Importing root CA Certificates

M. Gallant 07/26/2001

The links below provide screenshots of the end-user process involved in importing a root CA digital certificate into the two main browsers, Netscape Messenger and Internet Explorer, and into the Sun JRE and Java Web Start. Netscape, IE and the Sun products are all preconfigured with a "database" containing several well-known root CA certificates from well-known issuing authorities. Importing extra root CA certificates has important security and trust implications, and should only be considered for trusted issuing sources, a typical example being certificate authorities on company intranets. Several development environments offer the capability of generating "self-signed certificates", which are essentially root CA certificates. Do not import any such certificates from any source that you do not completely trust. Note that both browsers support removing/deleting any imported root CA certificates. The procedure below will vary somewhat for different versions of the browsers, different versions of the JRE and different operating systems:

JavaPlugin1.3.0_01: Note that starting with this release of the Plugin on the Win32 platform, root CA certificate verification does NOT involve the Microsoft CryptoAPI certificate database! The JRE1.3.0_01 cacerts file must now contain the issuer's certificate, as shown in the applet panel. For standard CAs (Verisign, Thawte, etc.), this is not a problem, as cacerts contains these certificates as distributed. However, for custom CA certs (e.g. enterprise CAs), the CA cert must be explicitly imported, as described in Import root CA Certificate for Java2 (JRE1.2+).
This significant change has been discussed and critiqued in the Java Bug Database as Bug Id 4424604.

The certificate import dialogs described at the above links will be displayed by the browsers provided that the publishing web server maps the certificate file extension (typically .cer, .crt, .der, etc.) to the MIME type application/x-x509-ca-cert. This greatly facilitates the certificate import process. By contrast, there is currently no such process for automated network importing of certificates into the J2RE cacerts file.