Certificate Management Service: Download and install root certificates

Last Updated: Dec 15, 2025

A root certificate is the foundation of an SSL/TLS trust chain and verifies all subordinate certificates (including intermediate certificates and server certificates) issued by a certification authority (CA). Mainstream browsers and operating systems typically include pre-installed root certificates from trusted CAs. However, in environments such as mobile apps, Java clients, legacy systems, or Internet of Things (IoT) devices, a missing root certificate can cause HTTPS connection failures or security warnings. This guide provides download links and installation steps for root certificates from various brands to help you establish trust on these clients, ensuring the security and availability of SSL/TLS communication.

Usage notes

This topic applies to client environments that require manual installation of a root certificate:

  • Mobile apps: Apps with custom trust stores that do not sync with the system or browser's list of root certificates.

  • Java clients: Applications that use an independent Java KeyStore (cacerts) and do not rely on the operating system's trust store.

  • Legacy operating systems or browsers: Older systems, such as Windows XP or Android 4.x, that do not have pre-installed root certificates from newer CAs.

  • Internet of Things (IoT) devices and embedded systems: Resource-constrained devices that typically include a limited set of root certificates.

  • Internal network environments: Systems using a private CA whose root certificate is not included in public trust stores.

  • Specific compliance or security policies: Environments that require explicit control over the list of trusted CAs.

Important

For modern browsers (Chrome, Firefox, Safari, Edge) and operating systems (Windows 10/11, macOS, Android 8+, iOS 12+), manual installation is typically unnecessary when using certificates from mainstream CAs such as DigiCert or GlobalSign. The root certificates are pre-installed, and the system updates them automatically.

Download root certificates

Note

If you are installing a root certificate from an internal enterprise CA, skip this step and proceed directly to Install root certificates.

Download links for root certificates by brand

Download the appropriate root certificate based on the SSL certificate brand (for example, DigiCert or GeoTrust) and certificate type (DV/OV/EV) used on your server. For example, if your server uses a DigiCert OV SSL certificate, download the corresponding DigiCert OV root certificate.

Certificate brand | Root certificate download
DigiCert | Note: Starting December 1, 2024, DigiCert will begin issuing SSL certificates from a new root and intermediate certificate chain. For more information, see Announcement on DigiCert Root Certificate Replacement.
GlobalSign
Alibaba Cloud | Note: Starting September 18, 2025, Alibaba Cloud will begin issuing its branded SSL certificates using a new root and intermediate certificate. For more information, see [Announcement] Alibaba Cloud Brand Certificate Root Update Announcement.

DigiCert root certificate compatibility

Operating system or browser | DigiCert Global Root CA (old) | DigiCert Global Root G2 (old - transitional) | DigiCert Global Root G2 (new - cross-root)
Fingerprint | a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c5436 | df3c24f9bfd666761b268073fe06d1cc8d4f82a4 | 8bf7f178a745a11bac6ae5b586fc1838eadcb2cf
Windows (Internet) | Windows XP SP3+
Windows (Internal network) | Windows 7+ | Windows 8+ | Windows 7+
macOS | Mac OS X 10.6+ | Mac OS X 10.10+ | Mac OS X 10.6+
iOS | iOS 4.0+ | iOS 7.0+ | iOS 4.0+
Firefox | Firefox 2+ | Firefox 32+ | Firefox 2+
NSS | NSS 3.11.8 | NSS 3.16.3 | NSS 3.11.8
Android | Android 1.1+ | Android 5.0+ | Android 1.1+
Chrome | Starting with Chrome 108, Chrome uses its own trust store. Earlier versions rely on the operating system's trust store.
Java | JRE 1.4.2_17+ | JRE 1.8.0_131+ | JRE 1.4.2_17+

Install root certificates

Install a root certificate on an operating system

Windows

The following steps use Windows 10 as an example.

  1. Open the Microsoft Management Console (MMC).

    Press Win+R to open the Run dialog box. Enter mmc and click OK to open the MMC console.

  2. Add the Certificates snap-in to the MMC console.

    1. In the menu bar at the top of the console, choose File > Add/Remove Snap-in.

    2. In the Add or Remove Snap-ins dialog box, select Certificates from the Available snap-ins list on the left and click Add.

    3. In the Certificates snap-in dialog box, select Computer account, and then click Next.

    4. In the Select Computer dialog box, select Local computer (the computer this console is running on), and click Finish.

  3. Import the root certificate.

    1. In the left navigation pane of the MMC console, expand Certificates (Local Computer).

    2. Select the destination folder, such as Enterprise Trust. Right-click the folder and choose All Tasks > Import.

      Note

      • Personal: Stores certificates for the current user or computer.

      • Trusted Root Certification Authorities: Contains root certificates from CAs that the operating system trusts by default.

      • Intermediate Certification Authorities: Stores intermediate certificates that link server certificates to a trusted root.

      • Enterprise Trust: Stores certificates from an internal enterprise CA, trusted only within the organization's network.

    3. Follow the on-screen instructions to complete the certificate import.

macOS

The following steps use macOS 12.5.1 as an example.

  1. Open the macOS system Launchpad.

  2. In the Launchpad search box, enter Keychain Access, and then click Keychain Access.

  3. On the Keychain Access page, click the Certificates tab.

  4. Drag the downloaded root certificate to an empty area on the Certificates tab in Keychain Access. macOS automatically verifies the root certificate.

    Note

    To download a root certificate, see Download root certificates.

  5. Right-click the newly added root certificate and click Get Info.

  6. On the certificate information page, select Always Trust and click the image icon.


Linux

The specific paths and commands for installing a root certificate on Linux systems vary by distribution. The following sections provide examples for CentOS/Red Hat and Ubuntu/Debian.

CentOS/Red Hat

  1. Install the system CA certificates package.

    sudo yum install ca-certificates

  2. Copy the root certificate file to the system's trust source directory.

    Path: /etc/pki/ca-trust/source/anchors/

  3. Update the certificate trust store.

    sudo update-ca-trust extract

    The system regenerates the trust bundle at /etc/pki/tls/certs/ca-bundle.crt.

  4. Verify the certificate. Use OpenSSL to test the HTTPS connection to your domain.

    openssl s_client -connect example.com:443 -CAfile /etc/pki/tls/certs/ca-bundle.crt

    Note

    Verification points:

    • The output should contain your certificate chain information.

    • If the connection is successful and ends with Verify return code: 0 (ok), the certificate is trusted.

Ubuntu/Debian

  1. Install the system CA certificates package.

    sudo apt install ca-certificates

  2. Copy the root certificate file to the system certificate directory.

    Path: /usr/local/share/ca-certificates/

  3. Update the certificate trust store.

    sudo update-ca-certificates

    The system automatically merges the new certificate into the system root certificate file /etc/ssl/certs/ca-certificates.crt.

  4. Verify the certificate.

    1. Use OpenSSL to verify the certificate file itself:

      # Use the following command to check if the certificate file is in the trust store. Replace your-certificate.crt with your root certificate file name.
      openssl verify /usr/local/share/ca-certificates/your-certificate.crt

      If the output is /usr/local/share/ca-certificates/your-certificate.crt: OK, the verification is successful.

    2. Check for the symbolic link:

      # Check if a corresponding .pem symbolic link file is generated in the directory. Replace your-certificate with your root certificate file name.
      ls -la /etc/ssl/certs | grep your-certificate

Install a root certificate in a browser

Note

For browsers that use the system's trust store (such as Chrome, Edge, and IE on Windows), we recommend importing the root certificate into the operating system instead of a single browser. The steps in this section apply to scenarios where you need to configure a root certificate for a specific browser only.

Google Chrome

Note

This section uses Windows 10 and Chrome 138.0.7204.102 (64-bit) as an example.

  1. Import the root certificate into the Chrome browser.

    1. Open the Chrome browser, click the image icon in the upper-right corner, and select Settings.

    2. In the left navigation pane of the Settings page, click Privacy and security.

    3. On the page that appears, click Security > Manage certificates > Manage certificates imported from Windows.

    4. In the Certificate Manager window, switch to the Trusted Root Certification Authorities tab.

    5. Click the Import button in the lower-left corner. Follow the prompts to select and import the root certificate file. After a successful import, an Import Successful message is displayed.

  2. Verify the import.

    1. Check whether the target root certificate was successfully imported to the selected path.

    2. Restart the Chrome browser.

    3. Access the target website and check that security warnings, such as untrusted certificate prompts, no longer appear.

Microsoft Edge

Note

This section uses Windows 10 and Microsoft Edge 92.0.902.67 (64-bit) as an example.

  1. Import the root certificate in the Edge browser.

    1. Open the Edge browser, click the image icon in the upper-right corner, and select Settings.

    2. On the Settings page, select the Privacy, search, and services tab.

    3. Scroll down to the Security section and click Manage certificates. The Windows Certificate Manager dialog box opens.

    4. In the Certificates window, switch to the Trusted Root Certification Authorities tab.

    5. In the lower-left corner, click the Import button. Follow the prompts to import the root certificate file. An Import Successful message is displayed upon completion.

  2. Verify the import.

    1. Confirm that the target root certificate was successfully imported to the selected path.

    2. Restart the Edge browser.

    3. Access the target website and check that security warnings, such as untrusted certificate prompts, no longer appear.

Mozilla Firefox

Note

This section uses Windows 10 and Firefox 142.0.1 (64-bit) as an example.

  1. Import the root certificate in the Firefox browser.

    1. Open the Firefox browser, click the image icon in the upper-right corner, and select Settings.

    2. On the Settings page, click the Privacy & Security tab.

    3. Scroll down to the Certificates section and click View Certificates. The Certificate Manager dialog box opens.

    4. In the Certificate Manager, click the Authorities tab and then the Import button.

    5. Follow the prompts to select the root certificate file and complete the import.

  2. Verify the import.

    1. On the Authorities tab, check the Certificate Name column to verify that the selected root certificate was imported successfully.

    2. Restart the Firefox browser.

    3. Access the target website and check that security warnings, such as untrusted certificate prompts, no longer appear.

Internet Explorer

Note

This section uses Windows 10 and Internet Explorer 11.1.20348.0 as an example.

  1. Import the root certificate in the IE browser.

    1. Open Internet Explorer, click the image icon in the upper-right corner, and select Internet Options.

    2. In the Internet Options window, click the Content tab.

    3. Click the Certificates button to open the Certificate Management interface.

    4. In the Certificates window, select the Trusted Root Certification Authorities tab.

    5. Click the Import button in the lower-left corner and follow the prompts to import the root certificate file.

  2. Verify the import.

    1. Check whether the target root certificate was successfully imported to the selected path.

    2. Restart the IE browser.

    3. Access the target website and check that security warnings, such as untrusted certificate prompts, no longer appear.

Risk assessment

  • Security risks

    • Untrusted sources: Obtain root certificates only from official or authoritative channels. Installing a root certificate from an unknown source can lead to malware injection or a Man-in-the-Middle (MITM) attack, severely compromising system security.

    • Operational errors: Importing a certificate to the wrong storage location or importing an incorrectly formatted certificate file can disrupt the system's trust chain or cause application connection failures.

  • Compatibility and maintenance costs

    • System/application version limitations: Some legacy operating systems or applications may not support new root certificate algorithms or standards, or they may require an upgrade for compatibility.

    • Root certificate expiration or changes: Root certificates have an expiration date. When a root certificate is about to expire or a CA switches to a new one, you must update the root certificate on all relevant clients to maintain a valid trust chain.

  • Bulk deployment costs

    • Manually installing root certificates on a large number of heterogeneous devices is inefficient and error-prone. We recommend using automated scripts or configuration/device management tools for bulk deployment and unified maintenance.
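The untrusted-source risk above and the Linux verification steps can both be checked against the fingerprints in the compatibility table. The following Python script is an added example, not part of the original page or of any Alibaba Cloud tooling; it assumes the downloaded file is PEM-encoded and that the 40-digit fingerprints are SHA-1, and the function names and the script name check_root.py are illustrative.

```python
import base64
import hashlib
import re
import sys

# Fingerprints from the compatibility table on this page. They are 40 hex
# digits, so this example ASSUMES they are SHA-1 digests of the DER encoding.
PUBLISHED_SHA1 = {
    "a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c5436": "DigiCert Global Root CA (old)",
    "df3c24f9bfd666761b268073fe06d1cc8d4f82a4": "DigiCert Global Root G2 (old - transitional)",
    "8bf7f178a745a11bac6ae5b586fc1838eadcb2cf": "DigiCert Global Root G2 (new - cross-root)",
}
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def normalize(fp):
    """Reduce 'A8:98:5D...' or 'a8 98 5d...' to bare lowercase hex."""
    return re.sub(r"[^0-9a-f]", "", fp.lower())


def sha1_fingerprints(pem_text):
    """SHA-1 fingerprint of every certificate in a PEM file or bundle, in order."""
    return [hashlib.sha1(base64.b64decode("".join(b.split()), validate=True)).hexdigest()
            for b in PEM_BLOCK.findall(pem_text)]


def check_download(pem_text, pinned=PUBLISHED_SHA1):
    """Gate before install: the file must hold exactly one certificate and its
    fingerprint must be pinned. Returns the pinned name or raises ValueError."""
    prints = sha1_fingerprints(pem_text)
    if len(prints) != 1:
        raise ValueError(f"expected exactly 1 certificate, found {len(prints)}")
    names = {normalize(fp): name for fp, name in pinned.items()}
    if prints[0] not in names:
        raise ValueError(f"fingerprint {prints[0]} is not in the pinned list")
    return names[prints[0]]


def roots_present(bundle_text, pinned=PUBLISHED_SHA1):
    """After the trust store update: report which pinned roots are in the bundle."""
    found = set(sha1_fingerprints(bundle_text))
    return {name: normalize(fp) in found for fp, name in pinned.items()}


if __name__ == "__main__" and len(sys.argv) == 2:
    # Usage: python3 check_root.py downloaded-root.pem
    with open(sys.argv[1], encoding="ascii", errors="replace") as fh:
        print("OK:", check_download(fh.read()))
```

Run check_download on the file before copying it into the anchors directory, and roots_present on the contents of /etc/pki/tls/certs/ca-bundle.crt or /etc/ssl/certs/ca-certificates.crt after the trust store update. For roots from another brand or a private CA, pass your own pinned dictionary built from a fingerprint obtained through a separate trusted channel.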

FAQ

Do I need to redeploy the root certificate after my SSL certificate expires?

  • Generally, no.

    Renewing your server's SSL certificate does not affect the root certificate on the client. For root certificates from trusted CAs pre-installed in mainstream browsers and operating systems, the OS or browser handles updates automatically through its update mechanism. You do not need to manually redeploy them.

  • Redeployment may be required in some cases.

    For clients that require manual installation (such as mobile apps with custom trust stores, standalone Java clients, or IoT devices), you may need to redeploy a root certificate in the following situations:

    • You changed the certificate brand or type (for example, from DV to OV) when renewing your SSL certificate, and the new certificate chains up to a different root.

    • The original root certificate expired, or the CA announced a switch to a new root certificate.

    In these scenarios, you must download the new root certificate that matches your server's certificate chain and manually install it on the affected clients.

How do I install an intermediate certificate?

The process for importing an intermediate certificate is similar to importing a root certificate. Follow the steps in the Install root certificates section of this document, but select the appropriate certificate store for intermediate certificates. In Windows, this is typically the Intermediate Certification Authorities store. In Firefox, import it to the Authorities tab.

Why does my Java client get an HTTPS connection error?

If a Java client cannot access an HTTPS service, the cause is often a missing root or intermediate certificate in the JRE's trust store (cacerts). For troubleshooting and resolution, see Java client fails to access HTTPS.