Install CA Certificate as Trusted Root CA
This topic explains how to install a Root-CA certificate to the relevant trust stores of the most common operating systems, browsers, and mobile devices to ensure all certificates issued by this Root-CA are considered trusted.
Firefox
Firefox does not use the operating system's trust store, but implements its own trust store for certificates. Follow these steps on any operating system to install the certificate into the Trusted CA list of Firefox:
- Open Firefox.
- Open the Menu and select Options.
- Click Privacy & Security. Scroll down and click View Certificates.
- This opens the Firefox Certificate Manager. Click the Authorities tab and then click Import...
- Select the certificate file from the file system and click Open.
- Select Trust this CA to identify websites and click OK. (You can select the other two trust options too, but it is not mandatory.)
- To verify the successful import, find the certificate GlobalSign Non-Public Root CA - R2 in the list. Then click OK and close Firefox Options.
- Close and re-open the Firefox browser.
Windows (IE, Edge, Chrome, and Safari)
This procedure only installs the CA cert in the Windows certificate store where it will be used by the operating system, Internet Explorer, Edge, and Chrome.
On Windows you have two options:
- Install the certificate into the current user's trust store.
- Install the certificate in the computer's trust store.
If you install the certificate into the computer's trust store, it will be considered as trusted Root CA for every user logging into this computer and every service running on the computer. This is probably the best way to ensure that every process and user on this computer considers this Root CA as trusted, but you can only do this with administrative permissions.
Windows 8 and Windows 10 allow you to import a certificate into the user's or the computer's store when you are logged in as administrator. When you have the choice, it is recommended to install a new, Trusted Root CA Certificate into the local computer's store so it's valid for all users.
Install in Windows 8, 10, or Later
- Download the certificate to the Desktop or another folder.
- Rename the file to end in .crt, and double-click the file.
- The Certificate Detail window is displayed, and the details state that the certificate is not trusted yet. Click Install Certificate.
- Select if you want to install into Current User or Local Machine store.
- In the Certificate Import Wizard, click Next.
- Select Place all certificates in the following store, and click Browse.
- Select Trusted Root Certificate Authorities and click OK.
- Select Finish.
- To review and confirm the security warning, clicking Yes.
- To confirm the successful import, click OK.
- Close all running browsers or restart the system.
Install in Local Machine Store Earlier than Windows 8
- Download the certificate to the Desktop or another folder.
- Rename the file to end .crt and double click the file.
- Open the Start Menu and enter mmc.exe then start the Microsoft Management Console.
- Click File then Add/Remove Snap-in...
- Under Available snap-ins, select Certificates, then click Add.
- Select Computer account and click Next.
- Select Local Computer, and click Finish.
- Confirm that the Snap-in was added and click OK.
- Navigate to Console Root - Certificates (Local Computer) - Trusted Root Certification Authorities - Certificates.
- Click Action - All Tasks - Import.
- Browse to and select the file of the Root CA Certificate and click Next.
- Confirm the certificate import settings and click Finish.
- To confirm the successful import, click OK.
- Confirm that the certificate was imported in the list of certificates.
- Close the Management Console.
- Close all running browsers or restart the system.
Mac OSX
Safari or Chrome
This procedure installs the CA certificate in the Mac OS keychain where it is used by the operating system, Safari, and Chrome.
- Download the certificate to the Desktop or another folder on the computer.
- Rename the file to end in .crt and double-click the file.
- The Mac Keychain opens and displays the Add Certificates window.
- Select Keychain: System, then click Add.
- Enter the administrator's user name and password and click Modify Keychain.
- After the import, select the System keychain on the left, then double-click the new certificate.
- In the Certificate Detail screen, open the Trust section.
- Change the setting When using this certificate to Always Trust, then click the red dot to close the window.
- Confirm the change by entering the administrator's user name and password and click Update Settings.
- Check that the certificate is now shown as This certificate is marked as trusted for all users, then close the Keychain Access screen.
- Close all running browsers and restart the system.
iOS, iPhone, or iPad
- Download the certificate to the desktop or another folder.
- Rename the file to end in .crt and double-click the file.
- Send the file attached to an email to an email account that can be checked on the mobile device.
- Switch to the mobile device and check emails.
- Open the email and find the attachment, then tap it.
- From the Install Profile screen tap Install.
- Enter the Pin or passcode for the device.
- Confirm the warning message then tap Install again.
- Confirm and tap Install again.
- Wait up to one minute, and check that the certificate is now shown as Verified. Then tap Done.
- For iOS 10.3 and later, you need to explicitly enable trust for this newly installed certificate. Open the Settings app on the iOS device.
- Go to the General section.
- Tap About.
- Scroll to the bottom of the screen and select Certificate Trust Settings.
- Flip the switch for the newly installed Root CA Certificate to enable full trust, (for GlobalSign Non-Public Root CA - R2), then select Continue.
- Verify that the relevant Root CA Certificate is now shown as enabled for full trust.
Android
- Download the certificate to the desktop or another folder.
- Rename the file to end in .crt and double-click the file.
- Send the file attached to an email to an email account that can be checked on the mobile device.
- Switch to the mobile device and check emails.
- Open the email and tap the attachment.
- Enter and confirm the device Pin or password.
- Enter a certificate name and select Credential Use: VPN and apps, then tap OK.
- The confirmation that the certificate was installed is shown on the lower end of the screen.