Skip to main content

Check out Interactive Visual Stories to gain hands-on experience with the SSE product features. Click here

Skyhigh Security

Install CA Certificate as Trusted Root CA

This topic explains how to install a Root-CA certificate to the relevant trust stores of the most common operating systems, browsers, and mobile devices to ensure all certificates issued by this Root-CA are considered trusted. 

Firefox

Firefox does not use the operating system's trust store, but implements its own trust store for certificates. Follow these steps on any operating system to install the certificate into the Trusted CA list of Firefox:

  1. Open Firefox.
  2. Open the Menu and select Options.
    clipboard_e92e872158f67d3adf7659ee64484848f.png
  3. Click Privacy & Security. Scroll down and click View Certificates.
    clipboard_e640e2f482700d6ddf2fffaf8203adf4f.png
  4. This opens the Firefox Certificate Manager. Click the Authorities tab and then click Import...
    clipboard_efbe88e48a565dc944ef9d006551125e9.png
  5. Select the certificate file from the file system and click Open.
    clipboard_e91216cd86e086f93eb65dd54381e9fc1.png
  6. Select Trust this CA to identify websites and click OK. (You can select the other two trust options too, but it is not mandatory.)
    clipboard_ef5454a510dd703ea2d005a67e8bbcb1b.png
  7. To verify the successful import, find the certificate GlobalSign Non-Public Root CA - R2 in the list. Then click OK and close Firefox Options.
    clipboard_e5c8b72a184166c4869eb1e1f47a61bcf.png
  8. Close and re-open the Firefox browser.

Windows (IE, Edge, Chrome, and Safari)

This procedure only installs the CA cert in the Windows certificate store where it will be used by the operating system, Internet Explorer, Edge, and Chrome. 

On Windows you have two options:

  1. Install the certificate into the current user's trust store. 
  2. Install the certificate in the computer's trust store.

If you install the certificate into the computer's trust store, it will be considered as trusted Root CA for every user logging into this computer and every service running on the computer. This is probably the best way to ensure that every process and user on this computer considers this Root CA as trusted, but you can only do this with administrative permissions.

Windows 8 and Windows 10 allow you to import a certificate into the user's or the computer's store when you are logged in as administrator. When you have the choice, it is recommended to install a new, Trusted Root CA Certificate into the local computer's store so it's valid for all users.

Install in Windows 8, 10, or Later

  1. Download the certificate to the Desktop or another folder.
    clipboard_eb772c91323fec864fc27175a222bd00f.png
  2. Rename the file to end in .crt, and double-click the file.
    clipboard_ef386377963549891574a1706737bf970.png
  3. The Certificate Detail window is displayed, and the details state that the certificate is not trusted yet. Click Install Certificate.
    clipboard_e91fc1731f20cc96c6408808c0ea3a0f9.png
  4. Select if you want to install into Current User or Local Machine store.
    clipboard_ebf6a95933bbfcc0094616162d71384c5.png
  5. In the Certificate Import Wizard, click Next.
    clipboard_e4f46584e3cfd03b6771e692fa997d8ab.png
  6. Select Place all certificates in the following store, and click Browse.
    clipboard_e7292392558fd4996715f3599d1f7aac2.png
  7. Select Trusted Root Certificate Authorities and click OK.
    clipboard_eb75641b2dd6b30b0bdf49d39c7486fe5.png
  8. Select Finish.
    clipboard_e00b4bcb3b722ff41cd740b3d8d29c808.png
  9. To review and confirm the security warning, clicking Yes.
    clipboard_e3850c8217eb1911ff90a2edf8b793f57.png
  10. To confirm the successful import, click OK.
    clipboard_e3f9a0ec6d584a4f25d22e57ed0903796.png
  11. Close all running browsers or restart the system.

Install in Local Machine Store Earlier than Windows 8

  1. Download the certificate to the Desktop or another folder.
    clipboard_edfe0dbb72c1bb01e0a433268c6ef7ac8.png
  2. Rename the file to end .crt and double click the file.
    clipboard_e487e5e4d86f4d6cc866e17111e6accfe.png
  3. Open the Start Menu and enter mmc.exe then start the Microsoft Management Console.
    clipboard_e8c044c984bc0ce715ae8ecde951c7bed.png
  4. Click File then Add/Remove Snap-in...
    clipboard_e69e0956fa59394c17c00983bc0918dc5.png
  5. Under Available snap-ins, select Certificates, then click Add.
    clipboard_ec5bff5e28c4f5b829919e7da8d66adc2.png
  6. Select Computer account and click Next.
    clipboard_e5a619725b1ce4eaed306fdcfa6063c75.png
  7. Select Local Computer, and click Finish.
    clipboard_e8f080690cf37ecb5e348d6bb9a23c532.png
  8. Confirm that the Snap-in was added and click OK.
    clipboard_e0a54ac4a75bbb79ed41b08f84568e21a.png
  9. Navigate to Console Root - Certificates (Local Computer) - Trusted Root Certification Authorities - Certificates.
    clipboard_e548c6ba8577dbffd4f23590045c96708.png
  10. Click Action - All Tasks - Import.
    clipboard_e7fe72f3a5613d2e4cd88bde516237ee0.png
  11. Browse to and select the file of the Root CA Certificate and click Next.
    clipboard_e900fa5db9f6ae735efa57b28ce03bfb7.png
  12. Confirm the certificate import settings and click Finish.
    clipboard_e7f2b8eeb163abb84d2e8572828fd704a.png
  13. To confirm the successful import, click OK.
    clipboard_ed06c584f8fb30e9e3b5b27dbf5aca5fd.png
  14. Confirm that the certificate was imported in the list of certificates.
    clipboard_ea59c2dad6a8c95c0b2c1d1db0d90af7e.png
  15. Close the Management Console.
  16. Close all running browsers or restart the system.

Mac OSX

Safari or Chrome

This procedure installs the CA certificate in the Mac OS keychain where it is used by the operating system, Safari, and Chrome. 

  1. Download the certificate to the Desktop or another folder on the computer.
  2. Rename the file to end in .crt and double-click the file.
    clipboard_e4f71cd295439c8a4e96d49fcfff30096.png
  3. The Mac Keychain opens and displays the Add Certificates window.
    clipboard_e4222cd78c5a2646c7a5c3b12c08a53e0.png
  4. Select Keychain: System, then click Add.
    clipboard_e66a426faccc1624843070a99d13d569d.png
  5. Enter the administrator's user name and password and click Modify Keychain.
    clipboard_ecd51b64592ec9a3da8559422a77e9aad.png
  6. After the import, select the System keychain on the left, then double-click the new certificate.
    clipboard_e1d82295ad277797bda47f3a8b966963a.png
  7. In the Certificate Detail screen, open the Trust section.
    clipboard_e18adbb94be0ed2615d651db781af9835.png
  8. Change the setting When using this certificate to Always Trust, then click the red dot to close the window.
    clipboard_e44693970ad9cf4987aa81c75ebf26281.png
  9. Confirm the change by entering the administrator's user name and password and click Update Settings.
    clipboard_ec1d3c6f57e7906a578130c5e3eae0a56.png
  10. Check that the certificate is now shown as This certificate is marked as trusted for all users, then close the Keychain Access screen.
    clipboard_ef1db79cea50898612904e2271b073bf9.png
  11. Close all running browsers and restart the system.

iOS, iPhone, or iPad

  1. Download the certificate to the desktop or another folder.
    clipboard_eb147d3da454e4260ef91f1fd364e4932.png
  2. Rename the file to end in .crt and double-click the file.
    clipboard_e06e5ffc892908213acf7c0320fdfcbb8.png
  3. Send the file attached to an email to an email account that can be checked on the mobile device.
    clipboard_ec94f0ee0b15a6c8ec29cb8fb8f5dc936.png
  4. Switch to the mobile device and check emails.
  5. Open the email and find the attachment, then tap it.
    clipboard_e2b58fabeab645cc248878c9e57d386d0.png
  6. From the Install Profile screen tap Install.
    clipboard_ed64de90f5a502bfef5f9dcf076766a69.png
  7. Enter the Pin or passcode for the device.
    clipboard_e3196322f35c21190d3e89607c863f978.png
  8. Confirm the warning message then tap Install again.
    clipboard_e80cf2c9f1dd6265d53c763322e20df8e.png
  9. Confirm and tap Install again.
    clipboard_e37673993973f395b15ff34cf41a000bb.png
  10. Wait up to one minute, and check that the certificate is now shown as Verified. Then tap Done.
    clipboard_e6b71e154066dc535bfba8cc9f0ff84cb.png
  11. For iOS 10.3 and later, you need to explicitly enable trust for this newly installed certificate. Open the Settings app on the iOS device.
  12. Go to the General section.
    clipboard_ecf7636e410d1c0f916415388cb2f9e10.png
  13. Tap About.
    clipboard_e6d568869401de58ae5e1b54975a19d31.png
  14. Scroll to the bottom of the screen and select Certificate Trust Settings.
    clipboard_e3dcdcbff0cc7c6971b0016c5786d0dd6.png
  15. Flip the switch for the newly installed Root CA Certificate to enable full trust, (for GlobalSign Non-Public Root CA - R2), then select Continue.
    clipboard_e4052468c426b32437c1617669016e9e9.png
  16. Verify that the relevant Root CA Certificate is now shown as enabled for full trust.
    clipboard_eae3113ec895a22d97cc511c49b728606.png

Android

  1. Download the certificate to the desktop or another folder.
    clipboard_e5836b89903acb7cb301cbe8cdefaaba5.png
  2. Rename the file to end in .crt and double-click the file.
    clipboard_ed56c0e1811c827e39ea1fe7991b3dc3d.png
  3. Send the file attached to an email to an email account that can be checked on the mobile device.
  4. Switch to the mobile device and check emails.
  5. Open the email and tap the attachment.
    clipboard_e3d382d8f45d8d7a8fb8bc54c5b374a42.png
  6. Enter and confirm the device Pin or password.
    clipboard_eada74b36dd8713e26bd25e6d62e81e20.png
  7. Enter a certificate name and select Credential Use: VPN and apps, then tap OK.
    clipboard_efa6db302c2274acdbde688a285f6214d.png
  8. The confirmation that the certificate was installed is shown on the lower end of the screen.
    clipboard_ecb9a6b4e31f9b0b5a33ac1b677a722ca.png
  • Was this article helpful?