certificate and its policy and procedures (if available). [VIEW] Examine CA certificate (česky): Dotaz, zda důvěřujete nové certifikační autoritě (CA)? Chcete důvěřovat "CA Cert Signing Authority" (podepisující autoritě Ca Cert) pro tyto účely? [ ] Důvěřuji této CA pro identifikaci webů. [ ] Důvěřuji této CA pro identifikaci uživatelů e-mailu. [ ] Důvěřuji této CA pro identifikaci vývojářů softwaru. Před vyslovením důvěry této CA pro kterýkoli účel prozkoumejte její certifikát a jeho zásady a procedury (jsou-li dostupné). [ZOBRAZIT] Zkontrolujte certifikát CA
Měl(a) byste kliknout na VIEW (ZOBRAZIT) a zkontrolovat certifikát. Nejdůležitější je zkontrolovat "otisky prstů" (fingerprints) certifikátu *2). Měly by se shodovat (v případě kořenového certifikátu CAcert) s:
SHA1 otisk prstu: 135C EC36 F49C B8E9 3B1A B270 CD80 8846 76CE 8F33 MD5 otisk prstu: A6:1B:37:5E:39:0D:9C:36:54:EE:BD:20:31:46:1F:6B
- Zavřete prohlížeč certifikátů a označte aspoň první možnost ('Důvěřuji této CA pro identifikaci webů.').
- Stiskněte OK, to je vše.
Jakmile jste instalovali kořenový certifikát do Thunderbirdu (nebo jiné Vaší klientské aplikace), můžete smazat soubor 'root.crt', který jste si stáhl(a) v kroku 2.
To install the CRL, click the 'Revocation Lists' button in Preferences->Advanced->Certificates to open the Manage CRL window. Once there, click the "Import" button, then enter the URL http://crl.cacert.org/revoke.crl, click "OK", and set the automatic update preferences accordingly. Note: it may take a few moments to import the CRL after you click "OK".
Apple Safari
To add the CAcert Root Certificate to Apple Safari, we need to use the Keychain Access application which is shipped with Mac OS X.
To install the certificate system-wide, you need to follow these steps:
Go to the CAcert Root Certificate website: http://www.cacert.org/index.php?id=3
- Click on 'Root Certificate (PEM Format)'. It will be downloaded to your desktop.
- Double click on the 'root.crt' file. The Keychain Access application will be launched
- To check the certificate, click on the 'View Certificates' button on the left side of the dialog
Lion 10.7: 'Certificates' at bottom, but not 'My Certificates.' Click on the root shown in main box.
- A dialog with information about the certificate will pop up.
Lion: skim to bottom to of dialog.
Make sure the following values match:
Fingerprints SHA1: 13 5C EC 36 F4 9C B8 E9 3B 1A B2 70 CD 80 88 46 76 CE 8F 33 MD5: A6 1B 37 5E 39 0D 9C 36 54 EE BD 20 31 46 1F 6B
- Select 'System' from the 'Keychain' dropdownlist and press 'OK'.
Lion: To install for all users, drag the certificate(s) from your 'Certificates' box up and left and drop on 'System'.
- You will be asked to authenticate yourself. After that, the certificate will be installed system-wide.
The Keychain Access application makes certificates available to all applications including Chrome (but not Thunderbird nor Firefox which use Mozilla certificate storing).
Opera Webbrowser
This applies to 8.02 Linux, not sure about 6.x or 7.x
Go to the CAcert Root Certificate website: http://www.cacert.org/index.php?id=3
- Click on 'Root Certificate (PEM Format)'
- Choose 'View'
- Check 'Allow connections to sites using this certificate'
- If desired, uncheck 'Warn me before using this certificate'
There seems to be an occasional problem getting the certification to pass on Opera 8.5 in Windows. Here is the workaround:
- Make sure cache is cleared.
- Attempt to get cert. via Opera ID'ing.
- Attempt to get while ID'ing as IE 6.0 (in Opera).
- Attempt to get while ID'ing as Opera again. This time, cert. should pass through.
It seems there is something about the caching where it wants both IE and Opera set at the same time before it will let the Opera cert. go through. Odd, but it works.
Microsoft Internet Explorer
You have two possibilities using Microsoft Internet Explorer. One is to automatically install it using ActiveX and one is to manually import it.
ActiveX
ActiveX installation (won't work with Windows Vista)
Go to the CAcert Root Certificate website: http://www.cacert.org/index.php?id=3
- Click on 'Click here if you want to import the root certificate into Microsoft Internet Explorer'
- Check that the certificate matches the following:
Fingerprints SHA1: 135CEC36 F49CB8E9 3B1AB270 CD808846 76CE8F33 MD5: A61B375E 390D9C36 54EEBD20 31461F6B
- Click on yes.
Manual Installation (for a single user)
If you want to install the CAcert Root Certificate manually into Internet Explorer do the following:
Go to the CAcert Root Certificate website: http://www.cacert.org/index.php?id=3
- Download the 'Root Certificate' and the 'Intermediate Certificate' (choose either DER or PEM Format - it doesn't matter)
Open the Windows Key Store: View -> Tools -> Internet Options -> Content -> Personal -> Certificates
- Choose the
For class1: Trusted Root Certification Authorities tab.
For class3: Intermediate Certification Authorities tab.
- Import the Certificates you downloaded.
Note: This procedure only adds the CAcert Certificates to the current user! If you have multiple user accounts have a look at the next section.
Microsoft Windows
Single user
Go to the CAcert Root Certificate website: http://www.cacert.org/index.php?id=3
- Download the 'Root Certificate' and the 'Intermediate Certificate' (choose either DER or PEM Format - it doesn't matter)
- Log in as an Administrator
In Windows Explorer, browse to the class 1 Root certificate you downloaded and right-click it, selecting Install Certificate (and click Open and Next if necessary)
Verify that the radio box labeled Place all certificates in the following store is checked and that text box says Trusted Root Certification Authorities
Click Next and then Finish. You should get a message saying the import was successful.
In Windows Explorer, browse to the class 3 Intermediate certificate you downloaded and right-click it, selecting Install Certificate (and click Open and Next if necessary)
Verify that the radio box labeled Place all certificates in the following store is checked and that text box says Intermediate Certification Authorities
Click Next and then Finish. You should get a message saying the import was successful.
Multiple users
If you have more than one account on your computer you don't want to install the CAcert Root Certificate for every single user. Therefore you can manually import the CAcert Root Certificates into the Local Machine Store. This procedure works only for Microsoft programs (e.g. Internet Explorer and Outlook), so you will also need to import the certificate into non-Microsoft browsers and e-mail programs.
Click the windows Start button and choose Run
Type MMC, then hit Enter
From the new window open the File menu and choose Add/Remove Snap-in...
click the Add Button
choose the certificates item from the listbox and click the Add Button
choose the Computer Account radio button and click the Next Button
choose the Local Computer radio button and click the Finish Button
click the Ok Button
expand the tree to view Trusted Root Certification Authorities node
right click on the Trusted Root Certification Authorities
find the All Tasks menu item then choose Import off that menu and click Next
type in, or browse to the class 1 Root certificate you previously downloaded and click Next
verify that the radio box labeled Place all certificates in the following store is checked and that text box says Trusted Root Certification Authorities
click Next and then Finish. You should get a message saying the import was successful.
right click on the Intermediate Certification Authorities
find the All Tasks menu item then choose Import off that menu and click Next
type in, or browse to the class 3 Intermediate certificate you previously downloaded and click Next
verify that the radio box labeled Place all certificates in the following store is checked and that text box says Intermediate Certification Authorities
click Next and then Finish. You should get a message saying the import was successful.
You may close the MMC window.
Microsoft Outlook
Just follow the Internet Explorer instructions, given above. When using Outlook 2007 you must import class 1 and 3 certificates (if your certificate is signed by the the class 3 certificate). An additional Problem with Outlook 2007 is that it doesn't care about alt names, so make sure your Common Name is set correctly.
Microsoft Outlook 2010 testing
- Outlook 2010 to Outlook 2010 email signing and ciphering should be working fine.
- Email signing works between Win7/Outlook 2010 and Ubuntu 11.04/Thunderbird 6
- Ciphering and signing work from Ubuntu 11.04/Thunderbird 6 to Win7/Outlook 2010
So far, there is no way (based on my tests) to cipher/sign from Win7/Outlook 2010 to Ubuntu 11.04/Thunderbird 6 : Thunderbird complains it cannot decipher the data. Note : there are plenty of new Options in Outlook 2010 to select Hash algo and Cipher algo.
note : some previous testings were done with Jason Curl, in April 2011, with no clear results. We could not figure out which software is broken (Outlook 2010 or Thunderbird version 3)
Import into Microsoft Active Directory Group Policy object
To use certificates generated with CACert.org with any MS office product, you will have to manually import the root certificate into your certificate store, you can do this on your machine from that same interface, BUT if you want to use the certificates across the enterprise you will have to follow this text, borrowed from the MS support website.
Add the third-party root CA to the trusted roots in an Active Directory Group Policy object (GPO). To configure Group Policy in the Windows 2000 domain to distribute the third-party CA to the trusted root store of all domain computers:
Click Start -> Programs -> Administrative Tools -> Active Directory Users and Computers
- In the left pane, locate the domain in which the policy you want to edit is applied.
Right-click the domain, and then click Properties.
Click the Group Policy tab.
Create a new Group Policy by clicking on New and give the new GPO a name
Click on the new object, and then click Edit. A new window opens.
- In the left pane, expand the following items: 'Computer Configuration', 'Windows Settings', 'Security Settings', 'Public Key Policy'
Right-click Trusted Root Certification Authorities.
Select All Tasks, and then click Import.
- Follow the instructions in the wizard to import the certificate.
Click OK.
Close the Group Policy window.
Editing the Default Domain Policy as this wiki previously suggested is a bad idea.
Sha256 support under older Windows System
If you experiences problems using the new Class3 Subroot and creating class3 client certificates, probably your older Windows system (Windows XP, Windows 2003) does not have the patch Microsoft Base Smart Card Crypto Provider (KB909520) installed.
- KB909520 installs support for sha256 and other crypto providers like AES128, AES192, AES256 and more
Further infos about crypto providers under Windows read MSDN library article CryptoAPI Cryptographic Service Providers
Acrobat 6.0
For Acrobat READER 6.0.X, do the following if the Windows Certificate Store includes CAcert root certificate
Edit Menu->Preferences
choose Digital Signatures
Then click the Advanced Preferences button
- Then check the following 3 checkboxes:
- Enable importing of identities from the Windows Certificate Store into the Adobe Trusted Identities List
- Validating Signatures
- Validating Certified Documents
Note: This MAY also work for Acrobat 6 Acedemic, Standard, and Professional versions, but it has not been verified.
Acrobat 7.0 to 10.0
How to add the root CAcert cert to Adobe certificate store as they don't use the Windows cert store.
Question: I am getting the error Certifier's Identity is Unknown ?
To make this simple the reason is because the CACert.org root cert isn't in Adobe, as of Acrobat 7 only 2 CAs have their root cert in Acrobat, GeoTrust and Adobe, this is something you will have to guide your clients through if you want to use another CAs certificates to sign your PDF documents. Acrobat Reader does indeed have the ability to verify its documents against the Windows cert store, at least Acrobat Reader 7 does. To do this:
- Open Acrobat (Reader, Academic, Standard or Professional)
Choose the Edit menu
Choose Preferences
Choose the Security category
Choose the Advanced Preferences button
Choose the Windows Integration tab
- Then check the following 3 checkboxes
- Enable importing of identites from the Windows Certificate Store into the Adobe Trusted Identities List
- validating signatures
- validating certified documents
Remember: this only installs the CAcert Root Certificate into your copy of Acrobat, not any other software (like a web browser or email client).
Google Chrome
Linux
In Linux, Google Chrome uses Mozilla's NSS for the certificates, then you need the certutil tool to manage it.
In Debian/Ubuntu certutil comes from libnss3-tools
$ sudo apt-get install libnss3-tools
and to import the our root certs you simply need to run:
$ wget -O cacert-root.crt "http://www.cacert.org/certs/root.crt" $ wget -O cacert-class3.crt "http://www.cacert.org/certs/class3.crt" $ certutil -d sql:$HOME/.pki/nssdb -A -t TC -n "CAcert.org" -i cacert-root.crt $ certutil -d sql:$HOME/.pki/nssdb -A -t TC -n "CAcert.org Class 3" -i cacert-class3.crt
and now it just works, without needing to restart the browser.
Addtl. external links with further details:
Mac OS X
Chrome uses the system keychain for key management, see the section about Apple Safari for instructions on how to set it up.
External Documentation
Rutgers University FAQ for adding a CA cert to various web browsers
{pt} Root Certificate Installation for Internet Explorer (Carlos Pereira)
https://help.riseup.net/security/certificates/import/ Tutorials from riseup.net for installing the CACert Root Certificate in Firefox, Mozilla, Safari, IE Mac, IE Windows, Thunderbird, Mozilla Mail, Apple Mail, Outlook Windows, Outlook Mac.
Importing and Exporting Digital Certificates with popular Web Browsers by PGP Trustcenter Documentation (IE, FF, Chrome, Safari, Opera with many screenshots)
Leftovers from the original page
Note :
As you may use your personal certs (email certs) for signing documents, lets start with a brief background: "How are you generating your keys?"
When you request a cert from a CA like CACert.org, your computer generates the private key, and a request that you then use to retrieve the signed public key portion from the CA.
If you are using IE to generate this, it automatically stores both portions of your key in the Windows key store. If you are using Firefox, you are going to have a little more trouble, as you will have to export the key from the Firefox key store and import it into the Windows key store before you can use it with Word or any other Office product.
Manually importing/exporting CAcert personal mail certificates into IE
Follow the same instructions as written above.
At that point you may import your entire certificate or back them up, one of the options for backup included a checkbox to include the private key. For simplicities sake, lets assume that you used IE to generate the certificate, thus the certificate is in the store, if not, go back at and do it that way, it will save you headaches.
FAQ
Q My new browser client FF12 returns an error "ssl_error_renegotiation_not_allowed" visiting the page https://community.cacert.org/board/motions.php?motion=
A There is a workaround configuring FF12 settings to allow ssl renegotiation
- enter about:config into the url line
Variant A:
- search for "security.ssl.allow_unrestricted_renego_everywhere_ _temporarily_available_pref" and set it to True
(source: http://my.opera.com/duyda/blog/2011/03/30/ssl-error-renegotiation-not-allowed)
Variant B:
- search for "security.ssl.renego_unrestricted_hosts", add "community.cacert.org,blog.cacert.org" to the string field
Foot notes
x1) If Firefox tells you 'This certificate is already installed as a certificate authority.' someone (such as a network administrator) already imported the root certificate for you.
x2) You also find the fingerprints GPG signed on the CAcert Root Certificate page.