Trusted roots are the foundation upon which chains of trust are built in CA certificates. Underlying a certificate issued by a certificate authority is a root, self-signed certificate. There can also be intermediate certificates in the chain. In Activator, trusting a CA root means you trust all certificates issued by that CA. Conversely, if you elect not to trust a CA root, Activator does not trust any certificates issued by that CA. Document trading fails in Activator when a non-trusted certificate is used.
The self-signed certificates you can generate in Activator are root certificates. This is because you are, in effect, your own CA when you generate a self-signed certificate. Activator by default trusts the self-signed certificates that it generated for you. Activator also by default trusts the roots of the CA‑issued certificates of a community's partners.
The Trusted root certificates tab in the user interface displays all of the root certificates that your community trusts, including those of certificate authorities.
Activator is pre-loaded with intermediary and trusted root certificates in <install directory>\conf\certs. The pre-loaded roots are not trusted, but are simply available in the certificate store for validating end-entity certificates as they are imported and used.
Importing a trusted root is a task that rarely, if ever, must be performed. You might have to import a trusted root if, for example, your partner sends you a CA-issued certificate and your system does not have the trusted root for it. In such a case, document trading would fail. As a solution, you would need to import the root underlying the certificate and trust it.
Activator can import trusted roots contained in files with the following extensions: .cer, .crt, .der, .p7b and .p7c. Using a directory hierarchy, as Activator does in \conf\certs, is recommended for arranging certificates by issuer.
There are various ways you can obtain such trusted root files:
.p7c. See Export a certificate to a file.
Trusted root certificate files can be imported one by one in the user interface. Alternately, you can copy trusted roots en masse to <install directory>\conf\certs, where the certificates are loaded when the server is restarted. See Auto import intermediate and root certificates.
When you import a trusted root for a certificate to Activator, we recommend that you compare the MD5 fingerprints in both the trusted root and the certificate to verify that they match.
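The following is an added example, not Activator or Axway code: a fingerprint check of the kind recommended above, run on a root file before it is imported. It accepts PEM or raw DER bodies (.cer, .crt, .der; .p7b and .p7c bundles are not handled) and goes slightly beyond the text by also supporting SHA-256. The function names, the expected-fingerprint input and the sample bytes are assumptions constructed for illustration.

```python
import base64
import hashlib
import hmac
import re

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.DOTALL
)

def load_der(data: bytes) -> bytes:
    """Return the DER bytes of a .cer/.crt/.der file body (PEM or raw DER)."""
    match = PEM_RE.search(data)
    if match:
        return base64.b64decode(b"".join(match.group(1).split()), validate=True)
    if data[:1] != b"\x30":  # a DER certificate starts with an ASN.1 SEQUENCE tag
        raise ValueError("not a PEM or DER certificate")
    return data

def fingerprint(der: bytes, algorithm: str = "md5") -> str:
    """Colon-separated upper-case hex digest of the DER encoding."""
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def normalize(fp: str) -> str:
    """Drop separators and case so 'ab:cd', 'AB CD' and 'abcd' compare equal."""
    return re.sub(r"[\s:\-]", "", fp).lower()

def matches(data: bytes, expected_fp: str, algorithm: str = "md5") -> bool:
    """True only if the file's fingerprint equals the expected one."""
    actual = normalize(fingerprint(load_der(data), algorithm))
    return hmac.compare_digest(actual, normalize(expected_fp))

# Constructed stand-in bytes (not a real certificate), in both encodings.
SAMPLE_DER = b"\x30\x0b" + b"constructed"
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    expected = fingerprint(SAMPLE_DER)  # stands in for the value you were given
    print("MD5    ", expected)
    print("SHA-256", fingerprint(SAMPLE_DER, "sha256"))
    print("PEM copy matches:", matches(SAMPLE_PEM, expected.lower()))
    print("altered copy matches:", matches(SAMPLE_DER + b"\x00", expected))
```

The fingerprint is taken over the DER encoding, so a PEM and a DER copy of the same root yield the same value, while a single changed byte does not.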