Editor’s note: This post is written by Brian S., a pen test manager on ExpressVPN’s cybersecurity team.
Digital certificates are the foundation of trust on the internet. They’re what your device uses to confirm that a given site, connection, or file is what it claims to be.
At the very heart of the system are Trusted Root CA certificates. For the uninitiated, a Trusted Root CA is a certificate installed on your computer that tells it which certificates to trust. An organization that installs its own Trusted Root CA on your device gains enormous power over it and over your communications, because it can issue a certificate for just about any other entity you might interact with, and your device will accept it.
That’s why we will never install our own Trusted Root CA on your device, with or without your permission. Though it could be convenient for us, making things easier and cheaper, it’s a power we don’t need, don’t want, and don’t believe any VPN has a right to ask for.
In this article, we’ll explain what a Trusted Root CA is and what could go wrong if a VPN (or other) company installs its own.
A cautionary tale
The installation of a Trusted Root CA poses significant privacy and security risks. Despite that, it’s a practice that we’ve unfortunately seen from other companies, including VPN providers.
Other companies installing Trusted Root CAs may have different intentions, for better or for worse, but regardless, it’s a dangerous amount of control and access to hand over to a third party.
We believe that Trusted Root CAs should only come from organizations that are regularly audited and included on recognized lists of well-known certificate authorities—not third parties. Ensuring our company, employees, and customers maintain the best security posture they can is a core tenet of our business.
What is a Trusted Root CA?
Trusted Root CAs are crucial to everyone's privacy and security because they let your device verify that the service or software you are using was issued a certificate by a legitimate, well-known party that you trust. We need to establish this type of trust to:
At the center of this trust model lies public key cryptography, TLS certificates, and certificate authorities (CAs for short). For a quick refresher on how these work, give our recent blog post on these topics a read.
A CA is the origin of trust within the Public Key Infrastructure (PKI) model: it sits at the top of a trust hierarchy and is used to validate every other certificate in a certificate chain. On your computer, a Trusted Root CA is a Root CA certificate installed in the system's trust store, which your computer uses to verify the authenticity of other certificates, such as the TLS certificates of the websites you visit or the signatures on the software you install.
All modern computers and browsers come with a limited set of pre-installed Trusted Root CAs. As of April 2022, the Firefox web browser includes Trusted Root CAs from 54 organizations, including Amazon, DigiCert, GlobalSign, GoDaddy, Google, Microsoft, and Sectigo (Comodo). All Trusted Root CA organizations whose certificates are pre-installed must undergo regular external auditing to ensure that they hold an elevated security posture commensurate with the criticality of this responsibility.
However, you can also add other certificates to be used as Trusted Root CAs by your computer for various purposes, like authentication to an internal company website. These CAs are not subject to the same level of security scrutiny as the limited set pre-installed on your computer.
Can someone create their own CA?
Yes. Anyone can generate a self-signed CA certificate and use its private key to sign (issue) other certificates. But your browser or computer won't trust certificates issued by that CA unless it has been explicitly added as a Trusted Root CA on your computer or mobile device.
Any website or software signature whose certificate does not chain to one of the Trusted Root CAs on your computer won't be trusted, and you'll receive a warning that someone may be trying to intercept your communications or install untrusted software.
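The following PowerShell session is an added example, not code from the original post or from ExpressVPN. It creates a throwaway private CA and a certificate for www.example.com signed by it, then builds the certificate chain twice: once with the CA left untrusted, and once with the CA treated as a trusted root. It assumes Windows 10 / Server 2016 or later (for New-SelfSignedCertificate -Signer) and PowerShell 7 (.NET 5 or later) for the CustomRootTrust chain mode, which lets the check trust the root for this one evaluation without writing it into a Cert:\...\Root store. The subject names, validity period and the Test-ChainTrust helper are illustrative choices.

```powershell
# Added example: why a private CA's certificates are rejected until its root is trusted.
# Assumes Windows 10+/Server 2016+ and PowerShell 7 (.NET 5+) for CustomRootTrust.

function Test-ChainTrust {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Leaf,
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Issuer,
        [switch] $TrustIssuerAsRoot
    )
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # throwaway CA: no CRL/OCSP to consult
    if ($Issuer) {
        # ExtraStore lets the chain engine FIND the issuer; it does not make it trusted.
        $null = $chain.ChainPolicy.ExtraStore.Add($Issuer)
    }
    if ($TrustIssuerAsRoot) {
        # CustomRootTrust ignores the system root stores and trusts only what we add here.
        $chain.ChainPolicy.TrustMode = 'CustomRootTrust'
        $null = $chain.ChainPolicy.CustomTrustStore.Add($Issuer)
    }
    $ok = $chain.Build($Leaf)
    $status = ($chain.ChainStatus.Status | Sort-Object -Unique) -join ', '
    $chain.Dispose()
    [pscustomobject]@{ Trusted = $ok; Status = $status }
}

# Throwaway private root CA (basic constraints CA=true, key usage CertSign).
$root = New-SelfSignedCertificate -Subject 'CN=Example Private Root (DO NOT TRUST)' `
    -KeyUsage CertSign, CRLSign -KeyExportPolicy NonExportable `
    -TextExtension @('2.5.29.19={text}CA=true&pathlength=0') `
    -NotAfter (Get-Date).AddDays(1) -CertStoreLocation Cert:\CurrentUser\My

# Leaf certificate issued by that root. The hostname is arbitrary: whoever holds
# the root's private key can issue for ANY name, which is the whole risk.
$leaf = New-SelfSignedCertificate -Subject 'CN=www.example.com' -DnsName 'www.example.com' `
    -Signer $root -NotAfter (Get-Date).AddDays(1) -CertStoreLocation Cert:\CurrentUser\My

try {
    # 1. Root known but not trusted: the chain builds, but ends in an untrusted root.
    Test-ChainTrust -Leaf $leaf -Issuer $root

    # 2. Same root treated as a Trusted Root CA: the same certificate now validates.
    Test-ChainTrust -Leaf $leaf -Issuer $root -TrustIssuerAsRoot
}
finally {
    # Remove the throwaway certificates and their private keys from the Personal store.
    Remove-Item "Cert:\CurrentUser\My\$($leaf.Thumbprint)" -DeleteKey
    Remove-Item "Cert:\CurrentUser\My\$($root.Thumbprint)" -DeleteKey
}
```

The first call should report the chain as not trusted with an UntrustedRoot status; the second should report it as trusted. Nothing about the leaf certificate changed between the two calls, only whether the root was trusted, which is exactly what installing a Trusted Root CA flips for every certificate that CA will ever issue.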
What are the risks of installing a Root CA as Trusted?
Given that a Trusted Root CA is entrusted to verify other certificates, affirm the authenticity of software and websites, and keep your communications safe from prying eyes, installing an additional Root CA potentially undermines the security of all your software and communications. When you install a Trusted Root CA, you are trusting the separate, potentially malicious, authority that created it to:
Assuming the entity that created the CA is not malicious and you trust it to safely perform the above functions, you’re also trusting it to keep that Root CA’s private key safe, which is not an easy task.
If the private key is compromised, anyone who has access to it can:
Over the years, a number of supposedly well-protected CA private keys have been compromised, most notably in the case of . It’s also unlikely you would ever know that the CA’s private key was compromised, potentially allowing the compromise to last indefinitely.
Finally, we consider the installation of third-party Trusted Root CAs so toxic, we don’t even use them in our own corporate IT operations. We take privacy seriously, including the privacy of our own employees. This is a departure from many corporate IT products and systems that require the installation of Root CAs to validate their own servers or inspect traffic. We consistently screen vendors for such egregious requirements and eliminate them if they require Root CAs. That means we sometimes limit our capabilities in managing or securing our endpoints, and we think that’s an acceptable approach in the name of privacy. We have developed other ways to ensure our corporate assets remain secure and managed.
What is a Trusted Root CA store?
On Windows, a certificate must be imported into a certificate store before it can be exported or converted to another format. To import one with the Certificate Import Wizard:
1. On the Welcome to the Certificate Import Wizard page, click Next.
2. Browse to the certificate file you want to import and click Next. Note: set the file-type filter to All Files (*.*), or the file may not appear in the dialog.
3. Choose the store. Use the Personal store for your own certificates. Use Trusted Root Certification Authorities only if the certificate is a CA you deliberately intend your computer to trust, with the risks described above in mind.
4. Click Finish to complete the wizard. If the import succeeded, the wizard reports that the import was successful.
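The same import, done from PowerShell rather than the wizard, as an added example that is not part of the original post. It uses the built-in PKI module cmdlets (Import-Certificate, Import-PfxCertificate, Export-Certificate; Windows 8 / Server 2012 or later) and adds the check a practitioner wants after reading the sections above: a list of root certificates that exist only for the current user, which is where a program running without administrator rights would have to put a root it installed. The file paths and the Get-UserAddedRoot helper are illustrative assumptions.

```powershell
# Added example: importing into the Personal and Trusted Root stores from PowerShell,
# and finding roots that were added for the current user only. Paths are placeholders.

# The -CertStoreLocation decides what the certificate is trusted for.
# My   = Personal store: your own certificates, no trust decision is made.
Import-Certificate -FilePath 'C:\certs\my-client.cer' -CertStoreLocation Cert:\CurrentUser\My

# Root = Trusted Root Certification Authorities: every TLS connection and code
# signature this user checks will now accept anything this CA issues.
# Only do this for a CA you deliberately intend to trust.
Import-Certificate -FilePath 'C:\certs\internal-ca.cer' -CertStoreLocation Cert:\CurrentUser\Root

# A PKCS#12 bundle (.pfx) that carries a private key belongs in the Personal store.
Import-PfxCertificate -FilePath 'C:\certs\my-client.pfx' -CertStoreLocation Cert:\CurrentUser\My `
    -Password (Read-Host -AsSecureString 'PFX password')

# Once a certificate is in a store it can be exported again, here as DER (.cer).
$cert = Get-ChildItem Cert:\CurrentUser\My | Where-Object Subject -like 'CN=my-client*' | Select-Object -First 1
Export-Certificate -Cert $cert -FilePath 'C:\certs\my-client-copy.cer' -Type CERT

# Roots present for the current user but absent from the machine store were added
# after the fact by a user or a program, not shipped with Windows. Each one deserves
# an explanation; remove any you cannot account for.
function Get-UserAddedRoot {
    $machineRoots = Get-ChildItem Cert:\LocalMachine\Root | ForEach-Object Thumbprint
    Get-ChildItem Cert:\CurrentUser\Root |
        Where-Object { $_.Thumbprint -notin $machineRoots } |
        Select-Object Subject, Issuer, NotAfter, Thumbprint
}

Get-UserAddedRoot | Format-Table -AutoSize

# To remove a root you did not intend to trust (thumbprint from the list above):
# Remove-Item "Cert:\CurrentUser\Root\<thumbprint>"
```

Reading Cert:\LocalMachine\Root does not require administrator rights, so the check runs as an ordinary user. Roots deployed by Group Policy or installed machine-wide by an administrator land in LocalMachine\Root instead, so review that store separately on managed machines.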
Additional notes if you are interested
The certificate store is central to all certificate functionality on Windows. Stores are managed through the CryptoAPI functions whose names begin with Cert (for example CertOpenStore and CertAddCertificateContextToStore). Certificates, certificate revocation lists (CRLs) and certificate trust lists (CTLs) can be kept and maintained in certificate stores, and retrieved from the store where they were persisted for use in authentication.
Certificates in a certificate store are normally kept in some kind of permanent storage, such as a disk file or the system registry.
Certificate stores can also be created and opened strictly in memory. A memory store provides temporary storage for working with certificates that do not need to be kept.
I hope you found this blog post helpful on how to import certificates into the Trusted Root and Personal certificate stores. If you have any questions, please let me know in the comment section.