7 Configure Firefox To Trust CAcert.org (Optional)

If you use a CAcert.org certificate, your browser most likely doesn't trust this certificate and will show a warning. This chapter explains how you can import the CAcert.org root certificate into Firefox so that it won't show this warning anymore (please read http://wiki.cacert.org/BrowserClients for other browsers like MSIE, Safari or Opera).

Please note that if you run an e-commerce web site, you should better buy a certificate from a trusted CA because you can't ask all your visitors to reconfigure their browsers.

Please visit http://www.cacert.org/index.php?id=3 and click on the Root Certificate (PEM Format) link (http://www.cacert.org/certs/root.crt):

The Downloading Certificate dialogue opens. Click on View to examine the certificate:

Please make sure that the fingerprints are as follows:

SHA1 Fingerprint: 135C EC36 F49C B8E9 3B1A B270 CD80 8846 76CE 8F33
MD5 Fingerprint: A6:1B:37:5E:39:0D:9C:36:54:EE:BD:20:31:46:1F:6B

Click on Close afterwards:

Next check Trust this CA to identify web sites. and click on OK:

Now go to Tools > Options...

... and then to Advanced > Encryption. Click on Revocation Lists:

The Manage CRLs window opens. Click on Import...:

Fill in the following URL and click on OK: http://crl.cacert.org/revoke.crl

After a few moments you should see the following message. Click on Yes to enable automatic updates:

Check Enable Automatic Update for this CRL and click on OK:

That's it. You should now be able to go to your SSL vhost without getting a browser warning:

8 Links

• Apache: http://httpd.apache.org/
• mod_ssl: http://httpd.apache.org/docs/2.0/mod/mod_ssl.html
• OpenSSL: http://www.openssl.org/
• CACert.org: http://www.cacert.org/
• Ubuntu: http://www.ubuntu.com/
• Debian: http://www.debian.org/