How to trust a self-signed SSL browser certificate

When browsing to an https: web site (i.e. a site using HTTP over SSL), the web server presents a signed SSL certificate. If the certificate is signed by a commercial CA (Certificate Authority) whose root certificate is pre-installed in Microsoft Windows or Apple OS X, the browser accepts the SSL certificate as valid. Commercial CAs currently charge CAN$150 to CAN$250 per year for signing a certificate, depending on the CA and the number of years the certificate will be valid for.

However, certificates can also be self-signed at no expense using the OpenSSL program, in three steps:

 * 1) create server key
 * 2) create Certificate Authority (CA) key
 * 3) sign server key using CA key
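
The three steps above carried through with OpenSSL, as an added shell example (not the page's own commands); the host name server.dom, the file names and the validity periods are assumptions, and the final two functions show the check a browser performs with and without the CA root imported:

```shell
#!/bin/sh
# Added example: private CA + server certificate, then chain verification.
# All names (server.dom, file names, validity periods) are assumptions.
set -eu
WORK="${WORK:-$(mktemp -d)}"
# Minimal config so the example does not depend on the system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

make_server_key() {                       # step 1: server key
  openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
}
make_ca() {                               # step 2: CA key + self-signed root
  openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
  # ca.crt is the file users import into the "Trusted Root" store.
  openssl req -x509 -new -key "$WORK/ca.key" -config "$WORK/req.cnf" \
    -extensions ca_ext -subj "/CN=server.dom CA" -days 3650 -sha256 -out "$WORK/ca.crt"
}
sign_server_cert() {                      # step 3: CSR signed with the CA key
  openssl req -new -key "$WORK/server.key" -config "$WORK/req.cnf" \
    -subj "/CN=server.dom" -out "$WORK/server.csr"
  # Browsers match the host name against subjectAltName, so set it explicitly.
  printf 'subjectAltName=DNS:server.dom\nbasicConstraints=CA:FALSE\n' > "$WORK/ext.cnf"
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$WORK/ext.cnf" \
    -out "$WORK/server.crt" 2>/dev/null
}
# Same check a browser performs once ca.crt is trusted: chain + host name.
# Exit status 0 means accepted; anything else is the "untrusted" warning case.
verify_as_trusting_client() {
  openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$1" "$WORK/server.crt" >/dev/null 2>&1
}
# A client that has NOT imported ca.crt: only the default trust store is consulted.
verify_as_default_client() {
  openssl verify -verify_hostname "$1" "$WORK/server.crt" >/dev/null 2>&1
}
make_server_key && make_ca && sign_server_cert
```

Note that the default client rejects the certificate even though the chain is internally valid; importing ca.crt, as the browser procedures below do by hand, is what makes the difference.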

However, client browsers will not trust the certificate if they do not trust the signing CA. In this case, users browsing a site that uses a self-signed certificate will be warned with wording ranging from "Be careful, are you sure?" to essentially "Danger! This site may steal all your data and destroy your computer!".

For a client browser to trust a self-signed certificate, the root certificate of the CA that signed the server key must be imported into the browser's "Trusted Root Certification Authorities" certificate store. This must be done on each computer that will access the site (and possibly for each browser on the computer). The procedure is not overly complex, although the browser also warns of potential security issues during the import: a trusted root CA can vouch for any web site, not just yours. However, once the root certificate is imported the user will not receive further warnings.

Whether using a self-signed certificate will be a minor annoyance or a business show-stopper will depend on your users and their security model. Here are procedures for installing a root CA certificate with popular web browsers.

Internet Explorer 8/9 on Windows 7 or Windows XP

 * Copy the CA certificate (e.g., server.dom-CAcert.cer) to a location accessible by the Windows computer.
 * For example, for the dalescott.net CA root certificate:
 * Browse to the "About" page on http://www.dalescott.net, and click the CA root certificate link to download the zip archive containing the dalescott.net CA root certificate
 * Save the zip archive to your desktop
 * Double-click the zip archive to open it
 * Drag the certificate file to your desktop
 * Open IE, access the Tools/Internet Options menu, and select the Content tab
 * In the Certificates section, click the Certificates button
 * Click the Import button to start the Certificate Import Wizard
 * Browse to and select the CA certificate file
 * When asked where to place the certificate, choose the "Trusted Root Certification Authorities" certificate store
 * Close and reopen IE to recognise the certificate.

Browsing to an https site that uses an SSL certificate signed by the imported CA certificate will now be accepted as secure.

Firefox 5/6

 * Copy the CA certificate (e.g., server.dom-CAcert.cer) to a location accessible by the computer.
 * For example, for the dalescott.net CA root certificate:
 * Browse to the "About" page on http://www.dalescott.net, and click the CA root certificate link to download the zip archive containing the dalescott.net CA root certificate
 * Save the zip archive to your desktop
 * Double-click the zip archive to open it
 * Drag the certificate file to your desktop (e.g., dalescott.net-CAcert.cer)
 * Open Firefox, access the Tools/Options menu in Firefox 6 (Edit/Preferences menu in Firefox 5), and select the Advanced category
 * Select the Encryption tab
 * Click View Certificates to open the Certificate Manager
 * Select the Authorities tab
 * Click Import, browse to the certificate file, and click OK
 * Select "Trust this CA to identify web sites"

Browsing to a secure site should now be accepted without warnings (it is not necessary to close and re-open Firefox).