Non-profit, member-based IT support for research & educational institutions


Strategic and Practical FAQ -- Using Digital Certificates

Loading the CREN Root Certificate into Your Browser

Draft 1.7, August 5, 2001

1. What is the CREN root certificate?

The CREN root certificate is a digital document containing the public key portion of the CREN self-signed certificate.

2. Why do I want to know how to load the CREN root into my browser?

You want to know how to load the CREN root into your browser because it provides you with some control over which servers you authorize your browser to interact with. Your browser comes preloaded with dozens of root certificates in the Security Module. These certificates "certify" servers to your browser.

3. Is it hard to load the CREN root into my browser?

No. Downloading the CREN Root Certificate into your browser is very straightforward, similar to installing a plug-in. Here is how to do it.

* At www.cren.net, click on the "Download the CREN Root to your Browser" link.

* The browsers handle the certificate loading and naming slightly differently. Here is how they are different.

- In Netscape, the browser checks to see if the CREN root is already in your browser. If it is not, the browser presents a series of dialogue boxes that ask if you want to install this certificate into your browser Security Module. After clicking through the dialogue boxes, the Netscape browser presents a dialogue box that allows you to create a "User Friendly" name for the certificate. (We recommend that you use the name "CREN CA".)

- In Internet Explorer, the browser also presents a series of dialogue boxes. The one potentially confusing dialogue box presents the choice of opening the certificate file from the current location or saving it to disk. The recommended choice is to select "Open this file" and click OK. Then click the "Install Certificate" button in the next window.

4. How do I know if I have successfully downloaded the CREN root?

After you install the CREN CA root in your browser, it appears in your list of CA Signers. To see the certificate, here is what to do.

- In Netscape, click on the Security Icon in the toolbar, click Signers and find the CREN CA in the list. You can then choose to "Verify" or "Delete" the certificate. An "Edit" button also allows you to enable the use of this certificate for three purposes: certifying network servers, certifying e-mail users, and certifying software developers.

- In Internet Explorer, click on Tools, Internet Options, Content and Certificates and choose the Trusted Root Certification Authorities. Look for the "Education and Research Client CA". This is the name assigned to the CREN Root in IE. To give it a "Friendly Name", you would have to click on the Details tab and choose Edit Properties. This is also where you will be able to change the intended use of this certificate.

5. How do I know if I have downloaded the valid CREN root and not a bogus one?

Just as it is easy to see the CREN Root Certificate in your browser after you have downloaded it, it is also possible to verify that the certificate is the valid CREN root certificate. The way to do this is to check its fingerprint or thumbprint against the publicly distributed one.

The browsers handle the algorithms of the certificates differently. However, across the many possible combinations of browser and operating system, you should see one of the following thumbprints or fingerprints.

6. Is the thumbprint or fingerprint of the CREN root Certificate posted anywhere else?

The best way to ensure that bogus certificates do not proliferate is to post the thumbprints/fingerprints of root certificates broadly. Thus, the thumbprint/fingerprint of the CREN root is or will soon be posted on other higher education sites.
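The fingerprint check from questions 5 and 6, as an added example that is not part of the original CREN FAQ: it hashes a downloaded certificate file and compares the result with fingerprints published elsewhere, whatever separators or letter case they use. The function names and the sample bytes are assumptions made for the illustration; the sample is constructed and is not the CREN root.

```python
import base64
import hashlib
import re

# Different browsers display different digests of the same certificate
# (for example MD5 or SHA-1), so compute several and accept a match on any.
ALGORITHMS = ("md5", "sha1", "sha256")
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def load_der(data):
    """Return the DER bytes of a certificate supplied as PEM or raw DER."""
    m = PEM_RE.search(data.decode("latin-1"))
    if m is None:
        return data  # no PEM armour: treat as DER already
    return base64.b64decode("".join(m.group(1).split()), validate=True)

def normalize(fp):
    """Drop the separators browsers add ('AB:CD', 'ab cd') and lowercase."""
    digits = re.sub(r"[\s:]", "", fp).lower()
    if not re.fullmatch(r"[0-9a-f]+", digits):
        raise ValueError("not a hex fingerprint: %r" % fp)
    return digits

def fingerprints(der):
    """Digest the whole DER encoding, which is what a browser displays."""
    return {alg: hashlib.new(alg, der).hexdigest() for alg in ALGORITHMS}

def matches_published(cert_data, published):
    """Return the algorithm whose digest equals a published value, else None."""
    computed = fingerprints(load_der(cert_data))
    wanted = {normalize(p) for p in published}
    for alg in reversed(ALGORITHMS):  # report the strongest matching digest
        if computed[alg] in wanted:
            return alg
    return None

# Constructed stand-in bytes, NOT the CREN root certificate.
SAMPLE_DER = b"0\x82constructed-example-certificate-bytes"
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    for alg, digest in fingerprints(load_der(SAMPLE_PEM)).items():
        print(alg, digest)
```

Take the published values from a source other than the site that served the certificate file, so that a substituted certificate and a substituted fingerprint would both have to be forged.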

7. Can I see screen shots of this process anywhere?

Yes. There are detailed step-by-step instructions with screen shots for this process for Internet Explorer and Netscape posted at www.cren.net/ca.

8. Do users need the CREN root certificate installed in their browsers to access JSTOR using digital certificates?

No, the JSTOR server will have the CREN root certificate installed. Users will only need their digital certificate that has been issued to them by their institution and their digital certificate password. However, users may need the CREN root installed in their browsers for using other web applications.

Please send comments/suggestions to cren@cren.net