Using the Dartmouth College Root Certificate

About Root Certificates

PKI certificates are used to verify the identity of end users and network servers. Certificate Authorities sign certificates asserting that the information in the certificate has been verified and is associated with the public key in that certificate. Users of the certificates need to accept these assertions. This is accomplished by providing a list of Certificate Authority Root certificates that the application trusts. For example, web browsers contain a list of trusted root certificates provided by the software vendor. Certificates for other trusted authorities can be added to this starter list. Sometimes a chain of CA certificates is required to verify a particular end user or server certificate. Root Certificates can be obtained from the Certificate Authority, usually downloaded from a web page. Certificates are generally also published in LDAP or X.500 directories.

Applications that use PKI certificates need to have access to a key and certificate "store". Many current applications have their own key-store. Some make use of an operating system (OS) provided key-store such as provided by the Windows OS. Keys and certificates are "imported" to a key store by downloading files containing the certificates and keys, sometimes directly through a web browser. Other applications like e-mail or instant messaging clients import certificates from files saved on disk.

Checking Certificates

To ensure that you are obtaining the correct signed root certificate, a calculated hash value called a fingerprint is reported for verification. Fingerprints are generally published in the directory with the certificates and also on web pages for ease of use. A number of different hash algorithms are used by different programs. The fingerprint value depends on which algorithm is being used, so the published value must be compared with the one computed by the same algorithm.

Dartmouth CA Root Certificate

The Dartmouth College Certificate Authority (CA) uses a self-signed root certificate, which means it has not been signed by an already trusted Certificate Authority. The Dartmouth CA issues certificates to identify end users and servers at Dartmouth. Web and e-mail servers, for example, use their certificates to provide SSL connections. In order for software to verify certificates signed by the Dartmouth CA, the CA's root certificate must be installed in the software and accepted as trustworthy.

Verifying the Dartmouth Root Certificate

When installing a new root certificate, most browsers present an alert to report that this step is taking place and ask that you confirm acceptance of this new root certificate. To ensure that you are obtaining the correct Dartmouth College signed root certificate, a calculated hash value called a fingerprint is reported for verification. The fingerprint value is dependent on which algorithm is used by your browser. The proper fingerprint values for the Dartmouth College root certificate for the various hash algorithms are:

collegeca.dartmouth.edu
issued 1/3/2003 serial#02  for CN=Dartmouth CertAuth1, O=Dartmouth College, C=US, dc=dartmouth, dc=edu

MD2: 8D28 33CF B6BC F369 D0B1 3FF6 8616 6302
MD5:   441C BCE1 448D 358B 3C52 A9D6 62FD 2733
SHA1: 88CD 0250 FA66 0376 41A2 E75F EB1B 7A6E 44B8 7F74
MDC2: 55D5 673C 41B4 A4DE 2DD8 B76E 2157 0547

hash used by Internet Explorer for Macintosh:
08:A4:41:7E:7B:7C:31:25:46:5D:7A:F0:42:49:7D:D0:91:8E:43:B1:39

These values can be independently verified by retrieving the Certificate Authority's certificate from the campus LDAP directory.
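The fingerprint check described in the two sections above can be done outside the browser as well. The following Python example is added here and is not Dartmouth's code: it reads a certificate file (PEM or raw DER), hashes the DER encoding, and compares the result with a published value written in either the space-grouped style used on this page ("88CD 0250 ...") or the colon-separated style the browsers display ("08:A4:41:..."). The file name, the `published` dictionary and the sample bytes in the self-test are constructed for illustration; the legacy MD2 and MDC2 algorithms listed above are not available in `hashlib`, so only MD5 and SHA-1 (and newer algorithms) are handled.

```python
"""Fingerprint check for a CA root certificate (added example, not Dartmouth's code).

A certificate fingerprint is a hash over the DER encoding of the whole
certificate. Browsers show it so the user can compare it with a value
published out of band, which is what the page above asks you to do.
"""
import base64
import hashlib
import hmac
import re

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)


def to_der(data: bytes) -> bytes:
    """Return the DER bytes of the first certificate in data.

    Accepts a PEM file (base64 between BEGIN/END markers) or raw DER.
    """
    m = PEM_RE.search(data)
    if m:
        return base64.b64decode(b"".join(m.group(1).split()))
    return data


def wrap_pem(der: bytes) -> bytes:
    """Inverse of to_der: wrap DER bytes in PEM armour (used by the self-test)."""
    return (b"-----BEGIN CERTIFICATE-----\n"
            + base64.encodebytes(der)
            + b"-----END CERTIFICATE-----\n")


def fingerprint(der: bytes, algorithm: str = "sha1") -> str:
    """Hash the DER encoding and format it colon-separated, upper case,
    the style Internet Explorer and Mozilla display (e.g. 88:CD:02:50:...)."""
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Strip spaces, colons and case so that '88CD 0250' and '88:cd:02:50'
    compare equal. Anything left that is not a hex digit is a typo."""
    cleaned = re.sub(r"[\s:]", "", fp).upper()
    if not re.fullmatch(r"[0-9A-F]+", cleaned):
        raise ValueError(f"not a hex fingerprint: {fp!r}")
    return cleaned


def matches(der: bytes, published: str, algorithm: str) -> bool:
    """True if the certificate's fingerprint equals the published value.
    compare_digest also returns False when the lengths differ, which is
    what happens when a value for the wrong algorithm is supplied."""
    return hmac.compare_digest(
        normalize(fingerprint(der, algorithm)), normalize(published)
    )


def check_bytes(data: bytes, published: dict) -> dict:
    """Check certificate bytes against {algorithm: published fingerprint}
    and report each algorithm separately; at least one must match."""
    der = to_der(data)
    return {alg: matches(der, fp, alg) for alg, fp in published.items()}


def check_file(path: str, published: dict) -> dict:
    """Same check for a certificate saved from the browser (hypothetical path)."""
    with open(path, "rb") as f:
        return check_bytes(f.read(), published)


if __name__ == "__main__":
    # Constructed sample: these bytes are NOT a real certificate, they only
    # stand in for DER so the check can be exercised offline.
    sample_der = b"abc"
    print(fingerprint(sample_der, "sha1"))
    print(check_bytes(wrap_pem(sample_der), {
        "sha1": "A999 3E36 4706 816A BA3E 2571 7850 C26C 9CD0 D89D",
        "md5": "9001 5098 3CD2 4FB0 D696 3F7D 28E1 7F72",
    }))
```

If every entry in the returned dictionary is False, the file you downloaded is not the certificate whose fingerprints were published, and it should not be accepted into the trust store.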

Importing the Dartmouth CA Root Certificate

To load the Dartmouth College CA root certificate, follow the directions below.

  1. Go to https://collegeca.dartmouth.edu/rootcert.html with your web browser.
  2. Click on the "Download Root Certificate" button.
  3. Follow the procedure below to accept a root certificate for the browser being used.
  4. Other web browsers will be similar; follow their instructions.


Using the Mozilla or Netscape Browser on Windows or Macintosh, you will need to accept the new root certificate as follows:

  1. The browser will display an alert:
    You have been asked to trust a new Certificate Authority (CA)
    [ ] Trust this CA to identify web sites
    [ ] Trust this CA to identify email users
    [ ] Trust this CA to identify software developers
    
  2. Select all 3 check boxes.
  3. Click the View button to check the fingerprints (compare with the values listed under "Verifying the Dartmouth Root Certificate").
  4. Click Close, then OK in the previous window.

Using Internet Explorer 6.x on Windows XP:

  1. Click on the "SAVE" button.
  2. Choose a location to save the file: getCACHAINf3677d0.cer
  3. Click the "Open" button on the download complete dialog.
  4. A certificate viewer window opens.
  5. Click on the "Install Certificate..." button.
  6. The Certificate Import wizard opens.
  7. Accept the defaults, clicking Next and Finish.

Using Internet Explorer 5.x/6.x on Windows 98/2000 (with IE 6.x, you will then see this series of alerts):

File Download
Some files can harm your computer. If the file information below looks suspicious, or you do not fully trust the source, do not open or save this file.

File name: getCACHAINf3677d0.cer
File type: Security Certificate
From: collegeca.dartmouth.edu

This type of file could harm your computer if it contains malicious code.
Would you like to open the file or save it to your computer?
  1. Click on the "OPEN" button.
  2. The certificate viewer opens.
  3. Click on the "Install Certificate..." button.
  4. The Certificate Import wizard opens.
  5. Click on the "Next>" button.
  6. Select the radio button "automatic selection of the certificate store".

Clicking the "Next" button displays the "Completing the Certificate Import Wizard" window; click "Finish". The wizard then asks "Do you want to ADD the following certificate to the Root Store?" and displays two methods of computing a thumbprint, at least one of which should be checked against the values listed under "Verifying the Dartmouth Root Certificate".

Continue by clicking OK. The wizard responds with a "The import was successful" alert; click OK again. The new certificate will be listed in the certificate store under the tab "Trusted Root Certification Authorities", named "Dartmouth CertAuth1".

Using Internet Explorer 5.2.x on the Macintosh, you will see an alert:

"You have been sent a Certificate Authority.  Because of the critical role these have in security,
it is strongly recommended that you read this text before proceeding."

Click the "view certificate authority" button. The next window displays:

The Certificate Authority you received has the following values you can use in validating it:

Issuer: Dartmouth CertAuth1 Dartmouth College US
dartmouth.edu
Expiration: Wed Jan 9, 2013
Fingerprint: 08:A4:41:7E:7B:7C:31:25:46:5D:7A:F0:42:49:7D:D0:91:8E:43:B1:39

[ ] I have verified that the Certificate is not a forgery
[ ] I trust the Issuer to verify Internet security

Check both boxes and click the "Accept" button. (If you click "Decline", an alert is displayed: "The attempt to load 'accessing URL https://collegeca.dartmouth.edu/getCAChain' failed.")

Next you'll see a series of alerts:

"Please define a certificate password. You will be prompted for it when establishing secure connections, 
adding certificates, and changing certificate preferences."

Provide a password and click OK.

Confirm the certificate password by entering it again, then click OK.

"Adding a certificate. Please enter your certificate password."

Provide the password and click OK.

"The Certificate Authority has been added successfully."

Click OK.

(Note: once a password is defined, it is requested when you open the first https connection. Though not recommended, it is possible to set the password to null.)


Dartmouth College PKI Lab
Last update: 7 January 2004