Ottix Certificate Authority

To avoid paying fees to Symantec/Verisign or one of the other Certificate Authorities Ottix acts as its own certificate authority. The certificates needed for host name validation are created by the "Ottix Software" CA.

The only problem with the "Ottix Software" CA is that nobody will trust the certificates that are signed by it, leading to the dreaded

    This Connection is Untrusted
error message. So we have to get them to trust us...

Firefox/Safari/IE and other browsers have a built-in list of trusted CAs. Ottix Software is not one of them.

Ottix Sofware root certificate

The list below has three different representations of the Ottix Software root certificate that is used to sign all the server certificates in the domain.

To have your browser trust the certificates you need to import the Ottix CA certificate into your browser. The easiest way is to just select the Certificate from the list below and then say "yes" to importing. The other two items in the list are alternate forms of the certificate.


To import the Ottix CA root certificate in Firefox just click on the certificate link. You should then get a pop-up looking like

    You have been asked to trust a new Certificate Authority (CA).

    Do you want to trust "Ottix Software" for the following purposes?
     * Trust this CA to identify websites.
     * Trust this CA to identify email users.
     * Trust this CA to identify software developers.
    Before trusting this CA for any purpose, you should examine its
    certificate and its policy and procedures (if available).
Check all three boxes and then click "OK".

In Firefox you can see Firefox's certificates by selecting

Preferences --> Advanced --> Encryption --> View Certificates

The "Authorities" tab shows the list of trusted CAs. Once you import the Ottix CA root certificate it will show as an "Ottix Software" entry.

The "Servers" tab shows the domain names whose "This Connection is Untrusted" you've said to accept. These added exceptions detail that actual host/domain certificates that you trust soley because you said so. By accepting the Ottix Software CA you will no longer need to do this for any server in the domain.

Internet Explorer (on Windows 7)

Clocking on the Ottix CA root certificate in Internet Explorer gets a pop-up that says

  Do you want to open or save ottixca-cacert.cer (8.03KB)
with choices of "Open", "Save" and "Cancel". Click on "Open" and a "Certificate" pop-up will appear. Clicking on "Install Certificate ..." brings up the Certificate Import Wizard. The automatic option does not add it to the correct certificate store. Select the 'Place' option and browse to the "Trusted Root Certification Authorities" store.

If you added the certificate to the wrong store or just want to verify that you've added it to the correct certificate store then you need to run the "Microsoft Management Console". So click on the Start icon and enter "mmc" (Microsoft Management Console) into the search box. Select

File --> Add/Remove Snap-in...
and move the "Certificates" to the 'Selected snap-ins' side.

The Ottix Software certificate can be found under

Console Root --> Certificates - Current User -->
         Intermediate Certification Authorities --> Certificates
Drag the Ottix Sofware certificate into the
Console Root --> Certificates - Current User -->
         Trusted Root Certification Authorities --> Certificates
You will then get a "Security Warning" pop-up; click 'yes'.


Using Finder go to Applications -> Utilities -> Keychain