Importing Root Certificates


When you create your own certificate authority (CA), the root certificate is self-signed; therefore, no browser will trust it by default. In other words, any browser connecting to FlowForce Server will still display a warning like "This site is not trusted". In order for an HTTP client (such as a browser) to trust your self-signed certificate, the certificate must be imported as follows:

 

- Into the operating system's trusted certificates store, if the browser uses it. On Windows, for example, Google Chrome and Microsoft Edge use the operating system's certificate store, while Mozilla Firefox uses its own store. On Linux, both Google Chrome and Mozilla Firefox use their own certificate stores (see next item). On macOS, Safari uses the operating system's certificate store (Keychain Access).
- Into the trusted certificates store of the browser itself.

Note

- This step must be performed for each client machine (or browser, if applicable) that will access FlowForce Server.
- When you enable SSL encryption between FlowForce Web Server and FlowForce Server, it is not sufficient to import the certificate into the browser. Your self-signed root CA certificate must be trusted by the operating system.

Linux

On Linux, you can import a trusted certificate into the system's certificate store as shown below.

 

Perform the following steps only if you are sure of the authenticity of the certificate you want to trust.

 

On Debian and Ubuntu, follow the steps below:

 

1. Copy the certificate file of the Web server to the following directory:

sudo cp /home/downloads/server_cert.crt /usr/local/share/ca-certificates/

2. Update the certificate store as follows:

sudo update-ca-certificates
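
The two Debian/Ubuntu steps above, combined with a check for the authenticity caveat, as an added example that is not part of the Altova documentation: the certificate is installed only if its SHA-256 fingerprint matches a value obtained out-of-band. The function names and the `ANCHOR_DIR` and `UPDATE_CMD` override variables are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not Altova's code): trust a certificate on Debian/Ubuntu only
# if it matches a SHA-256 fingerprint obtained out-of-band.
# Assumptions: the function names, and the ANCHOR_DIR / UPDATE_CMD overrides,
# which allow a dry run against a scratch directory.
ANCHOR_DIR="${ANCHOR_DIR:-/usr/local/share/ca-certificates}"
UPDATE_CMD="${UPDATE_CMD:-sudo update-ca-certificates}"

# Drop any "label=" prefix, colons and spaces; upper-case the hex digits.
normalize_fp() {
    printf '%s' "$1" | sed 's/^.*=//' | tr -d ': ' | tr 'abcdef' 'ABCDEF'
}

# Print the SHA-256 fingerprint of a PEM certificate; fail if it does not parse.
cert_fingerprint() {
    cf_raw=$(openssl x509 -inform PEM -in "$1" -noout -fingerprint -sha256 2>/dev/null) || return 1
    normalize_fp "$cf_raw"
}

# Usage: install_root_ca FILE EXPECTED_SHA256
install_root_ca() {
    ir_file=$1
    ir_expected=$(normalize_fp "$2")
    ir_actual=$(cert_fingerprint "$ir_file") || {
        echo "error: $ir_file is not a PEM-encoded X.509 certificate" >&2
        return 2
    }
    if [ "$ir_actual" != "$ir_expected" ]; then
        echo "error: fingerprint mismatch, nothing installed" >&2
        echo "  expected: $ir_expected" >&2
        echo "  actual:   $ir_actual" >&2
        return 3
    fi
    # update-ca-certificates only picks up files whose names end in .crt
    ir_base=$(basename "$ir_file")
    ir_dest="$ANCHOR_DIR/${ir_base%.*}.crt"
    if [ -w "$ANCHOR_DIR" ]; then
        cp "$ir_file" "$ir_dest" || return 4
    else
        sudo cp "$ir_file" "$ir_dest" || return 4
    fi
    $UPDATE_CMD || return 5
    echo "trusted: $ir_dest"
}

# Run only when called with arguments: sh trust-ca.sh server_cert.crt <sha256>
if [ "$#" -ge 2 ]; then install_root_ca "$1" "$2"; fi
```

The expected fingerprint should come from the machine where the CA was created (for example, the output of `openssl x509 -in server_cert.crt -noout -fingerprint -sha256` there), not from the copy that was downloaded.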

 

On CentOS, follow the steps below:

 

1. Install the ca-certificates package:

yum install ca-certificates

2. Enable the dynamic certificate authority configuration feature:

update-ca-trust enable

3. Copy the server certificate to the following directory:

cp server_cert.crt /etc/pki/ca-trust/source/anchors/

4. Update the certificate store with the following command:

update-ca-trust extract

For cases where you need to access the server only through the browser, it is sufficient to import the certificate into the browser certificate store. The exact instructions will vary for each browser. For example, in Firefox 59.0.2, you can do this as follows:

 

1. Under Options | Privacy & Security, click View Certificates.
2. On the Authorities tab, click Import and browse for the root certificate file created previously.
3. When prompted, select Trust this CA to identify websites.


 

Mac

On macOS, you can import a trusted certificate into Keychain Access as follows.

 

1. Run Keychain Access.
2. Click System, and then click Certificates.
3. On the File menu, click Import Items.
4. Browse for the trusted certificate, and click Open.
5. Enter the Keychain Access password when prompted, and then click Modify Keychain.
6. Double-click the certificate, expand the Trust section, and select Always Trust.


 

Windows

On Windows, you can import a trusted certificate into the system certificates store as follows:

 

1. Open the Windows certificate store for the computer account (see Accessing Windows Certificate Store).

Perform the following steps only if you are sure of the authenticity of the Web server certificate.

2. Under "Trusted Root Certification Authorities", right-click Certificates, select All Tasks | Import, and follow the certificate import wizard.


For more information, see https://technet.microsoft.com/en-us/library/cc754489(v=ws.11).aspx.


© 2019 Altova GmbH