Add root certificate to macOS
If you have your own root certificate like I do, then follow the steps below to add it to macOS.
Browser vs OS level installation
When you access a server whose certificate was signed by your own root certificate, and the root certificate isn't installed locally, the browser shows a warning. You then need to choose to trust the certificate in order to continue.
This action only trusts that machine's certificate in the browser. It only does the following:
- Trusts the machine certificate, not the root certificate
- Trusts it only in the browser currently used
The benefits of installing the root certificate at OS level are:
- All applications will trust the certificate
- Only a one-time installation is required
- Trusted for all users on the system (not in the Firefox browser)
Download certificate
Provided by issuer
Go to the issuer software, such as Synology NAS, download from the certificate store, and extract the CA certificate, such as example-ca-cert.pem.
From browser with root certificate
The root certificate can be downloaded from the browser if the browser has been installed. For example, in Firefox:
- Click on the lock icon beside the URL => connection secure => more information, then the Page Info window appears
- Click on View Certificate in the Security tab, then the certificate information page is displayed in a new browser tab.
- Look for the chain certificate. In Firefox, it is under Miscellaneous => Download PEM (chain)
- Click on the chain certificate and save it locally.
Note: The downloaded certificate file contains both the server certificate and the root certificate. Delete the server certificate using a text editor if possible. If the server certificate has already been installed in the keychain, it can be removed from the keychain later too.
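Instead of editing the chain file by hand as the note describes, the following added example (not part of the original post) splits a PEM chain and keeps only the self-issued certificate, that is, the one whose issuer equals its subject. The function names, `ROOT_CN` and the sample chain are assumptions made for this example. The check does not verify any signature, so compare the root's fingerprint with the one shown by the issuer before trusting it.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def children(element):
    """Yield (tag, raw_child) for each child of a constructed DER element."""
    _, pos, end = read_tlv(element, 0)
    while pos < end:
        tag, _, nxt = read_tlv(element, pos)
        yield tag, element[pos:nxt]
        pos = nxt

def issuer_subject(der):
    """Return the raw DER issuer and subject Names of a certificate."""
    fields = list(children(next(children(der))[1]))  # fields of tbsCertificate
    skip = 1 if fields[0][0] == 0xA0 else 0  # optional explicit [0] version
    return fields[skip + 2][1], fields[skip + 4][1]  # after serial and sigAlg

def split_chain(pem_text):
    """Return (roots, others) as PEM blocks; a root has issuer == subject."""
    roots, others = [], []
    for m in PEM_RE.finditer(pem_text):
        issuer, subject = issuer_subject(base64.b64decode(m.group(1)))
        (roots if issuer == subject else others).append(m.group(0) + "\n")
    return roots, others

def tlv(tag, body=b""):  # minimal DER encoder for the constructed sample (< 256 bytes)
    size = bytes([len(body)]) if len(body) < 128 else bytes([0x81, len(body)])
    return bytes([tag]) + size + body

def demo_cert(issuer_cn, subject_cn):
    """Constructed skeleton with the X.509 field order; not a valid certificate."""
    name = lambda cn: tlv(0x30, tlv(0x0C, cn.encode()))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0x30)
              + name(issuer_cn) + tlv(0x30) + name(subject_cn))
    der = tlv(0x30, tbs + tlv(0x30) + tlv(0x03, b"\x00"))
    return f"-----BEGIN CERTIFICATE-----\n{base64.encodebytes(der).decode()}-----END CERTIFICATE-----\n"

# Constructed sample chain: server certificate first, then the root that issued it.
ROOT_CN = "Example Home Lab Root CA - constructed sample for this example"
SAMPLE_CHAIN = demo_cert(ROOT_CN, "nas.example.internal") + demo_cert(ROOT_CN, ROOT_CN)
```

To use it on a real download, pass the text of the saved chain file to `split_chain` and write `roots[0]` to a new .pem file for installation.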
Install certificate
Use the following steps to install the CA certificate into the keychain:
- Double-click the certificate file (with ".pem" or ".cer" extension)
- Choose "System" from the keychain option, then press "Add" to install after providing the password
Set certificate "Always Trust"
To set system-wide trust, use the following steps:
- Open Keychain Access application
- Look for the root certificate and double-click it
- Expand the Trust section
- Select "Always Trust" from the "When using this certificate" list.
Delete server certificate if needed
If the server certificate was also installed, delete it from the keychain and the browser certificate store. This avoids a false impression that the root certificate installation was successful.
- Open Keychain Access application
- Look for server certificate
- Right-click on it, then select delete certificate
Firefox Only
Firefox has its own certificate store, so the system certificates are not accepted. Use the following steps to enable system certificates for the current user:
- Open a new tab and type about:config
- Search for security.enterprise_roots.enabled
- Change it to true by double-clicking the line.
Note: This only enables trust for the current user.
Reboot
Verify
Use a browser to access another website that has the same root certificate; the "certificate not trusted" page should not appear.