we-be-smart Certificate Authority


Google Chrome Users:

First, download the CA cert. Then, open the Settings and search for "cert". Click on the "Manage certificates..." button. From there, click on the "Authorities" tab, and hit the "Import..." button. Select the CAcert.crt file you downloaded, and hit Okay.

The certificates for all we-be-smart domains are signed by the we-be-smart certificate authority. If you wish to trust all certificates signed by we-be-smart, download and install the certificate authority CAcert.crt. Most browsers will automatically correctly install the certificate when you click on that link. If that does not work for you, please refer to the detailed instructions below.


Safari Users:

If you're running Mac OS X 10.5 or later:

  • Download CAcert.crt
  • Double click it, brining up Keychain.app
  • When it asks where you want to import the certificate choose 'login' if you want the certificate only available to your user (or don't have admin access) or 'system' if you want the certificate available to all users.
  • Click import and enter password.
  • When asked, you want to trust the new certificate. You will need to put in your password again. You're done.

If you're running Mac OS X 10.3 or 10.4:

  • Download CAcert.crt
  • Double click it, brining up Keychain.app
  • When it asks how you want to import the cert, make sure X509Anchor is selected
  • Click import, enter password, and you're done

If you're running Mac OS X 10.0, 10.1, or 10.2:

You need to follow a more complicate set of instructions, since Safari did not yet automatically install certificate authorities. To install the we-be-smart CA, download CAcert.der to your desktop and execute the following commands in a shell:

  cd ~/Library/Keychains
  cp ~/Desktop/CAcert.der .
  cp /System/Library/Keychains/X509Anchors .
  certtool i CAcert.der k=X509Anchors d
  sudo cp X509Anchors /System/Library/Keychains/X509Anchors
  

openssl users:

If you want to have your openssl-based apps (e.g. pine-ssl) trust any certificate signed by the we-be-smart certificate authority, do the following:

  • Download CAcert.crt, which is the CA in PEM format.
  • Rename it to 03ebf8c5.0 and put it in your $SSLDIR/certs ( /etc/ssl/certs by default )

By means of explanation: 03ebf8c5 is the x509 hash for the we-be-smart CA. openssl checks $SSLDIR/certs/########.0 (where ######## is the hash of the signing certificate) to see if it trusts a signing certificate.

If you want to verify the hash for the CA after you download it, do

openssl x509 -hash -in CAcert.crt

Mozilla/Firefox/Thunderbird Users:

Just click on the CA cert and follow the instructions that will pop up.


Internet Explorer Users:

Download the CA cert and save it to disk. Then double-click on it. A wizard will pop up and will walk you through installing it—unless you're doing something weird, just press "Next" a bunch of times and then "Finish".

There is a more detailed walkthrough here, but that's for MIT - instead of their cert, use ours.