Adding CAs to Browser Trust Stores

TL;DR

Browsers trust Certificate Authorities (CAs) through pre-built lists. But you can add extra CAs yourself, either for specific browsers or system-wide. This is useful for internal CAs, testing, or when a browser hasn’t yet included a CA.

How to Add Additional CAs

  1. Understand Trust Stores: Browsers and operating systems use ‘trust stores’ – lists of trusted root certificates. When a website presents a certificate signed by a CA in the trust store, the browser considers it valid.
    • Each browser has its own trust store (Chrome/Edge, Firefox, Safari).
    • Operating Systems also have system-wide stores (Windows Certificate Store, macOS Keychain Access).
  2. Obtain the CA Certificate: You’ll need the root certificate of the CA in a suitable format. Usually this is a .cer or .pem file.
  3. Add to Chrome/Edge (and other Chromium-based browsers):
    1. Open chrome://settings/certificates in your browser address bar.
    2. Click the ‘Authorities’ tab.
    3. Click ‘Import…’.
    4. Follow the wizard, selecting the CA certificate file and ensuring you choose to trust it for identifying websites (and potentially email users).
  4. Add to Firefox:
    1. Open about:preferences#privacy in your browser address bar.
    2. Scroll down to ‘Certificates’ and click ‘View Certificates…’.
    3. Select the ‘Authorities’ tab.
    4. Click ‘Import…’.
    5. Follow the wizard, selecting the CA certificate file and ensuring you check ‘Trust this CA to identify websites’.
  5. Add to Safari (macOS):
    1. Open Keychain Access (Applications > Utilities).
    2. Drag and drop the CA certificate file into the ‘System’ keychain.
    3. Double-click the certificate in Keychain Access.
    4. Expand the ‘Trust’ section.
    5. Change ‘When using this certificate:’ to ‘Always Trust’. You may need to enter your administrator password.
  6. Add to Windows Certificate Store:
    1. Press Win + R, type certmgr.msc and press Enter.
    2. Expand ‘Trusted Root Certification Authorities’.
    3. Right-click on ‘Certificates’ and select ‘All Tasks > Import…’.
    4. Follow the wizard, selecting the CA certificate file. Ensure you choose to place it in the ‘Trusted Root Certification Authorities’ store.
  7. Add to macOS System Store (using the command line): This is more advanced.
    sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain your_ca_certificate.pem

    Replace your_ca_certificate.pem with the actual filename. Here -d adds the certificate to the admin (system-wide) trust settings rather than the current user's, -r trustRoot marks it as a trusted root, and -k selects the keychain it is stored in.

  8. Restart Browsers: After adding a CA, you *must* restart all affected browsers for the changes to take effect.
  9. Verify Installation: Visit a website whose certificate was issued by your newly added CA. The browser should no longer display certificate errors. You can also view the certificate details in the browser (usually by clicking the padlock icon) to confirm the chain ends at the expected CA.
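The checks around step 2 (is this file really a CA certificate, and is its fingerprint the one the CA published?) and step 9 (does a site's chain actually verify against that CA?) can be scripted. The script below is an added example, not part of the original post or any vendor tool; it assumes OpenSSL is on the PATH, a PEM-encoded certificate, and placeholder file and host names.

```shell
#!/bin/sh
# Preflight checks on a CA certificate before importing it into a trust
# store, plus chain verification against that CA only. Assumes OpenSSL is
# installed; file names and the host name are placeholders.
set -eu

# check_ca_cert FILE: succeeds only if FILE is a parseable X.509 certificate
# that is marked as a CA and is valid right now. Prints the subject and the
# SHA-256 fingerprint so they can be compared with the value the CA publishes.
check_ca_cert() {
    pem="$1"
    openssl x509 -in "$pem" -noout 2>/dev/null \
        || { echo "not an X.509 certificate: $pem" >&2; return 1; }
    # Without BasicConstraints CA:TRUE the certificate cannot act as an issuer,
    # so it is either the wrong file or not a root at all.
    openssl x509 -in "$pem" -noout -text | grep -q 'CA:TRUE' \
        || { echo "not a CA certificate (CA:TRUE missing): $pem" >&2; return 1; }
    # -checkend 0 fails if the certificate has already expired
    openssl x509 -in "$pem" -noout -checkend 0 >/dev/null \
        || { echo "certificate has expired: $pem" >&2; return 1; }
    openssl x509 -in "$pem" -noout -subject -fingerprint -sha256
}

# verify_chain CAFILE LEAFFILE: succeeds if LEAFFILE chains to CAFILE
verify_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# verify_site CAFILE HOST: fetches HOST's live chain on port 443 and checks it
# against CAFILE alone, independent of whatever the OS trust store contains.
verify_site() {
    openssl s_client -connect "$2:443" -servername "$2" -CAfile "$1" \
        </dev/null 2>/dev/null | grep -q 'Verify return code: 0 (ok)'
}

# Usage: sh ca_check.sh your_ca_certificate.pem [intranet.example]
if [ "$#" -ge 1 ]; then
    check_ca_cert "$1"
    if [ "$#" -ge 2 ]; then
        verify_site "$1" "$2" && echo "$2: chain verifies against $1"
    fi
fi
```

If check_ca_cert prints a fingerprint that differs from the one the CA operator gave you out of band, do not import the file.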

Important Considerations

  • Security Risks: Adding untrusted CAs weakens your cyber security posture, because any certificate chaining to an added CA is accepted for any domain, so a compromised or careless CA undermines TLS for every site you visit. Only add CAs you explicitly trust, such as those from internal infrastructure or well-vetted testing environments.
  • Certificate Revocation Lists (CRLs) and OCSP: Ensure the CA supports CRLs or Online Certificate Status Protocol (OCSP) for certificate revocation checking. Browsers use these to verify if a certificate has been revoked, even if it’s signed by a trusted CA.
  • System-Wide vs. Browser-Specific: Adding to the system store affects all applications that use the OS trust store. Browser-specific additions only affect that browser.