O'Reilly logo

Linux Server Hacks by Rob Flickenger

Stay ahead with the world's most comprehensive technology and business learning platform.

With Safari, you learn the way you learn best. Get unlimited access to videos, live online training, learning paths, books, tutorials, and more.

Start Free Trial

No credit card required

Hack #95. Distributing Your CA to Client Browsers

Installing your shiny new CA cert to client browsers is just a click away

There are two possible formats that browsers will accept for new certificate authority certs: pem and der. Early versions of Netscape expected pem format, but recent versions will accept either. Internet Explorer is just the opposite (early IE would only accept der format, but recent versions will take both). Other browsers will generally accept either format. You can generate a der from your existing pem with a single openssl command:

hagbard@fnord:~/certs$ openssl x509 -in demoCA/cacert.pem \
              -outform DER -out cacert.der

Also, add the following line to your conf/mime.types file in your Apache installation:

application/x-x509-ca-cert der pem crt

Now restart Apache for the change to take effect. You should now be able to place both the cacert.der and demoCA/cacert.pem files anywhere on your web server, and have clients install the new cert by simply clicking on either link.

You will get a dialog box in your browser when downloading the new certificate authority, asking if you'd like to continue. Accept the certificate, and that's all there is to it. Now SSL certs that are signed by your CA will be accepted without warning the user, as in Figure 8-1.

Click OK to accept the new Certificate Authority or View to read the fine print.

Figure 8-1. Click OK to accept the new Certificate Authority or View to read the fine print.

Keep in mind that ...

With Safari, you learn the way you learn best. Get unlimited access to videos, live online training, learning paths, books, interactive tutorials, and more.

Start Free Trial

No credit card required