@rickapps
Last active December 28, 2024 22:03
How to Add Your Own SSL Root Certificate to Linux and Windows

How to Add a Root Certificate

The best way to make your web browser trust SSL certificates you create yourself is to add your own root certificate to your operating system. Your web browser will trust any certificate it can trace back to a root certificate that resides either in the browser's trusted store or in the operating system's trusted store. The benefit of installing the root to your operating system is that every browser on your computer will trust all certificates you create from that root. The GitHub project rickapps/self-signed-ssl-chain demonstrates how to create your own certificate chains that behave identically to the SSL certificates you purchase.

How to Check if an SSL Certificate is a Root

Root certificates must meet two criteria: 1) the certificate is self-signed, meaning Issuer and Subject are equal; 2) the Basic Constraints extension has CA set to TRUE and is marked critical. Use the following command to see if your certificate qualifies (works with both .crt and .pem extensions):

openssl x509 -in mycert.pem -text -noout 

About midway through the output of the above command you will see the X509v3 extensions:

  1. The Subject Key Identifier and the Authority Key Identifier should match because the certificate is self-signed. At the top of the output you will see the Issuer and Subject match as well.
  2. It is a Certificate Authority. Root certificates must contain Basic Constraints: critical CA:TRUE.

If either condition is not met, the certificate is not a valid root certificate and cannot be installed as such.
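The two checks above can be scripted so a file is tested before it goes into a trust store. This is an added example, not part of the original gist; the function names, file names, and the constructed sample certificates are assumptions made for illustration.

```sh
# Added example (not from the original gist): test the page's two root criteria.
# is_root_cert FILE: exit 0 only if Issuer == Subject and the certificate
# carries "Basic Constraints: critical, CA:TRUE"; the reason goes to stderr.
is_root_cert() {
    cert=$1
    subject=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253) || return 1
    issuer=$(openssl x509 -in "$cert" -noout -issuer -nameopt RFC2253) || return 1
    if [ "${subject#subject=}" != "${issuer#issuer=}" ]; then
        echo "$cert: Issuer and Subject differ" >&2
        return 1
    fi
    # In -text output the extension value sits on the line after its name.
    bc=$(openssl x509 -in "$cert" -noout -text | grep -A1 'X509v3 Basic Constraints' || true)
    case $bc in
        *critical*CA:TRUE*) return 0 ;;
    esac
    echo "$cert: Basic Constraints is not critical CA:TRUE" >&2
    return 1
}

# make_sample_certs DIR: constructed inputs (all names are placeholders): a root,
# a self-signed certificate that is not a CA, and a leaf signed by the root.
make_sample_certs() {
    d=$1
    cat > "$d/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Constructed Example Root
[v3_root]
basicConstraints = critical, CA:TRUE
[v3_leaf]
basicConstraints = CA:FALSE
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$d/ext.cnf" \
        -extensions v3_root -keyout "$d/root.key" -out "$d/rootCA.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$d/ext.cnf" \
        -subj "/CN=selfsigned.example.test" -extensions v3_leaf \
        -keyout "$d/self.key" -out "$d/selfsigned.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=leaf.example.test" \
        -config "$d/ext.cnf" -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/rootCA.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 1 -extfile "$d/ext.cnf" -extensions v3_leaf \
        -out "$d/leaf.pem" 2>/dev/null
}

tmp=$(mktemp -d) && make_sample_certs "$tmp"
for f in rootCA selfsigned leaf; do if is_root_cert "$tmp/$f.pem"; then echo "$f.pem: valid root"; fi; done
```

Only rootCA.pem passes: selfsigned.pem fails the Basic Constraints check and leaf.pem fails the Issuer/Subject check.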

Installing a Root Certificate on Fedora

Your certificate should have extension pem. If it is in any other format, convert it to a pem file.

openssl x509 -in rootCA.crt -out rootCA.pem -outform PEM 

Copy or move the pem file to /etc/pki/ca-trust/source/anchors, then run update-ca-trust.

sudo cp ./rootCA.pem /etc/pki/ca-trust/source/anchors/
sudo update-ca-trust

Installing a Root Certificate on Ubuntu

Of course Ubuntu/Debian has to be different from Fedora. Your root certificate file should have extension crt. Also note the different folder and the different update command.

sudo cp ./rootCA.crt /usr/local/share/ca-certificates/
sudo update-ca-certificates

Installing a Root Certificate on Windows 11

The root certificate should be in a crt file. If you have it packaged as a pem file, you can convert it.

openssl x509 -in rootCA.pem -out rootCA.crt

Open the Start menu and type mmc for Microsoft Management Console. Open the program that has the red toolbox icon. From the File menu of mmc, select Add/Remove Snap-in to display the Snap-in Wizard. You want to install the snap-in called Certificates if it is not already installed. Follow the wizard and select Computer Account and Local Computer when prompted.

Now you can browse all the certificates on the computer. You want to add a new root certificate to those listed in the Trusted Root Certification Authorities section. From the top menu bar select Action/All Tasks/Import... and select your certificate file to import.

Verify Root Certificate is Installed

Your web browser will list all trusted root certificates. Typically your web browser ships with its own set of trusted roots. But it will supplement its store of trusted roots with the root certificates trusted by your operating system. This feature is usually turned on by default, but you can change that in your browser's settings. Use your web browser to check if your browser trusts your newly installed root certificate.

Firefox

From Settings select Privacy & Security. Scroll down to Security, then click View Certificates. You should see your new certificate in the list of Authorities.

Chrome

From Settings select Privacy and security, then select Security. Scroll down to Manage Certificates and select it. You should see your root certificates listed on the Authorities tab.

Edge

From Settings type Security into the search field. Click on Manage certificates, then select the Trusted Root Certification Authorities tab to see your new certificate.
