MSIE - Installing a CA Certificate

Revised: 30th August 2002

Source: http://wasd.vsm.com.au/ht_root/other/faq/MSIE_CA_cert/

This document describes how to install an OpenSSL self-signed Certificate Authority (CA) certificate into Microsoft Internet Explorer (MSIE) so that it will accept similarly self-signed Server certificates without requiring a confirmation dialog at the commencement of each session.

The information in this description is provided within a WASD context but provides general principles that should be able to be applied to any MSIE / OpenSSL environment. It has been developed and the graphics generated using MSIE 6.n but should also apply to v5.n.

It is important that the Certificate Authority (CA) in the Server certificate (the issuer) be the same as in the CA certificate that is about to be installed into MSIE. There are good reasons why this might not be the case.

Each release of the WASD OpenSSL package has a uniquely generated CA certificate included. This is done to test the release as well as to identify from which release any particular WASD CA certificate was generated.
Any given site may have placed the supplied example HTTPD.PEM Server certificate in a site-specific location (e.g. HT_ROOT:[LOCAL]) and continued to use that particular file even though the OpenSSL component may have been subsequently updated (perhaps multiple times).
Hence the Server certificate in use may be out-of-step with any CA certificate about to be used in the procedure described below. Ensure the Server certificate CA component and the CA certificate itself represent the same authority in every detail.

Use the following procedure (adapt for the local file system and environment) to establish that Server and CA certificates represent the "same" issuer (CA).

  $ OPENSSL == "$HT_ROOT:[SRC.OPENSSL-0_9_6E.AXP.EXE.APPS]OPENSSL.EXE"
  $!(check the CA of the Server certificate currently in use)
  $ OPENSSL x509 -issuer -noout -in HT_ROOT:[LOCAL]HTTPD.PEM
  issuer= /C=AU/ST=SA/L=Adelaide/O=WASD HTTPd CA Cert/OU=OpenSSL 0.9.6e Testing Only
  /CN=WASD VMS Hypertext Services/Email=Mark.Daniel@wasd.vsm.com.au
  $!(now check the CA of the CA certificate that is about to be loaded)
  $ OPENSSL x509 -issuer -noout -in HT_ROOT:[SRC.OPENSSL-0_9_6E.WASD.CERT]_CACERT.PEM
  issuer= /C=AU/ST=SA/L=Adelaide/O=WASD HTTPd CA Cert/OU=OpenSSL 0.9.6e Testing Only
  /CN=WASD VMS Hypertext Services/Email=Mark.Daniel@wasd.vsm.com.au

Compare the output (italicised) from the OPENSSL command on both files. They should be identical.

The intention is to provide the .CRT certificate file to MSIE. This can be directly from the WASD OpenSSL directory as shown in the graphic below or can be done from an anchor and link from an HTML page. In either case when the link is accessed the .CRT file should be downloaded to the browser.

Note that the server must be configured to supply the correct MIME content-type for these files. This is discussed in the Secure Sockets Layer (SSL) chapter of the Technical Overview. Briefly, the HTTPD$CONFIG file must contain these directives (and should by default).
```
  [AddIcon]
  /httpd/-/binary.gif  [BIN]  application/x-x509-ca-cert
  [AddType]
  .CRT  application/x-x509-ca-cert  -  DER certifcate (MSIE)
  .PEM  application/x-x509-ca-cert  -  Privacy Enhanced Mail certificate
```
```
  
```
When the .CRT file is accessed MSIE presents a file download dialog.
- The more direct action is to select the [Open] option.
  
  When the file has downloaded the dialog shown in step 4 will be displayed.
- It also possible to [Save] the certificate. Some versions of MSIE may only give the option of saving. If this is the case then select the [Save] option, specify the location and store the certificate file (to the desktop in the following example).
  
  When the file has been saved double-click on the file icon (on the desktop in the ongoing example).
  
  This will activate the certificate dialog and the process will continue from step 4. Once the certificate installation process has been completed this file may be deleted.

When the .CRT file has been downloaded or accessed MSIE should recognise it as a certificate and present that information in a certificate dialog. Select the [Install Certificate] button.
This begins the Certificate Import dialog. Select [Next] to continue.
This CA certificate needs to be installed as a Trusted Certification Authority and so a specific certificate store needs to be specified. Select the [o] Place all certificates in the following store option and then select the [Browse] button.
Select the -[]]] Trusted Root Certification Authorities folder and select [OK].
Continue by selecting the [Next] button.
Ready to commit (almost :-) by selecting the [Finish] button.
The final dialog displays the basic CA details that are about to be added to the Root Store. Select [Yes] to (finally) add this certificate.
The conclusion of this process returns to the original certificate dialog. The [OK] button can now be selected.