When selecting an SSL/TLS certificate for a website, we’re usually faced with some decisions regarding which certificate to choose. One decision is which Certificate Authority (CA) to use.
Some of the factors that go into choosing a CA include trust, customer service, brand recognition, and cost.
Perhaps the most important factor of these is trust. We need to choose a CA that browsers trust. If we don’t do that, then our website users will likely be scared away from our site due to browser warnings that scream “This website is not secure!”.
This article demonstrates how to check whether or not a CA is in the trusted CA list.
What Are Certificate Authorities (CAs)?
Certificate Authorities (CAs) are organizations that issue digital certificates. These certificates validate the ownership of a public key by the domain it’s used with, confirming that a website or service is legitimate. SSL/TLS certificates help establish secure HTTPS connections, protecting data transmitted between a user’s device and a web server from being intercepted or tampered with.
Trusted CAs are recognized as secure and reliable because they adhere to strict security policies and regularly undergo audits to maintain their status. Browsers, operating systems, and applications trust these CAs by default, allowing them to establish secure connections to verified websites.
Why Are Trusted CAs Important?
When you visit a website, your browser checks whether the certificate was issued by a CA it trusts. If the CA is on the trusted list, the browser will create an encrypted connection with the site. However, if the certificate was issued by an untrusted CA (or is self-signed), the browser will display a security warning. Without this list of trusted CAs, users would be unable to tell whether a website’s certificate is legitimate, making it difficult to trust online interactions and data transfers.
Where Is the Trusted CA List Stored?
Trusted CA lists are stored locally on operating systems and applications. These lists are regularly updated by the OS or browser provider and contain the root certificates of the CAs that the platform recognizes as secure. Each platform manages its CA list differently:
- Operating Systems: Windows, macOS, and Linux each maintain their own CA stores.
- Browsers: Browsers like Chrome, Firefox, Safari, and Edge maintain their own CA lists or refer to the OS’s CA store, depending on the browser and platform.
How to View the List of Trusted CAs on Different Platforms
Depending on the operating system or browser you’re using, there are specific methods to view the list of trusted CAs. Below, we cover the steps for the most commonly used platforms.
Viewing Trusted CAs on Windows
Here are two options for checking the trusted CAs listed on Windows machines.
Option 1: Certmgr.msc (Certificate Manager)
This tool provides a straightforward way to view and manage certificates specifically for the current user. You can access the Trusted Root Certification Authorities and other certificate stores without needing to configure anything additional. It provides quick access to view certificates and perform basic management for the current user.
- Open the Certificate Manager:
- Press Windows Key + R to open the Run dialog box.
- Type certmgr.msc and press Enter.
- Navigate to Trusted Root Certification Authorities:
- In the Certificate Manager, expand the “Trusted Root Certification Authorities” folder in the left pane.
- Click on the “Certificates” subfolder to view a list of all trusted root certificates on your Windows machine.
- Explore Certificate Details:
- Double-click on any certificate to view its details, including the CA’s name, validity period, and other identifying information.
Option 2: MMC
MMC allows you to add the “Certificates” snap-in, where you can specify whether to manage certificates for the current user, a specific service, or the computer (system-wide certificates).
To use the MMC approach:
- Press Windows Key + R, type mmc, and press Enter.
- In MMC, go to File > Add/Remove Snap-in, select Certificates, and choose the certificate store you want to manage (e.g., Computer account or My user account).
This approach can be useful in scenarios where you need to manage certificates across different contexts or manage certificates on behalf of multiple users or services. Therefore it’s ideal for system administrators or users managing certificates for the entire system, other user accounts, or specific Windows services.
Viewing Trusted CAs on macOS
- Open the Keychain Access App:
- Go to Applications > Utilities > Keychain Access.
- Select the System Roots Keychain:
- In Keychain Access, select “System Roots” from the left-hand menu. This section contains trusted CA certificates for macOS.
- View Certificate Details:
- Browse the list, and double-click on any certificate to see details such as the issuer, validity period, and certificate permissions.
Viewing Trusted CAs on Linux
Linux systems often use specific CA certificate bundles based on the distribution (e.g., Debian, Ubuntu, Fedora). Here’s a general way to access trusted CAs on Linux:
- Check the CA Certificate Directory:
- The trusted CA certificates are usually stored in /etc/ssl/certs/ or /usr/share/ca-certificates/.
- View the CA Bundle:
- You can open and review the certificates in these directories by opening the files directly in a text editor or by using a command like:

```bash
cat /etc/ssl/certs/ca-certificates.crt
```

- Verify CA Certificates Individually:
- Trusted CAs may be listed individually or compiled into a single file, depending on the Linux distribution.
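
Printing the bundle with cat shows only base64 PEM blocks, not CA names. The following is an added example, not part of the original article: it uses Python's standard ssl module to load a bundle (or the platform defaults when no file is given), search it by CA name, and confirm a CA by SHA-256 fingerprint. The function names are made up here, and the result reflects what Python's OpenSSL build loads, which can differ from a browser's own store.

```python
import hashlib
import ssl
import sys

def load_trusted_cas(cafile=None):
    """Return one dict per CA certificate that OpenSSL loaded.

    cafile=None uses the platform defaults: the default bundle on Linux,
    the ROOT and CA system stores on Windows.
    """
    if cafile is None:
        ctx = ssl.create_default_context()
    else:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.load_verify_locations(cafile=cafile)
    decoded = ctx.get_ca_certs()              # subject, issuer, notAfter, ...
    der = ctx.get_ca_certs(binary_form=True)  # same certs, DER bytes
    return [dict(info, sha256=hashlib.sha256(raw).hexdigest())
            for info, raw in zip(decoded, der)]

def subject_fields(cert):
    """Flatten the nested subject tuple into {'commonName': ..., ...}."""
    return {key: value for rdn in cert.get("subject", ()) for key, value in rdn}

def find_ca(cas, needle):
    """Case-insensitive substring match on the subject's CN, O or OU."""
    needle = needle.lower()
    keys = ("commonName", "organizationName", "organizationalUnitName")
    hits = []
    for cert in cas:
        fields = subject_fields(cert)
        if any(needle in fields.get(k, "").lower() for k in keys):
            hits.append(cert)
    return hits

def is_trusted(cas, sha256_hex):
    """Exact fingerprint match; a name match alone does not identify a cert."""
    wanted = sha256_hex.replace(":", "").lower()
    return any(cert["sha256"] == wanted for cert in cas)

if __name__ == "__main__":
    # Usage: python3 list_cas.py [name-substring] [bundle-path]
    query = sys.argv[1] if len(sys.argv) > 1 else ""
    bundle = sys.argv[2] if len(sys.argv) > 2 else None
    for cert in find_ca(load_trusted_cas(bundle), query):
        f = subject_fields(cert)
        name = f.get("commonName") or f.get("organizationName")
        print(f"{name} | expires {cert['notAfter']} | {cert['sha256']}")
```

Compare the printed fingerprint with the one the CA publishes before concluding that a root with a matching name is the certificate you expect.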
Viewing Trusted CAs in Web Browsers
Browsers allow you to view the trusted CA list, but the steps can differ slightly among popular browsers:
Google Chrome
- Open Settings:
- Go to Chrome settings by clicking on the three-dot menu in the top-right corner, then selecting “Settings.”
- Access Security Settings:
- In the settings search bar, type “security” and click on “Security” settings under “Privacy and Security.”
- View Trusted CAs:
- Scroll to the “Manage certificates” section. This will open the operating system’s certificate manager where you can view trusted CAs.
Mozilla Firefox
- Open Firefox Options:
- Click on the three-line menu in the top-right corner and select “Settings.”
- Go to Privacy & Security:
- In the settings menu, go to the “Privacy & Security” section, then scroll down to the “Certificates” section.
- View Certificates:
- Click on “View Certificates” to open the certificate manager where you can see the list of trusted root CAs.
Safari (macOS)
- Access Keychain Access:
- Safari relies on macOS’s Keychain Access for managing trusted CAs. Open Keychain Access by going to Applications > Utilities.
- View System Roots:
- Select “System Roots” and browse the list of trusted CA certificates.
Updating and Managing Trusted CAs
Trusted CA lists are generally updated automatically by operating systems and browsers. However, in some cases, you may need to update, remove, or add certificates manually:
- Adding a CA Certificate: Many platforms allow you to add a trusted certificate manually if needed. For example, in Windows Certificate Manager, right-click the “Trusted Root Certification Authorities” folder and select “Import” to add a new certificate.
- Removing a CA Certificate: Similarly, you may remove a certificate if you no longer trust it. However, exercise caution, as this can prevent access to websites that rely on that CA.
- Automatic Updates: Operating system and browser updates typically include the latest trusted CA lists. To ensure your trusted CA list is up-to-date, regularly update your OS and browser.