CA Root Certificate Guide

This guide explains how to download and install CA root certificates so that your system or browser trusts certificates issued by this CA.

What is a CA Root Certificate?

A CA (Certificate Authority) root certificate is the root node of a certificate trust chain. When you create a private CA and use it to issue server certificates, clients need to trust this CA root certificate to automatically trust all certificates it issues.

Tip

Use cases: Internal development environments, testing environments, enterprise intranet services, and other scenarios that don’t require public trust.

Download CA Root Certificate

1. Go to Console -> Self-signed Certificates -> CA Management
2. Find the CA you need to download, click the Download button
3. In the popup dialog, click Download to save the xxx-ca.crt file

Install CA Root Certificate

macOS

Method 1: Keychain Access (Recommended)

1. Double-click the downloaded .crt file
2. In the “Keychain Access” popup, choose to add to the System keychain
3. Find the newly added certificate and double-click to open it
4. Expand the Trust section
5. Change “When using this certificate” to Always Trust
6. Close the window and enter your password to confirm

Method 2: Command Line

sudo security add-trusted-cert -d -r trustRoot \
  -k /Library/Keychains/System.keychain \
  ~/Downloads/xxx-ca.crt

Windows

Method 1: GUI

1. Double-click the downloaded .crt file
2. Click Install Certificate
3. Select Local Machine, click Next
4. Select Place all certificates in the following store
5. Click Browse, select Trusted Root Certification Authorities
6. Complete the installation

Method 2: Command Line (Administrator)

certutil -addstore -f "ROOT" C:\path\to\xxx-ca.crt

Linux

Ubuntu/Debian

# Copy certificate to trust directory
sudo cp xxx-ca.crt /usr/local/share/ca-certificates/

# Update certificate trust store
sudo update-ca-certificates

CentOS/RHEL/Fedora

# Copy certificate
sudo cp xxx-ca.crt /etc/pki/ca-trust/source/anchors/

# Update trust store
sudo update-ca-trust

Browsers

Chrome

Chrome uses the system certificate store, so it will work automatically after installing to the system.

Firefox

Firefox uses its own certificate store and requires separate import:

1. Open Settings -> Privacy & Security
2. Scroll to Certificates section, click View Certificates
3. Select the Authorities tab
4. Click Import, select the .crt file
5. Check Trust this CA to identify websites
6. Click OK

Verify Installation

After installation, you can verify with the following:

# Test with curl (assuming the server certificate was issued by this CA)
curl https://your-server.local

# If there's no error, the CA is trusted

Important Notes

Caution

• Keep the CA private key secure; if leaked, it could be used to issue malicious certificates
• Only install CA root certificates on trusted devices
• Regularly check CA certificate expiration and renew before expiry

FAQ

Browser still shows “Not Secure” after installation?

1. Verify the certificate is correctly installed in the system trust store
2. Restart the browser
3. Check if the server certificate’s domain matches the access address
4. Firefox users need to import separately into the browser

How to remove an installed CA?

• macOS: Open Keychain Access, find the certificate and delete it
• Windows: Run certmgr.msc, delete from “Trusted Root Certification Authorities”
• Linux: Delete the corresponding .crt file, then run update-ca-certificates or update-ca-trust