Mozilla operates multiple internal root CAs for issuing signed SSL certificates for a number of testing, pre-production and stage sites.

Legitimate public sites, including Mozilla sites, should never require you to trust these root CAs.

These root CAs are for internal use only. They are not trusted by Firefox, NSS, or any other Mozilla product. They will never be included in any trusted certificates store.

If you are helping us test one of these sites that uses a certificate signed by Mozilla, you might get a security warning.

This document tells you how you can tell your browser to trust the Mozilla CAs so that you don't get these warnings.

Mozilla Root Certificate

The Mozilla Root Certificate and md5 checksum can be downloaded from:

• Certificate: https://www.mozilla.org/certs/mozilla-root.crt
• MD5 Checksum: 61eea9835bd07e11d324a1ee44cef630
• SHA1/MD5 Fingerprints:

SHA1 Fingerprint: D7:C5:58:47:E4:D3:54:88:73:85:20:14:AE:4D:29:C4:AC:19:47:84
MD5 Fingerprint: 02:A3:29:30:03:D4:C1:A0:33:A0:44:AB:B0:D1:77:CF

Installation

Mozilla Firefox

Firefox uses its own Certificate Manager. The following procedure tells you how to import the Mozilla Root Certificate into your Firefox web browser.

1. Go to the Mozilla Root Certificate website: https://www.mozilla.com/certs/mozilla-root.crt
2. You'll get:

You have been asked to trust a new Certificate Authority (CA).

Do you want to trust "Mozilla Root CA" for the following purposes?

[ ] Trust this CA to identify web sites.
[ ] Trust this CA to identify email users.
[ ] Trust this CA to identify software developers.

Before trusting this CA for any purpose, you should examine its certificate
and its policy and procedures (if available).

[VIEW] Examine CA certificate

You should click on VIEW to check the certificate. Most important is that you check the fingerprints of the certificate. They should match the fingerprints above.

1. Close the Certificate Viewer and check at least the first box ('Trust this CA to identify web sites.').
2. Press OK and that's it.

If you want to check, modify, or delete the Mozilla Root Certificate you can access it at any time via:

1. Open Edit -> Preferences -> Advanced or Open Tools -> Options -> Advanced
2. Certificates -> Manage Certificates
3. Authorities
4. The Mozilla certificate is called Mozilla Root CA (Scroll down to 'R'!)
5. Here you can View, Edit and Delete it.

Apple Safari

To add the Mozilla Root Certificate to Apple Safari, we need to use the Keychain Access application which is shipped with Mac OS X.

To install the certificate system-wide, you need to follow these steps:

1. Go to the Mozilla Root Certificate website: https://www.mozilla.com/certs/mozilla-root.crt
2. Double-click on the mozilla-root.crt file. The Keychain Access application will be launched.
3. To check the certificate, click on the 'View Certificates' button on the left side of the dialog. A dialog with information about the certificate will pop up. Make sure the SHA1/MD5 fingerprints match.

1. Select 'X509Anchors' from the 'Keychain' dropdownlist and press 'OK'.
2. You will be asked to authenticate yourself. After that, the certificate will be installed system-wide.

Opera Web Browser

This applies to 8.02 Linux, not sure about 6.x or 7.x

1. Go to the Mozilla Root Certificate website: https://www.mozilla.com/certs/mozilla-root.crt
2. Click on 'Root Certificate (PEM Format)'
3. Choose 'View'
4. Check 'Allow connections to sites using this certificate'
5. If desired, uncheck 'Warn me before using this certificate'

There seems to be an occasional problem getting the certification to pass on Opera 8.5 in Windows. Here is the workaround:

1. Make sure cache is cleared.
2. Attempt to get cert. via Opera ID'ing.
3. Attempt to get while ID'ing as IE 6.0 (in Opera).
4. Attempt to get while ID'ing as Opera again. This time, cert. should pass through.

It seems there is something about the caching where it wants both IE and Opera set at the same time before it will let the Opera cert. go through. Odd, but it works.

Microsoft Internet Explorer

If you want to install the Mozilla Root Certificate manually into Internet Explorer do the following:

1. Go to the Mozilla Root Certificate website: https://www.mozilla.com/certs/mozilla-root.crt
2. In the File Download window, select Open.
3. You should verify certificate details in the Certificate window.
4. Click on Install Certificate to launch the Certificate Import Wizard
   1. The defaults are generally fine and you can just select Next.
   2. When prompted select Yes to install

Note: This procedure only adds the Mozilla Root Certificate to the current user.

External Documentation

All of this was taken from the following external sources:

• Rutgers University FAQ for adding a CA cert to various web browsers
• HowTo: Import the CAcert Root Certificate into Client Software

Generating CSRs

If you want to generate your own CSR for Mozilla to sign, take a look at these two sites:

• http://sial.org/howto/openssl/csr/
• http://www.geotrusteurope.com/support/csr/csr_apache.htm

Obsolete "Mozilla Root CA", deprecated October 2012

This certificate is now considered deprecated as of October 2012, and is in the process of being replaced. If you find it used "in the wild", please let us know so we can work on replacing it.

The obsolete Mozilla Root CA Certificate and md5 checksum can be downloaded from:

• Certificate: https://www.mozilla.org/certs/mozilla-root-2007.crt
• MD5 Checksum: fcd2026c3b8de102b36042c50e627cca
• SHA1/MD5 Fingerprints:

SHA1 Fingerprint: B7:E6:8B:CC:DB:1A:12:26:82:B5:A2:93:F5:D3:0F:A6:44:64:85:D6
MD5 Fingerprint: 7F:1F:90:5A:5F:1F:4E:95:F8:33:AB:10:69:51:ED:BE