root certificate : Java Glossary

go to home page R words local find full screen, hide local find menu Google search web for more information on this topic jump to foot of page translate this page with Babelfish 2008-07-30 by Roedy Green ©1996-2009 Canadian Mind Products
index page for letter ⇒ punctuation 0-9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z (all)
root certificate
You need the latest and greatest root CA (Certificate Authority) certificates from the various signing authorities installed in your cacerts file and in your browser. With them you can validate the public keys of certificates issued by that authority. The easiest way to do that is to use the latest Java JRE and also go to your browser vendor site and get the latest version of your browser, which will naturally include the latest root certificates. Happily most browsers come with extensive lists of root certificates built-in. Every new version of the browser automatically updates the list.
Why You need to Install Root Certificates Caveat
Importing Code-Signing Root Certificates Sources Of Root Certificates
How to Import Root certificates Into Various Browsers Links

Why You need to Install Root Certificates

If you don’t have the corresponding signing authority root certificate in your browser, your browser will treat SSL (Secure Sockets Layer) https web sites and Applets signed with expensive certificates with the same disdain it treats self-signed phony ones.

When a company such as Thawte or Verisign issues a digital certificate for SSL or code signing, they digitally sign it with their own master private key certificate. To verify that the certificates that they issue are valid, you need a copy of the issuing authority’s public key in your browser for SLL (or in your cacerts file for signed Applets or Java Web Start). The process of installing these public keys is called downloading root certificates or installing certificate authorities.

Importing Code-Signing Root Certificates

To install code signing authorities, download the certificate and read up on how to use keytool.exe to import it into you cacerts file. For Java’s use, you must import the root certificates into all your cacerts files with keytool.
You can always export certificates from one browser and import into another rather that trying to update directly.

With modern JREs, it is most important to get the JREs updated with the recent root certs, then secondarily the browser.

How to Import Root certificates Into Various Browsers

Often all you need do install a certificate is click the link and the root certificate will automatically install into your browser.
How To Update Root Signing Authority Certificates
Last revised: 2008-01-23
Logo Browser What To Do
Get Java Java You download the root certificate then import it into both your JRE and JDK with:
Where C:\temp\Thawte Code Signing CA.cer is the name of the root certificate you are importing. The default password for cacerts. is changeit.
Opera logo Opera Just click on the certificate reference to download and import it, or click File ⇒ Open.

Alternatively, Click tools ⇒ preferences ⇒ advanced ⇒ security ⇒ manage certificates ⇒ import. To see what root certificates are installed Click tools ⇒ preferences ⇒ advanced ⇒ security ⇒ manage certificates.

Firefox logo Firefox Just click on the certificate reference to download and import it, or click File ⇒ Open.

Alternatively, click Tools ⇒ Options ⇒ Advanced ⇒ Encryption ⇒ View Certificates ⇒ import .

Sea Monkey logo Sea Monkey Just click on the certificate reference to download and import it, or click File ⇒ Open.

Alternatively, click Edit ⇒ Preferences ⇒ Privacy & Security ⇒ Certificates ⇒ Manage Certificates ⇒ import .

Internet Explorer 7 IE 7 Download each certificate, then click file ⇒ open.

To see which root signing authority certificates are included click tools ⇒ Internet Options ⇒ Content ⇒ Trusted Root Certificate Authorities.

Internet Explorer 6 IE 6 Download each certificate, then click file ⇒ open.

To see which root signing authority certificates are included click tools ⇒ Internet Options ⇒ Content ⇒ Trusted Root Certificate Authorities.

Safari logo Safari Click start ⇒ Control Panel ⇒ network ⇒ Internet Options ⇒ Content ⇒ Trusted Root Certificate Authorities ⇒ import .
See Mitch Gallant’s documentation on importing root certificates.

Caveat

Be very careful to get the root certificate direct from the original certificate authority, or perhaps from Microsoft or your OS/browser vendor. It could have been tampered with if you pick it up anywhere else.

Sources Of Root Certificates

Here is where you can get various root certificates. Some of the most common ones are not listed here, since they come built-in.
Installing Root Certificate
Source Notes
AdTrust Hosted on the InstantSSL website. AddTrust, InstantSSL and Comodo appear to be sister companies.
Aegis
Aloaha For the Aloha free timestamp server.
ASP Association of Shareware Professionals, the PAD people. They have a list of root certificates used for signing PAD files, including ASP itself.
CalNet University of Berkeley. Need CalNet id.
Cacert Have certs in PEM, DER and TXT form, interesting if you are curious about what is inside a cert. Also have GPG cert. Australian. Issue free certs.
Cren non-profit
Deutsche Bank
Digicert
Entrust
ETH Switzerland, Professor Wirth’s home
GeoTrust include Equifax roots.
GlobalSign
GoDaddy handle Valicert.
Harvard University I searched and searched but could not find it. They ignored my email.
IdentTrust
InstantSSL aka Comodo
Microsoft For W98/Me/NT/W2K Microsoft root certificate updates are part of the Windows Update, though they are not part of the automatic install mechanism.
Netrust
RapidSSL
Sprint for cell-phones
RSA They must be somewhere on the website, but I can’t find them. If you find them, please tell me the URL.
Starfield For the Starfield free timestamp server.
SwissSign
Thawte You can download a complete zipped collection of Thawte root certificates in three different wrapping styles. JDK 1.5 beta inadvertently left out the root Thawte code signing root certificate. You need to import it into all the cacerts. files on machines using your cert.
University of Connecticutt
University of Darthmouth
University of Maryland
Usher Handles issuing certifaces for various universities
Verisign code-signing and SSL. You can also download a bundle of Verisign, Thawte and Geotrust certificates. You can also verify the certificate fingerprints.
Verison for cell-phones
Virginia Tech
WebMoney
certificate vendors
digital certificate
Java Web Start
List of root certificates that Google Checkout supports
signed Applet
Thawte
Verisign
CMP homejump to top
CMP logo		 feedback Please email your feedback for publication, errors, omissions, broken/redirected link reports
and suggestions to improve this page to Roedy Green : feedback email
made with CSS
HTML Checked!
ICRA ratings logo
mindprod.com IP:[65.110.21.43]
Your face IP:[38.103.63.62] The information on this page is for non-military use only.
You are visitor number 11. Military use includes use by defence contractors.
You can get a fresh copy of this page from: or possibly from your local J: drive (Java virtual drive/mindprod.com website mirror)
http://mindprod.com/jgloss/rootcertificate.html J:\mindprod\jgloss\rootcertificate.html