Distributing Your CA to Client Browsers by Rob Flickenger, author of Linux Server Hacks 02/20/2003

Installing your shiny new Certificate Authority certificate to client browsers is just a click away

In order for your client browsers to trust your new Certificate Authority, they must be configured to accept your CA's public key. There are two possible formats that browsers will accept for new certificate authority certs: pem and der. You can generate a der from your existing pem with a single OpenSSL command:

openssl x509 -in demoCA/cacert.pem -outform DER -out cacert.der

Also, add the following line to your conf/mime.types file in your Apache installation:

application/x-x509-ca-cert      der pem crt

Now restart Apache for the change to take effect. You should now be able to place both the cacert.der and demoCA/cacert.pem files anywhere on your web server, and have clients install the new cert by simply clicking on either link.

Early versions of Netscape expected pem format, but recent versions will accept either. Internet Explorer is just the opposite (early IE would accept only der format, but recent versions will take both). Other browsers will generally accept either format.

A dialog box will open in your browser when you download the new Certificate Authority, asking if you'd like to continue. Accept the certificate, and that's all there is to it. Now SSL certs that are signed by your CA will be accepted without warning the user.

Keep in mind that Certificate Authorities aren't to be taken lightly. If you accept a new CA in your browser, you had better trust it completely--a mischevious CA manager could sign all sorts of certs that you should never trust, but your browser would never complain (since you claimed to trust the CA when you imported it). Be very careful about who you extend your trust to when using SSL-enabled browsers. It's worth looking around in the CA cache that ships with your browser to see exactly who you trust by default.

For example, did you know that AOL/Time Warner has its own CA? How about GTE? Or Visa? CA certificates for all of these entities (and many others) ship with Netscape 7.0 for Linux, and are all trusted authorities for web sites, email, and application add-ons, by default. Keep this in mind when browsing SSL-enabled sites: if any one of the default authorities have signed online content, then your browser will trust it without requiring operator acknowledgment.

If you value your browser's security (and, by extension, the security of your client machine), then make it a point to review your trusted CA relationships.

Resources

For more on OpenSSL, creating Certificate Authorities, and my book on Linux Hacks, check out these resources:

• OpenSSL FAQ

• Creating Your Own CA

• Linux Server Hacks

Rob Flickenger is a long time supporter of FreeNetworks and DIY networking. Rob is the author of three O'Reilly books: Building Wireless Community Networks, Linux Server Hacks, and Wireless Hacks.

O'Reilly & Associates recently released (January 2003)Linux Server Hacks.

• Read sample hacks from this book on hacks.oreilly.com.

• You can also look at the Table of Contents, the Index, and the full description of the book.

• For more information, or to order the book, click here.

---

Return to the Linux DevCenter.