SSL Warnings from vecna.org

So, you may have tried to connect to one of the SSL-enabled services hosted off vecna.org (HTTPS, SMTPS, Subversion); if so, your browser will most likely have complained about some problem with the SSL certificate.

You're seeing this complaint because Some Guy On The Internet uses CAcert.org as an SSL certificate authority. You should as well! Paying for SSL certificates for low-volume, personal use is ludicrous.

If CAcert.org is legit, why is my browser complaining?

As CAcert.org is not a commercial CA, most browsers do not preload its root certificates the way they do with the root certs from, say, VeriSign (remember those asshats?). CAcert.org is working with Mozilla to get root certs into Firefox, but for the time being the solution is to install the certificates yourself.

If you're using Safari

  1. Download the Class 1 cert and the Class 3 cert.
  2. As you download each one, Safari should do the right thing and pass them off to Keychain Access for storage; if not, you'll have to double-click each downloaded file in turn.
  3. When prompted to install each certificate, make sure you install it in the X509Anchors keychain. You must install both certificates before either one of them will appear to be valid.
  4. Once installed, you should be able to access my secure sites without seeing warnings; this configuration will extend to any other applications that store SSL certs in the Keychain (pretty much any Mac app other than Mozilla products).

If you're using Firefox

  1. Download the Class 1 cert and the Class 3 cert.
  2. In Firefox Preferences, select the Advanced pane, then the Authorities pane.
  3. Click Import; when prompted, select the first certificate file.
  4. Repeat this process with the second certificate file; neither certificate will appear valid until you have installed both of them.
  5. Once installed, you should be able to access my secure sites without seeing warnings; this configuration may extend to other Mozilla products, such as Thunderbird.

If you're using some command-line program

  1. Download the Class 1 cert and the Class 3 cert.
  2. Save both certs in some reasonable location (I've found /usr/local/share/ssl is convenient).
  3. Read the man pages to find out how to tell your program where its SSL CA certs are. Ideally you would append the directory where you saved the CAcert.org certs to the certificate search path, since I assume you'd want to connect to other sites besides just mine. :)
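
For the command-line case, here is one way to check a downloaded root certificate before trusting it and to lay it out so OpenSSL-based programs can find it. This is an added example, not something from the original page: the function names, the class1.pem file name and the fingerprint placeholder are assumptions, and the expected fingerprint has to come from a source you trust independently of the download.

```shell
#!/bin/sh
# Added example: verify a downloaded CA certificate's SHA-256 fingerprint
# before adding it to an OpenSSL-style CA directory.
# cert_fingerprint and install_ca are hypothetical names for illustration.

# Print the certificate's SHA-256 fingerprint as uppercase hex, no colons.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 |
        sed 's/^.*=//' | tr -d ':' | tr 'a-f' 'A-F'
}

# install_ca CERT_FILE EXPECTED_FINGERPRINT CA_DIR
# Returns 0 if installed, 1 on mismatch or unreadable certificate.
install_ca() {
    cert=$1
    expected=$(printf '%s' "$2" | tr -d ': ' | tr 'a-f' 'A-F')
    ca_dir=$3

    # An unreadable or malformed file yields an empty fingerprint.
    actual=$(cert_fingerprint "$cert")
    if [ -z "$actual" ] || [ "$actual" != "$expected" ]; then
        echo "fingerprint mismatch for $cert; not installing" >&2
        return 1
    fi

    mkdir -p "$ca_dir" || return 1
    cp "$cert" "$ca_dir/" || return 1

    # OpenSSL looks up CAs in a directory by subject-hash name (<hash>.0),
    # so create that link next to the copied file. An existing <hash>.0
    # link is replaced.
    hash=$(openssl x509 -in "$cert" -noout -hash) || return 1
    ln -sf "$(basename "$cert")" "$ca_dir/$hash.0"
}

# Usage (file name is an assumption; fingerprint is a placeholder):
#   install_ca class1.pem "<SHA-256 FINGERPRINT>" /usr/local/share/ssl
```

Run it once per certificate, then point your program at the directory as described in step 3.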