deutsch | english

How can I trust CAcert's root certificate?

See also How to import CAcert root certificate into browser clients

In order to have your browser or system automatically trust all certificates signed by the CAcert Certificate Authority, you must instruct your platform or browser to trust the CAcert root certificate http://www.cacert.org/index.php?id=3.

Note that for all systems, you will need to trust both the root certificate root.crt, as well as the class 3 certificate class3.crt.

Some of this information is already covered in the BrowserClients article, so also look there to see if it has the information you need.

Trusting a new Certificate Authority is a process that varies from one platform to the next, so here are some of the ways to trust the CAcert root certificates. The instructions below will only outline how to trust one certificate, and just repeat the process to trust the second certificate.

WARNING: Always double-check the fingerprint on the downloaded certificates before trusting them. If you don't, you could be trusting a maliciously modified root certificate.

Mac OS X

There are two ways to trust the CAcert root certificates: one from the command line, and one from the Keychain GUI. Each method requires that you use an account with administrative privileges.

Using the Keychain GUI

  1. Download the desired certificate to your desktop from here.

  2. CAUTION: Verify the certificate fingerprints before proceeding!

  3. Open the certificate file, either using Command-O or by double-clicking on the file.
  4. When Keychain appears, select the X509Anchors keychain.

  5. You will be prompted to authenticate with your password to modify the system-wide X509Anchors keychain.

Using the command line

# Download the certificates
curl -k -o "cacert-root.crt"   "https://www.cacert.org/certs/root.crt"
curl -k -o "cacert-class3.crt" "https://www.cacert.org/certs/class3.crt"
#
# CAUTION: Verify the certificate fingerprints before proceeding!
#
# Import the certificates into the desired keychain
sudo certtool i "cacert-root.crt"   k=/System/Library/Keychains/X509Anchors
sudo certtool i "cacert-class3.crt" k=/System/Library/Keychains/X509Anchors
# Clean up after ourselves
rm "cacert-root.crt"
rm "cacert-class3.crt"

10.5 Leopard

If you're using 10.5 Leopard and try the certtool command above, you may see this error message:

***************************************************************
                         WARNING

The keychain you are accessing, X509Anchors, is no longer
used by Mac OS X as the system root certificate store.
Please read the security man page for information on the
add-trusted-cert command. New system root certificates should
be added to the Admin Trust Settings domain and to the
System keychain in /Library/Keychains.
***************************************************************
***Error adding certificate to keychain

The solution is to use the security command with add-trusted-cert instead:

sudo /usr/bin/security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain cacert-root.crt
sudo /usr/bin/security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain cacert-class3.crt

Windows

Covering all of the ways to import this certificate into Windows is beyond the scope of this article, and is already covered by How to import CAcert root certificates into browser clients.

Windows: cygwin environment

There is no /etc/ssl; instead, you have to save it in /usr/ssl/certs, and under its special name.

wget "http://www.cacert.org/certs/root.crt" -O /usr/ssl/certs/5ed36f99.0

Location found using "strace wget https://somesite 2>&1 |grep ssl", which obviously fails, but you see the attempt to read a cert at this location.

WindowsMobile

Windows Mobile 5

* On WindowsMobile2005 you need to download the DER-Encoded certificate (pocketIE cannot save it, so you need to store it in a zip-file for download.) * Then you need to rename it to .cer . Only then will you be able to install it with a double-click. * On https://wap.kleinbetrieb.biz/cacert.zip you can find the certificate in a zip, directly downloadable to your device.

* You can also import new certificates using a CAB file in Windows Mobile. Generic instructions on how to make them can be found on the Windows Mobile blog. A premade CAB file with both the Class 1 and Class 3 certificates can be found at http://jacob.steenhagen.us/CAcert.cab. This CAB, signed by Jacob Steenhagen's CAcert certificate, can simply be downloaded to your device and installed. You can verify the certificates are genuine by opening the CAB file and inspecting _setup.xml ensuring that the line before the <param/> (which contains the actual certificate) reads:

   <characteristic type="135cec36f49cb8e93b1ab270cd80884676ce8f33">

for class 1 and:

   <characteristic type="db4c4269073fe9c2a37d890a5c1b18c4184e2a2d">

for class 3. (Note: These should be verified against the Internet Explorer thumbprint at http://www.cacert.org/index.php?id=3).

PocketPC2002

To verify the certificate has been successfully imported into the Pocket PC device:

notes

(Note that for wap1.x-gateways there is no way to host encrypted wap-pages if your provider's wap-gateway does not have the certificate because it's not end-to-end but decrypted on the gateway, not the device.)

Linux

How your particular distribution will need to be modified to trust the CAcert root certificates will vary from one distribution to the next. However, there are some distributions about which we know some information, listed below.

Otherwise, you can obtain the certificates from the website as usual, from here.

On ubuntu : try
sudo apt-get install ca-certificates
when installed the package is installedn, you can do :
dpkg-query -L ca-certificates
to have the list of the root certs

Debian

As of March 2014, Debian no longer distributes CACert root certificates as part of Debian packages.

You can still import CACert root certificates using the following:

$ wget http://www.cacert.org/certs/root.crt http://www.cacert.org/certs/class3.crt
$ sudo cp root.crt /usr/local/share/ca-certificates/cacert-root.crt
$ sudo cp class3.crt /usr/local/share/ca-certificates/cacert-class3.crt
$ sudo update-ca-certificates

This should output something like this:

$ sudo update-ca-certificates
Updating certificates in /etc/ssl/certs... 2 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d....
Adding debian:cacert-class3.pem
Adding debian:cacert-root.pem
done.
done.

Then, you are done. See man update-ca-certificates and /usr/share/doc/ca-certificates/README.Debian from the ca-certificates package for more information.

KDE

The CAcert root certificate can be added to KDE's certificate store so that all KDE applications, including Konqueror, will trust certificates signed by it.

Symbian

Nokia E61

Java

$ keytool -keystore $/PATH/TO/CACERTS/KEYSTORE -storepass changeit -import -trustcacerts -v -alias cacertclass1 -file root.crt
$ keytool -keystore $/PATH/TO/CACERTS/KEYSTORE -storepass changeit -import -trustcacerts -v -alias cacertclass3 -file class3.crt

Typical locations of the cacerts keystore:

Acrobat Reader

See also AdobeReader.

Procedure for Acrobat 8:

Android Phones & Tablets

Before Android version 4.0, with Android version Gingerbread & Froyo, there was a single read-only file ( /system/etc/security/cacerts.bks ) containing the trust store with all the CA ('system') certificates trusted by default on Android. Both system apps and all applications developed with the Android SDK use this. Use these instructions on installing CAcert certificates on Android Gingerbread, Froyo, ...

Starting from Android 4.0 (Android ICS/'Ice Cream Sandwich', Android 4.3 'Jelly Bean' & Android 4.4 'KitKat'), system trusted certificates are on the (read-only) system partition in the folder '/system/etc/security/' as individual files. However, users can now easily add their own 'user' certificates which will be stored in '/data/misc/keychain/certs-added'.

System-installed certificates can be managed on the Android device in the Settings -> Security -> Certificates -> 'System'-section, whereas the user trusted certificates are manged in the 'User'-section there. When using user trusted certificates, Android will force the user of the Android device to implement additional safety measures: the use of a PIN-code, a pattern-lock or a password to unlock the device are mandatory when user-supplied certificates are used.

Installing CAcert certificates as 'user trusted'-certificates is very easy. Installing new certificates as 'system trusted'-certificates requires more work (and requires root access), but it has the advantage of avoiding the Android lockscreen requirement.

CAcert user trusted certificates

Download the certificate files ('root.crt' and 'class3.crt') onto the internal flash storage (the '/sdcard' or any subfolder). Browse to this folder with the file manager and open 'root.crt'. Although there might not be an icon for certificates and the files will have a '?'-icon, files will be opened with the certificate manager, asking you for a name to describe the to-be-imported certificate. If it is the first user certificate you install, the Android Security Model forces you to use a lock-screen to unlock your device (see "CAcert system trusted certificates" if you really need to avoid this) Repeat with the 'class3.crt' file. Check if both certificate files are installed correctly, Settings -> Security -> Certificates -> 'User'-section should now list the certificates you have just installed.

CAcert system trusted certificates (without lockscreen)

The existing method of importing user certificates works fine, but it has the disadvantage that it requires a PIN / password lockscreen whenever user certificates are installed. By installing the CAcert certificates as system certificates, these files are better protected from tampering by malicious apps, and there is no lockscreen requirement (allows 'Slide to unlock' or no lock at all). You will need a rooted phone (or at least temporary root access), and a system with openssl software for creating the new certificates.

The next steps will show you how to create Android compatible certificate files from the original CAcert certificate files, how to install/import them on your android device, and how to verify everything is correctly installed.

Creating

We will create Android compatible certificate files from the original CAcert certificate files. Get the CAcert root certificates from the cacert.org website https://www.cacert.org/index.php?id=3 Download the root certificate PEM format (root.crt) and the Class 3 PKI key in PEM format (class3.crt) Get the hash of the root.crt certificate:

openssl x509 -inform PEM -subject_hash_old -in root.crt | head -1

This shows you the hash, in the case of the CAcert PEM file 'root.crt' it is '5ed36f99' (note the use of '-subject_hash_old' instead of '-subject_hash', to get an openssl 0.9 compatible hash) We will use this hash value, append '.0' (dot zero) and use this as the filename for the resulting Android certificate:

cat root.crt > 5ed36f99.0
openssl x509 -inform PEM -text -in root.crt -out /dev/null >> 5ed36f99.0

Repeat these steps for the Class 3 PEM certificate file 'class3.crt'. If things go well you will end up with the files 5ed36f99.0 and e5662767.0 (if you get the hash values 590d426f and 99d0fa06, you are not using the '-subject_hash_old' parameter to openssl). The md5sum of the certificate files:

md5sum 5ed36f99.0
05e5fcd7af6ba52e254d065b734213ab  5ed36f99.0

md5sum e5662767.0
000e8e995568091e1d411ff6deb4c118  e5662767.0

Importing

We now have Android compatible certificate files, and we will import them into Android 'System' certificate store

Copy the files to the /sdcard folder, either with any file manager or with adb push. Go into adb shell (adb shell from commandline), or open the 'terminal'-application on your android device. You will get a command prompt similar like shell@android:/ $ Gain superuser/root rights, neccessary to perform privileged actions:

su

Make the /system folder writable (will return to read-only upon reboot):

mount -o remount,rw /system

Copy the new certificate files to the correct folder on your Android device:

cp /sdcard/5ed36f99.0 /system/etc/security/cacerts/
cp /sdcard/e5662767.0 /system/etc/security/cacerts/

Correct the file permissions to u=rw, g=r, o=r:

cd /system/etc/security/cacerts/
chmod 644 5ed36f99.0
chmod 644 e5662767.0

Check if the files are ok:

ls -al -Z

Omit '-Z' if you are using a version of Android without SElinux, it just shows some extra security settings which might be useful if you run into trouble.

Amongst the other default android certificate files, you will see the two new files:

-rw-r--r-- root     root              u:object_r:system_file:s0 5ed36f99.0
-rw-r--r-- root     root              u:object_r:system_file:s0 e5662767.0

The certificates will be loaded upon the next boot of your device, so reboot your device:

reboot

Verifying

To verify certificates are installed correctly, go to Settings -> Security -> Certificates. It should list both "CAcert Inc." and "Root CA" among the other certificates in the 'System' section. Make sure that these CAcert certificates are not also in the 'User' (user defined) section. From your android device, visit https://www.cacert.org. If you do not see a warning about missing or untrusted certificates, all went well.

Note that some browsers might use their own certificate store instead of the Android one, you might need to import certificate files into those browsers as well.

If you are unable to disable the Android PIN/Pattern lock screen after installing the system certificates, you might need to "Clear/delete credentials" (in Settings -> Security) even though you have removed all user certificates.

If you run into problems, compare the md5 sum of the certificate files with the md5 values in this article, check the file permissions of the newly installed files. Make sure no user certificates are installed (Settings -> Security -> Clear certificates), and make sure you are using a browser app that uses the android certificate store and does not implement an own certificate store.

In the future, newer versions of openssl might be used on Android, if so, you might need to drop the "_old"-part of the "-subject_hash_old" openssl parameter.

References

How to install CAcert certificates on Android ICS, Jelly Bean and newer by Sebastiaan Giebels

CyanogenMod forum with identical article by Sebastiaan Giebels

Adding SSL root certificates to Android Ice Cream Sandwich and Jellybean by Patrick Vande Walle containing specific OpenSSL details

StackOverflow - user2708846 comment on how to create correct Android certificate files

Description of the ICS Trust Store Implementation by Nikolay Elenkov

Cyanogenmod wiki (old) - articke on adding a CA without requiring a PIN(makes the mistake of not using the certificate hash as filename)

StackExchange - Install CA without having to activate screen lock

Palm Pre (webOS)

Starting with webOS 1.2, the proceeding for adding the root certificates to the Palm Pre is extremely simple and can be done entirely on the phone.

  1. Visit http://www.cacert.org/index.php?id=3 in the Pre's browser (http://www.cacert.org and click on Root Certificates)

  2. Under Class 1, click the link for Root Certificate (PEM Format)

  3. A gray progress will appear at the bottom of the screen. Once the certificate is fully downloaded, an arrow will appear on the right side of the bar
  4. Click on the bar containing root.crt and the aforementioned arrow

  5. The certificate manager will open giving you the ability to view detail and accept or reject the certificate
    • Unfortunately, I don't see anything on that details screen to validate the fingerprint
  6. Click on the "Trust Certificate" button
  7. Repeat for Class 3, Intermediate Certificate (PEM Format)

Note: prior to webOS 1.2 you had to copy the .crt files to the phone's memory using USB mode, load the certificate manager (Device Info; More Info (button at bottom); Certificate Manager (Preferences menu at top)), and import the certificates (icon in lower left of screen to browse for them).

How can I be sure that it is authentic?

There are many ways to ensure that you have an authentic, non-tampered copy of the root certificates, all of which boil down to having a trusted party verify the certificate fingerprints. In some cases, your system distribution is the trusted party, but you can also verify it for yourself.

Finding the correct fingerprints

CAcert is working to provide multiple places to verify the certificate fingerprints. The following are already known ways to find authentic copies of the CAcert root certificate fingerprints.

CAcert is currently working on providing fingerprints through these additional means:

FAQ/ImportRootCert (last edited 2014-10-08 08:51:31 by JonathanBallet)