Adding trusted root certificates

If a certificate authority (CA) that you use to issue TLS certificates trusts other CAs, you can add certificates for those other CAs to TLS Certificate documents. These certificates are referred to as trusted root certificates and allow clients that present them to be authenticated.

About this task

You create trusted root certificate documents in the Trusted Roots view of certstore.nsf and then select them when you generate TLS certificates. Note that several Let's Encrypt® CA trusted roots are provided and added automatically to TLS certificates that are generated by the Let's Encrypt CA.

To add a trusted root certificate:


  1. Open certstore.nsf.
  2. Select the Trusted Roots view.
  3. Click Add Trusted Root.
  4. Copy the certificate to the clipboard and then click Paste Certificate.
  5. Click Submit Request to add the trusted root certificate to the Trusted Roots view.

What to do next

When you request a TLS certificate, select the Security/Keys tab of the TLS Credentials document. In the Trusted Roots field, select the trusted root certificate you added.

You can also add a trusted root certificate to an existing TLS Credentials document. The trusted root certificate is in effect right away.