2
votes

I created a self-signed certificate but the browser tells me "This CA Root Certificate is not trusted. To enable trust, install this certificate in the Trusted Root Certification Authorities store".

I did this by going into IE --> Internet Options --> Content --> Certificates --> etc. I actually had to export the self-signed certificate and then import it into the Trusted Root Certification Authorities store. Only after the certificate was located under the ROOT store on the user's machine did IE stop displaying any WARNINGS.

This will be deployed in a production environment, so having the users manually do the above steps is unacceptable.

How can I do this automatically? I just want them to accept it and not have that "Certificate Error" and have the URL bar turn "RED" in IE.

I'm using Tomcat 5.5. I also followed the same steps as in the Tomcat SSL How To Tutorial http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html

Thanks in advance.

3
You can get a cert that has been signed by a root CA for free at startssl.com (user328898)
Exact duplicate of stackoverflow.com/questions/5252800 - When you don't get an answer you like, don't just re-post the question. (Jim Garrison)

3 Answers

4
votes

Java 6 provides a cryptographic provider named SunMSCAPI to access the Windows cryptography API. This provider implements a keystore "Windows-ROOT" containing all trust anchor certificates.

It is possible to insert a certificate in this keystore.

import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

KeyStore root = KeyStore.getInstance("Windows-ROOT");
root.load(null, null); // no file or password: the provider reads the live Windows store
/* certificate must be DER-encoded */
FileInputStream in = new FileInputStream("C:/path/to/root/cert/root.der");
X509Certificate cacert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
in.close();
root.setCertificateEntry("CACert Root CA", cacert); // triggers the Windows confirmation prompt

The user will be prompted for confirmation. If the operation is canceled by the user then a KeyStoreException is thrown.

Some technotes about the provider can be found here: http://download.oracle.com/javase/6/docs/technotes/guides/security/SunProviders.html#SunMSCAPI
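Before writing anything into the root store, a deployer usually wants to know whether the certificate is already a trust anchor on the machine. The following class is an added example, not code from the answer above: it opens the same "Windows-ROOT" keystore read-only, compares the DER fingerprint of a certificate file against every certificate entry in the store, and prints the SHA-1 fingerprint so it can be checked against the Thumbprint field IE shows. It assumes a Windows JRE with the SunMSCAPI provider, Java 7 or later (try-with-resources), and a DER-encoded certificate path passed as the first argument (a constructed usage, not from the page).

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

public class RootStoreCheck {
    /** Hex fingerprint of the certificate's DER encoding ("SHA-1" matches IE's Thumbprint field). */
    static String fingerprint(X509Certificate cert, String algorithm) throws Exception {
        byte[] digest = MessageDigest.getInstance(algorithm).digest(cert.getEncoded());
        StringBuilder hex = new StringBuilder();
        for (byte b : digest) {
            hex.append(String.format("%02x", b));
        }
        return hex.toString();
    }

    /** True if a certificate entry with the same SHA-256 fingerprint exists in the store. */
    static boolean isTrustAnchor(KeyStore store, X509Certificate cert) throws Exception {
        String wanted = fingerprint(cert, "SHA-256");
        for (Enumeration<String> aliases = store.aliases(); aliases.hasMoreElements();) {
            String alias = aliases.nextElement();
            if (!store.isCertificateEntry(alias)) {
                continue; // skip private-key entries; only trust anchors matter here
            }
            X509Certificate entry = (X509Certificate) store.getCertificate(alias);
            if (wanted.equals(fingerprint(entry, "SHA-256"))) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        // "Windows-ROOT" comes from the SunMSCAPI provider, so this only runs on Windows.
        KeyStore root = KeyStore.getInstance("Windows-ROOT");
        root.load(null, null); // no file or password: the provider reads the live store
        // args[0]: path to the DER-encoded certificate to look up (assumed usage)
        try (InputStream in = new FileInputStream(args[0])) {
            X509Certificate cert = (X509Certificate)
                    CertificateFactory.getInstance("X.509").generateCertificate(in);
            System.out.println("Subject: " + cert.getSubjectX500Principal());
            System.out.println("SHA-1:   " + fingerprint(cert, "SHA-1"));
            System.out.println("Trusted: " + isTrustAnchor(root, cert));
        }
    }
}
```

Nothing is written to the store, so no Windows prompt appears; a "Trusted: false" result means the import step from the answer (and its user confirmation) is still required.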

1
votes

Think about it. If this were possible, what would stop any fraudulent site from doing the same thing and making it look like their site was trusted? The whole point is that the user HAS to OK the certificate installation.

1
votes

First of all, the possibility of doing this would compromise the user's security, so it would be a security hole; so no, there's no easy way to do this.

Next, different software has different certificate stores. Microsoft's and Chrome browsers use CryptoAPI stores, Firefox has its own store (Chrome can also use Firefox's one AFAIK). Adobe's software has its own store (in addition to the CryptoAPI one).