• FAQ
• ImportRootCert

Clear message

How can I trust CAcert's root certificate?

See also How to import CAcert root certificate into browser clients

In order to have your browser or system automatically trust all certificates signed by the CAcert Certificate Authority, you must instruct your platform or browser to trust the CAcert root certificate http://www.cacert.org/index.php?id=3.

Note that for all systems, you will need to trust both the root certificate root.crt, as well as the class 3 certificate class3.crt.

Some of this information is already covered in the BrowserClients article, so also look there to see if it has the information you need.

Trusting a new Certificate Authority is a process that varies from one platform to the next, so here are some of the ways to trust the CAcert root certificates. The instructions below will only outline how to trust one certificate, and just repeat the process to trust the second certificate.

WARNING: Always double-check the fingerprint on the downloaded certificates before trusting them. If you don't, you could be trusting a maliciously modified root certificate.

Mac OS X

There are two ways to trust the CAcert root certificates: one from the command line, and one from the Keychain GUI. Each method requires that you use an account with administrative privileges.

Using the Keychain GUI

1. Download the desired certificate to your desktop from here.

2. CAUTION: Verify the certificate fingerprints before proceeding!

3. Open the certificate file, either using Command-O or by double-clicking on the file.

4. When Keychain appears, select the X509Anchors keychain.

5. You will be prompted to authenticate with your password to modify the system-wide X509Anchors keychain.

Using the command line

# Download the certificates
curl -k -o "cacert-root.crt"   "https://www.cacert.org/certs/root.crt"
curl -k -o "cacert-class3.crt" "https://www.cacert.org/certs/class3.crt"
#
# CAUTION: Verify the certificate fingerprints before proceeding!
#
# Import the certificates into the desired keychain
sudo certtool i "cacert-root.crt"   k=/System/Library/Keychains/X509Anchors
sudo certtool i "cacert-class3.crt" k=/System/Library/Keychains/X509Anchors
# Clean up after ourselves
rm "cacert-root.crt"
rm "cacert-class3.crt"

10.5 Leopard

If you're using 10.5 Leopard and try the certtool command above, you may see this error message:

***************************************************************
                         WARNING

The keychain you are accessing, X509Anchors, is no longer
used by Mac OS X as the system root certificate store.
Please read the security man page for information on the
add-trusted-cert command. New system root certificates should
be added to the Admin Trust Settings domain and to the
System keychain in /Library/Keychains.
***************************************************************
***Error adding certificate to keychain

The solution is to use the security command with add-trusted-cert instead:

sudo /usr/bin/security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain cacert-root.crt
sudo /usr/bin/security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain cacert-class3.crt

Windows

Covering all of the ways to import this certificate into Windows is beyond the scope of this article, and is already covered by How to import CAcert root certificates into browser clients.

Windows: cygwin environment

There is no /etc/ssl; instead, you have to save it in /usr/ssl/certs, and under its special name.

wget "http://www.cacert.org/certs/root.crt" -O /usr/ssl/certs/5ed36f99.0

Location found using "strace wget https://somesite 2>&1 |grep ssl", which obviously fails, but you see the attempt to read a cert at this location.

WindowsMobile

Windows Mobile 5

* On WindowsMobile2005 you need to download the DER-Encoded certificate (pocketIE cannot save it, so you need to store it in a zip-file for download.) * Then you need to rename it to .cer . Only then will you be able to install it with a double-click. * On https://wap.kleinbetrieb.biz/cacert.zip you can find the certificate in a zip, directly downloadable to your device.

* You can also import new certificates using a CAB file in Windows Mobile. Generic instructions on how to make them can be found on the Windows Mobile blog. A premade CAB file with both the Class 1 and Class 3 certificates can be found at http://jacob.steenhagen.us/CAcert.cab. This CAB, signed by Jacob Steenhagen's CAcert certificate, can simply be downloaded to your device and installed. You can verify the certificates are genuine by opening the CAB file and inspecting _setup.xml ensuring that the line before the <param/> (which contains the actual certificate) reads:

   <characteristic type="135cec36f49cb8e93b1ab270cd80884676ce8f33">

for class 1 and:

   <characteristic type="db4c4269073fe9c2a37d890a5c1b18c4184e2a2d">

for class 3. (Note: These should be verified against the Internet Explorer thumbprint at http://www.cacert.org/index.php?id=3).

PocketPC2002

• There is a tool contained in the zip-file downloadable at http://support.microsoft.com/default.aspx?scid=kb;en-us;322956 (pocketIE on a wm2005-device could not display the html-page here but another browser might do.). This tool will only work with Self-Issued certificates.

• Load the CA Cert into Internet Explorer as a trusted root.
• Export the certificate from IE as a DER encoded binary X.509 (.CER)
• Upload the file to your PocketPC
• In the File Manager, locate the uploaded certificate and click on it to open and import it.
• After loading the certificate, warm-reset the Pocket PC to make it read the new root certificate.

To verify the certificate has been successfully imported into the Pocket PC device:

• In the Settings menu, tap the "System" tab. Then tap "Certificates".
• Tap on the "Root" tab. You should now see the new CA Cert root certificate that you added.

notes

(Note that for wap1.x-gateways there is no way to host encrypted wap-pages if your provider's wap-gateway does not have the certificate because it's not end-to-end but decrypted on the gateway, not the device.)

Linux

How your particular distribution will need to be modified to trust the CAcert root certificates will vary from one distribution to the next. However, there are some distributions about which we know some information, listed below.

• Debian: Install the ca-certificates package.

• Knoppix: CD versions newer than 3.8 have the certificates already.

• Red Hat 5+: wget -O - http://www.cacert.org/certs/root.txt >> /etc/pki/tls/certs/ca-bundle.crt (this will be overridden by updated openssl RPMs so it is likely not the best method)

• Red Hat 4: Change the above location of ca-bundle.crt to /usr/share/ssl/certs/ca-bundle.crt

Otherwise, you can obtain the certificates from the website as usual, from here.

On debian/ubuntu : try
sudo apt-get install ca-certificates
when installed the package is installedn, you can do :
dpkg-query -L ca-certificates
to have the list of the root certs

KDE

The CAcert root certificate can be added to KDE's certificate store so that all KDE applications, including Konqueror, will trust certificates signed by it.

• Download the certificate(s) in PEM or DER format.

• In the KDE Control Center, under "Security & Privacy > Crypto," go to the "SSL Signers" page, and click "Import."

• Choose a certificate you downloaded.
• You may be asked whether to make the certificate available to KMail as well. This is recommended.

• IMPORTANT! Find the certificate in the list (it may help to sort by "Organizational Unit" and then look for "http://www.cacert.org"), click on it, and verify that the MD5 digest shown at the bottom of the window matches the one shown on the download page.

Symbian

Nokia E61

• Download the root and class 3 certificates in der format

• Copy the certificates to the E61 (the E61 cannot read the files direct from the web)
• Open each certificate in File Manager, and save the certificate. You will have to confirm this as the E61 believes that the certificates may be unsafe.

Java

$ keytool -keystore $/PATH/TO/CACERTS/KEYSTORE -storepass changeit -import -trustcacerts -v -alias cacertclass1 -file root.crt
$ keytool -keystore $/PATH/TO/CACERTS/KEYSTORE -storepass changeit -import -trustcacerts -v -alias cacertclass3 -file class3.crt

Typical locations of the cacerts keystore:

• /usr/lib/jvm/java-$VERSION/jre/lib/security/cacerts

Acrobat Reader

See also AdobeReader.

Procedure for Acrobat 8:

• Menu Document -> Manage Trusted Identities...

• Display: Certificates
• Button "Add COntacts..."
• "Browse" to the root certificates
• Edit trust to your liking. "Signatures and as trusted root" is the essential thing, the others are optional.

Android Phones

Way 1: on Android 4.0 and higher.

Prerequisites:

• Android 4.0 or higher
• a buildin screen locker like password, pattern or PIN (else the certificate store within Android won't accept user-defined certificates.)

• a local copy of the CACert-RootCertificates or a web-based access.

NO root-access is required on the Android-device, with Android 4.0 exists a builtin GUI for this.

If you have a local copy open the certificates via a file browser with the certificate installation wizard (if asked). Follow the descriptions there and you are done.

If you want to download the copy from the CACert.org website directly you can do. Once you open the downloaded file (e.g. via the downloads manager of your device) the process is the same: open it with the certificate installation wizard and follow the instructions.

Way 2: Android SDK

Prerequisites:

• On Phone
  • Root access
• On Computer
  • Java 1.6
  • Android SDK
  • Root/Administrator access, or CLASSPATH editing skills

Step 1: Obtain required files

• Download http://bouncycastle.org/download/bcprov-jdk16-141.jar and place it on $JAVA_HOME/jre/lib/ext/

• Download http://www.cacert.org/certs/root.crt to your work directory

• Optional: Download http://www.cacert.org/certs/class3.crt to your work directory

Step 2: Fetch cacerts.bks from phone

$ adb pull /system/etc/security/cacerts.bks cacerts.bks
407 KB/s (51899 bytes in 0.124s)

(File sizes and transfer speeds may vary)

Step 3: Import CAcert into cacerts.bks

$ keytool -keystore cacerts.bks -storetype BKS -provider org.bouncycastle.jce.provider.BouncyCastleProvider -storepass changeit -importcert -trustcacerts -alias CACERT -file root.crt
Owner: EMAILADDRESS=support@cacert.org, CN=CA Cert Signing Authority, OU=http://www.cacert.org, O=Root CA
Issuer: EMAILADDRESS=support@cacert.org, CN=CA Cert Signing Authority, OU=http://www.cacert.org, O=Root CA
Serial number: 0
Valid from: Sun Mar 30 09:29:49 GMT-03:00 2003 until: Tue Mar 29 09:29:49 GMT-03:00 2033
Certificate fingerprints:
         MD5:  A6:1B:37:5E:39:0D:9C:36:54:EE:BD:20:31:46:1F:6B
         SHA1: 13:5C:EC:36:F4:9C:B8:E9:3B:1A:B2:70:CD:80:88:46:76:CE:8F:33
         Signature algorithm name: MD5withRSA
         Version: 3

Extensions:

#1: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

#2: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 16 B5 32 1B D4 C7 F3 E0   E6 8E F3 BD D2 B0 3A EE  ..2...........:.
0010: B2 39 18 D1                                        .9..
]
]

#3: ObjectId: 2.16.840.1.113730.1.8 Criticality=false

#4: ObjectId: 2.16.840.1.113730.1.4 Criticality=false

#5: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: https://www.cacert.org/revoke.crl]
]]

#6: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 16 B5 32 1B D4 C7 F3 E0   E6 8E F3 BD D2 B0 3A EE  ..2...........:.
0010: B2 39 18 D1                                        .9..
]

[EMAILADDRESS=support@cacert.org, CN=CA Cert Signing Authority, OU=http://www.cacert.org, O=Root CA]
SerialNumber: [    00]
]

#7: ObjectId: 2.16.840.1.113730.1.13 Criticality=false

Trust this certificate? [no]:  yes
Certificate was added to keystore

Verify whether import was successful:

$ keytool -keystore cacerts.bks -storetype BKS -provider org.bouncycastle.jce.provider.BouncyCastleProvider -storepass changeit -v -list| grep -i cacert
Alias name: CACERT
Owner: O=Root CA,OU=http://www.cacert.org,CN=CA Cert Signing Authority,E=support@cacert.org
Issuer: O=Root CA,OU=http://www.cacert.org,CN=CA Cert Signing Authority,E=support@cacert.org

Optional: Repeat this step for class3.crt, using -alias CACERT3. Verification should report both certificates available then.

Step 4: Upload cacerts.bks to phone

To write the file back to your /system partition you have to remount it with read-write permissions.

# remount /system read-write
$ adb shell mount -o remount,rw /system

If this command does not work on your phone, use mount to find out how /system is mounted. E.g. on a Samsung Galaxy S you find a rfs file system and the working syntax was

mount -o rw,remount -t rfs /dev/block/stl9 /system

# upload the new certs file
$ adb push cacerts.bks /system/etc/security/
780 KB/s (53788 bytes in 0.067s)

# remount /system read-only
$ adb shell mount -o remount,ro /system
## Samsung Galaxy: mount -o ro,remount -t rfs /dev/block/stl9 /system

Step 6: Reboot your phone

Reboot to ensure the certificate list gets reloaded.

Try https://www.cacert.org (warning should disappear)

Way 3: Android Terminal Emulator

Prerequisites:

• On Phone
  • Root access
  + any possibility to copy a file from SD card to computer

Step 1: Obtain required files

• Download http://bouncycastle.org/download/bcprov-jdk16-141.jar and place it on $JAVA_HOME/jre/lib/ext/

• Download http://www.cacert.org/certs/root.crt to your work directory

• Optional: Download http://www.cacert.org/certs/class3.crt to your work directory

Step 2: Fetch cacerts.bks from phone

cp /system/etc/security/cacerts.bks /sdcard/

Copy the file to your computer.

Step 3: Import CAcert into cacerts.bks

Same as in way 1.

Step 4: Upload cacerts.bks to phone

Copy the new cacerts.bks back to the SD card.

Execute the commands given above in Step 4 directly in your Android Terminal Emulator. (As above, find out how your /system partition is mounted.)

mount -o remount,rw /system
## or on Galaxy S with rfs filesystem: mount -o rw,remount -t rfs /dev/block/stl9 /system

## upload the new certs file
cp /sdcard/cacerts.bks /system/etc/security/
780 KB/s (53788 bytes in 0.067s)

# remount /system read-only
mount -o remount,ro /system
## or: mount -o ro,remount -t rfs /dev/block/stl9 /system

Step 6: Reboot your phone

See way 1!

Howto in German language

• silkemeyer blog

Palm Pre (webOS)

Starting with webOS 1.2, the proceeding for adding the root certificates to the Palm Pre is extremely simple and can be done entirely on the phone.

1. Visit http://www.cacert.org/index.php?id=3 in the Pre's browser (http://www.cacert.org and click on Root Certificates)

2. Under Class 1, click the link for Root Certificate (PEM Format)

3. A gray progress will appear at the bottom of the screen. Once the certificate is fully downloaded, an arrow will appear on the right side of the bar

4. Click on the bar containing root.crt and the aforementioned arrow

5. The certificate manager will open giving you the ability to view detail and accept or reject the certificate
   • Unfortunately, I don't see anything on that details screen to validate the fingerprint
6. Click on the "Trust Certificate" button

7. Repeat for Class 3, Intermediate Certificate (PEM Format)

Note: prior to webOS 1.2 you had to copy the .crt files to the phone's memory using USB mode, load the certificate manager (Device Info; More Info (button at bottom); Certificate Manager (Preferences menu at top)), and import the certificates (icon in lower left of screen to browse for them).

How can I be sure that it is authentic?

There are many ways to ensure that you have an authentic, non-tampered copy of the root certificates, all of which boil down to having a trusted party verify the certificate fingerprints. In some cases, your system distribution is the trusted party, but you can also verify it for yourself.

• If your system is mentioned above, you can follow those instructions to ensure you have a authentic copy of the CAcert root certificates.

• You can manually download and verify the certificates from here.

Finding the correct fingerprints

CAcert is working to provide multiple places to verify the certificate fingerprints. The following are already known ways to find authentic copies of the CAcert root certificate fingerprints.

• You can decrypt the GPG signed message from here here and compare the certificate fingerprints contained in the message with those contained in your downloaded certificates.

• Obtain a copy printed on the AssuranceForms; ask for one at the next event.

• Find them in the Impressum of Linux Magazin

CAcert is currently working on providing fingerprints through these additional means:

• Business cards with the fingerprints printed on them.
• Listing the fingerprints in additional magazines.

External websites with generally accepted server certificates:

• https://image.rayservers.com/ssl/cacert/root.crt

• https://image.rayservers.com/ssl/cacert/class3.crt

---

another way is published in German CAcertImportFürAndroidImport

---

• CategoryCommunity

• CategoryConfiguration

• CategoryGuide

• CategorySoftware

• CategorySupport