How to import a root CA in Firefox?


Firefox comes with preloaded certificates from commercial certificate authorities (CAs).

These embedded CAs are trusted third parties that certify that the public key belongs to the server identified by the domain name typed in the browser.

A CA's certification (called a signature) is important because otherwise we could not be sure that the public key presented by the named web server really belongs to that server. Without the CA's signature on the server's certificate, we could easily fall victim to a man-in-the-middle attack in which a malicious entity replaces the public key, so that we encrypt data with the attacker's key.

If you deploy your own HTTPS web server you have several options to handle your certificate signatures:

Most websites use the second option, which is troublesome for the server administrator because it requires buying the certificate from the semi-monopolized commercial CAs, who perform a verification process. It takes time and money but, on the other hand, is the most convenient for the end user: the website visitor does not have to do anything special. Once the website presents a signed certificate, it is automatically accepted based on the browser's embedded CA list and the connection is secured.

This article describes the third option, which is the "Do It Yourself" way. It is free and arguably more secure than the second option because you don't have to trust commercial CAs. It has one major limitation, however: the end user must add your CA certificate to the browser's CA list.

It's a big burden on the user, and we imagine there are two cases where it may work:

The instructions below assume that you already have your own CA certificate. To generate one, you can use the rfwgen script, which is part of the open source rfw project developed by SecurityKISS.

Import your CA cert

Open a Firefox browser.

Choose Preferences from the Edit menu.

Click the Advanced button.

Select the Encryption pane.

Click the View Certificates button.

Click the Authorities tab.

Click the Import button at the bottom of the screen.

Select the CA certificate file.

Select "Trust this CA to identify websites".

Click OK.

Your Certificate Authority should be in the list now.
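Because the imported CA will be trusted to identify websites, the user should confirm before the import step that the file really is the CA certificate the administrator issued. The Python code below is an added example, not part of the original article or of the rfw project: it computes the SHA-256 fingerprint of a PEM file and compares it with a value received out of band. The function names and the sample bytes are assumptions constructed for illustration.

```python
import base64
import hashlib
import hmac
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def pem_to_der(pem_text):
    """Return the DER bytes of the single certificate in pem_text."""
    blocks = PEM_RE.findall(pem_text)
    if len(blocks) != 1:
        # A bundle would add every CA in it to the trust list at once.
        raise ValueError("expected exactly 1 certificate, found %d" % len(blocks))
    der = base64.b64decode("".join(blocks[0].split()), validate=True)
    if not der or der[0] != 0x30:  # a certificate is a DER SEQUENCE
        raise ValueError("payload is not a DER SEQUENCE")
    return der

def sha256_fingerprint(pem_text):
    """SHA-256 fingerprint as colon-separated upper-case hex."""
    digest = hashlib.sha256(pem_to_der(pem_text)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def matches_pinned(pem_text, pinned):
    """Compare against a fingerprint received out of band."""
    normalise = lambda s: re.sub(r"[^0-9a-f]", "", s.lower())
    return hmac.compare_digest(
        normalise(sha256_fingerprint(pem_text)), normalise(pinned))

def to_pem(der):
    """Wrap DER bytes in PEM armour (helper for the constructed samples)."""
    b64 = base64.encodebytes(der).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "-----END CERTIFICATE-----\n"

# Constructed stand-in bytes (a tiny DER SEQUENCE), not a real certificate.
SAMPLE_PEM = to_pem(bytes([0x30, 0x03, 0x02, 0x01, 0x01]))
TAMPERED_PEM = to_pem(bytes([0x30, 0x03, 0x02, 0x01, 0x02]))

if __name__ == "__main__":
    pinned = sha256_fingerprint(SAMPLE_PEM)  # stands in for the published value
    print("fingerprint:", pinned)
    print("genuine file matches:", matches_pinned(SAMPLE_PEM, pinned))
    print("tampered file matches:", matches_pinned(TAMPERED_PEM, pinned))
```

In real use, read the text of your CA file and pass it together with the fingerprint the administrator published through a separate channel; import the file only if the comparison succeeds.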