Importing root CA Certificates
M. Gallant 07/26/2001
The links below provide screen shots of the end-user process involved
in importing a root CA digital certificate into the two main browsers
Netscape Messenger and Internet Explorer and into Sun JRE and Java Web Start
. Netscape, IE and the Sun products are all preconfigured
with a "database" containing several well known
root CA certificates from well known issuing authorities. The process of
importing extra root CA certificates has important security and trust
implications, and should only be considered for trusted
issuing sources, a typical example being certificate authorities on company
intranets. Several development environments offer the capability of generating
"self-signed certificates" which are essentially root CA certificates. Do not
import any such certificates from any sources that you do not completely trust.
Note that both browsers support removing/deleting any imported root CA certificates.
The procedure below will vary somewhat for different versions of
the browsers, different versions of the JRE and different operating systems:
JavaPlugin1.3.0_01 : Note that starting with this release of Plugin on Win32 platform,
the root CA certificate verification checking does NOT involve the Microsoft cryptoAPI certificate database!
JRE1.3.0_01 cacerts file must contain the issuer's certificate, as shown in the
applet panel. For standard
(Verisign, Thawte etc..) CAs, this is not a problem, as cacerts contains these certificates as distributed.
However, for custom CA certs (e.g. enterprise CAs), the CA cert must be explicitly imported, as
described in Import root CA Certificate for Java2 (JRE1.2+) .
This significant change has been discussed and critiqued in the
Java Bug Database
as Bug Id 4424604.
The certificate import dialogs described at the above links will be displayed by the browsers provided that
the publishing web-server maps the MIME-type of the certificate file extension (typically .cer, crt, .der etc..)
to application/x-x509-ca-cert. This greatly facilitates the certificate import
process. By contrast currently there is no such process for automated network importing of certificates into
the J2RE cacerts file.