3. Add the CA Certificate to Your Operating System or Browser’s List of Trusted Authorities

  • To add the certificate to the Windows Trusted Root CA list so all browsers can use it:
    1. Open the Start menu, type in run, and launch the “Run” desktop application. In the popup, type in MMC and launch the Microsoft Management Console (MMC).
    2. Click file, then Add/Remove Snap-in. One of the options is Certificates; add that for either the computer account or the individual user, depending on who has access to the machine. Choose the local computer and click OK to add the certificate snap-in.
    3. Right-click any empty area in the certificate snap-in; you may need to expand the program and scroll down to find space. Under all tasks choose import, set the explorer to show all file types, and choose the private local CA certificate (.pem or .crt, NOT the .key file). This certificate must be placed in the Trusted Root Certification Authorities store or it will not work. After this you can close MMC.
    4. At this point, if you use Firefox, you will need to tell it that the authorities in this system list can be trusted. Open Firefox now if you haven’t already.
      In the Firefox search bar, navigate to about:config and then search for security.enterprise_roots.enabled. Right click this property and toggle it to true.
    5. Restart your browser(s) completely. They must not have any background extensions or processes running; you may need to end the task entirely to get the browser to acknowledge the CA.

  • To add the certificate to Chrome’s trusted CA list if you exclusively use Chrome:
    1. Select ... in the top right corner to get to your Settings. Under advanced open the menu item to manage certificates.
    2. On the trusted root certification authorities tab select import.
    3. Set the explorer to show all file types, navigate to the private local CA certificate (.pem or .crt NOT the .key file) and open the file.
    4. Make sure that it’s going into the Trusted Root Certification Authorities store.
    5. Restart your browser completely. It must not have any background extensions or processes running; you may need to end the task entirely to get it to update.

  • To add the certificate to Firefox’s trusted CA list if you exclusively use Firefox:
    1. Select the hamburger icon with three horizontal lines in the top right-hand corner of the browser and open the options menu.
    2. Switch to the privacy and security tab.
    3. Scroll to the bottom and select view certificates.
    4. Under the authorities tab choose import, navigate to the private local CA certificate (.pem or .crt, NOT the .key file) and open the file. Make sure you allow this certificate to identify websites.
    5. Restart your browser completely. It must not have any background extensions or processes running; you may need to end the task entirely to get it to update.

  • To add the certificate to the iOS trusted CA list so that you can have secure access from a Mac:
    1. Select the magnifying glass icon in the top right-hand corner to open Spotlight Search.
    2. Search for and launch “Keychain Access”.
    3. Click file, then import items to open a file browser.
    4. Click options and set the destination keychain to be System, and then open your local CA certificate (.pem NOT .key).
    5. Enter your password and then find your certificate in the system keychain tab.
    6. Right-click your CA certificate and select get info.
    7. In the popup window choose trust and set the option for ‘when using this certificate’ to Always Trust. Close this popup and enter your iOS user password once again.
    8. At this point, if you use Firefox, you will need to tell it that the authorities in this system list can be trusted. Open Firefox now if you haven’t already.
      In the Firefox search bar, navigate to about:config and then search for security.enterprise_roots.enabled. Right click this property and toggle it to true. You may need to restart your system for these changes to take effect.

4. Upload the Server Certificate

  • Upload the server *.pem certificate to the groov EPIC so that the SSL server is up-to-date with your signed certificate.
    1. Open groov Manage, in the security menu select server SSL.
    2. Download the private key and then select upload certificate.
    3. Set the public certificate to your signed *.crt, hand back the private key you just downloaded, leave the intermediate certificate empty, and finally, press upload.

5. Refresh to Complete the Process

At this point you can refresh your page and discard any previously made network exceptions as you will now have a valid, signed certificate with no insecure connection warning in Chrome and/or Firefox.

If you want any other devices to be able to securely visit this page, you do not need to make any further changes to the EPIC SSL server; just install the CA certificate on the client device and you’re good to go. When you do give out the certificate file, be sure not to give out the key as well: anyone who gets hold of the key file can create and sign certificates that will be trusted by all clients that the associated CA certificate is installed on.
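
The steps above tell the certificate (.pem or .crt) apart from the .key file by extension, but a .pem file can hold a private key as well as a certificate. The following is an added example, not part of the original page: it reads the PEM block labels in a file before you import it or hand it to a client. The function names and the sample data are constructed for illustration.

```python
import re
import sys

# One PEM armor block; group 1 is the label, e.g. "CERTIFICATE".
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----",
    re.DOTALL,
)


def pem_labels(data):
    """Return the label of every PEM block found in the file contents."""
    text = data.decode("ascii", errors="replace")
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]


def classify(data):
    """Classify file contents as 'distribute', 'secret' or 'unknown'.

    distribute: only CERTIFICATE blocks, fine to install on client devices
    secret:     at least one private key block, never give this file out
    unknown:    no PEM armor (e.g. binary DER) or other block types
                such as a CSR; inspect it before using it
    """
    labels = pem_labels(data)
    # Covers PRIVATE KEY, RSA/EC PRIVATE KEY and ENCRYPTED PRIVATE KEY.
    if any(label.endswith("PRIVATE KEY") for label in labels):
        return "secret"
    if labels and all(label == "CERTIFICATE" for label in labels):
        return "distribute"
    return "unknown"


# Constructed samples: the base64 bodies are placeholders, not real material.
CA_CERT = b"-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
CA_KEY = b"-----BEGIN RSA PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END RSA PRIVATE KEY-----\n"
BUNDLE = CA_CERT + CA_KEY                # certificate and key in one .pem
DER_LIKE = b"\x30\x82\x03\x1f\x30\x82"   # binary data, no PEM armor

if __name__ == "__main__":
    # Usage: python check_pem.py myCA.pem other-file.crt
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, classify(fh.read()))
```

A file that reports `secret` stays with the CA, even if its name ends in .pem.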

Signing Additional CSR Files for More Devices

Once you have created the CA certificate and key, and put the files somewhere safe, you can repeat the signing and server SSL certificate update procedure without having to make and update a new trusted root CA. As long as the same key that signed your CA certificate is signing your device CSRs, you can have as many devices signed by the private CA as you want. You can add new clients to all of those devices by simply adding the CA certificate to the device’s trusted root store; that client can then freely visit all servers that have a certificate signed by your CA key. Keep in mind that if your key gets out, the Certificate Authority will not be trustworthy any more, and you would need a new CA and use that to re-sign all your server CSRs, as well as upload new client CA certificates. It is crucial that you keep your Certificate Authority key secret and safe.
