Updated on 2023-12-19 GMT+08:00

Trusting a Private Root CA

Before installing a private certificate, you need to add the root CA to the trusted root certificate authorities of the client or server.

Prerequisites

You have created and exported a private root CA. For details, see Exporting a Private CA Certificate.

Constraints

  • One-way authentication

    For the client to trust your server, you need to add the root CA that issued the server certificate to the client-side trusted CA store.

  • Two-way authentication

    To enable two-way authentication between a server and a client, each side needs to add the root CA of the other side to their own trusted root CA store.

Procedure

Use one of the following methods, depending on the operating system, to add the root CA to the trusted root certification authorities:

Root CA PCA TEST ROOT G0 is used as an example.

  • Windows
    1. Change the file name extension of the root CA certificate from .pem to .crt, and double-click the certificate file. The root CA certificate information shows that the root certificate is untrusted.
      Figure 1 Root CA not trusted
    2. Click Install Certificate, select a certificate storage location based on the certificate usage, and click Next.
    3. As shown in Figure 2, select Place all certificates in the following store and click Browse. Then, select Trusted Root Certification Authorities and click OK.
      Figure 2 Storing a root certificate
    4. Click Next, and then click OK. A dialog box is displayed, indicating that Windows will trust all certificates issued by the private root CA. Click Yes.
    5. Double-click the root CA certificate file. If the Certificate Information area shows that the system trusts the root CA certificate, the root CA is added to the trusted root CAs.
      Figure 3 Trusted root CA
  • Linux

    The path for and method of storing root CA certificates vary depending on the Linux OS version. The following procedure uses CentOS 6 as an example:

    1. Copy the root CA certificate file to the /home/ directory.
    2. If ca-certificates is not installed on the server, run the following command to install ca-certificates:

      yum install ca-certificates

    3. Copy the root CA certificate to the /etc/pki/ca-trust/source/anchors/ directory:

      cp /home/root.crt /etc/pki/ca-trust/source/anchors/

    4. Add the root CA certificate to the trusted root certificate file:

      update-ca-trust extract

    5. Open the generated bundle and check that the newly added root CA certificate is listed in it:

      view /etc/pki/tls/certs/ca-bundle.crt

      Figure 4 Root CA certificate added to the trusted CA list

    If the OpenSSL version is too old, the configuration may not take effect. You can run the yum update openssl -y command to update the OpenSSL version.
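    Eyeballing ca-bundle.crt in an editor is error-prone, so the following added Python example (not part of this page or the PCA service) checks step 5 programmatically: it extracts every PEM certificate block from the bundle, computes the SHA-256 fingerprint of each DER body, and reports whether the exported root CA's fingerprint is among them. The root file name and the bundle path default are assumptions; the bundle path is the CentOS location given above.

```python
import base64
import hashlib
import re

# One PEM certificate block; tolerant of CRLF line endings and of the
# comment lines (subject names) that ca-bundle.crt places between blocks.
_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def pem_to_der_blocks(pem_text: str) -> list:
    """Return the DER bytes of every CERTIFICATE block found in pem_text."""
    ders = []
    for body in _PEM_BLOCK.findall(pem_text):
        # Strip all whitespace first; PEM base64 is wrapped at 64 columns.
        ders.append(base64.b64decode(re.sub(r"\s+", "", body), validate=True))
    return ders


def sha256_fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint in the colon-separated form OpenSSL prints."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def root_in_bundle(root_pem: str, bundle_pem: str) -> bool:
    """True if the single root CA in root_pem appears in bundle_pem.

    Matching is by fingerprint of the DER encoding, so line wrapping,
    line endings and surrounding comments in either file do not matter.
    """
    roots = pem_to_der_blocks(root_pem)
    if len(roots) != 1:
        raise ValueError("expected exactly one certificate in root_pem")
    want = sha256_fingerprint(roots[0])
    return any(sha256_fingerprint(d) == want for d in pem_to_der_blocks(bundle_pem))


def check_files(root_path: str,
                bundle_path: str = "/etc/pki/tls/certs/ca-bundle.crt") -> bool:
    """Read both files and report whether update-ca-trust picked up the root."""
    with open(root_path) as f, open(bundle_path) as g:
        return root_in_bundle(f.read(), g.read())


if __name__ == "__main__":
    import sys  # usage: python check_root.py /home/root.crt [bundle path]
    bundle = sys.argv[2] if len(sys.argv) > 2 else "/etc/pki/tls/certs/ca-bundle.crt"
    ok = check_files(sys.argv[1], bundle)
    print("root CA present in bundle" if ok else "root CA NOT found in bundle")
    sys.exit(0 if ok else 1)
```

    A non-zero exit status means update-ca-trust extract did not include the certificate, which is the case the OpenSSL note above describes.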

  • macOS
    1. Open the macOS startup console and select Keychain Access.
    2. Enter the password to log in to Keychain Access.
    3. Drag and drop the target root CA certificate into Keychain Access. At this point the root CA certificate is still untrusted by the system.
    4. Right-click the root CA certificate to open its details.
    5. Click Trust, select Always Trust for When using this certificate, and click Close.
    6. Enter the password to make the configuration of the trusted root CA certificate take effect.
    7. View the root CA certificate on the Keychain Access window. If the certificate is trusted by the system, the root CA is successfully added to the trusted root CA store.