Root Certificate Authority

Public Certificate Authority

Unless your browaser already supports DANE, you'll need update your root CA's!.

Click the big certificate below to install the Pacy World TDMC, Inc. root CA n your browser. For a detailed explanation on what this is continue reading.

Most users should only need to install the individual root certificate (Root CA).

Pacy World, TDMC
Root CA

Combined Root & Intermediate or Individual Intermediate

July 2018

Bootstraping the Pacy World Root CA requires manual verification to prevent Man-in-the-Middle attacks. Use the fingerprint below to verify your download.

SHA256 Fingerprint: 22d07a03345496ea9dc3ee767c991117e355405cab8d13e98d192474ef0296ce

Root CA Installation & Verification

FreeBSD (12.2+)

1. Download & Verify:

fetch -qo /tmp/alt_ca.crt \
    http://cdn.pacyworld.com/pacyworld.com/ca/alt_ca-morante_root.crt
sha256 -q /tmp/alt_ca.crt

3. Install:

mv /tmp/alt_ca.crt /usr/share/certs/trusted/alt_ca-morante_root.pem
certctl rehash

FreeBSD One-Liner

fetch -qo /tmp/ca.crt http://cdn.pacyworld.com/pacyworld.com/ca/alt_ca-morante_root.crt && [ "$(sha256 -q /tmp/ca.crt)" = "22d07a03345496ea9dc3ee767c991117e355405cab8d13e98d192474ef0296ce" ] && mv /tmp/ca.crt /usr/share/certs/trusted/alt_ca-morante_root.pem && certctl rehash || echo "FAILED"

Debian / Ubuntu

1. Download & Verify:

wget -qO /tmp/alt_ca.crt \
    http://cdn.pacyworld.com/pacyworld.com/ca/alt_ca-morante_root.crt
sha256sum /tmp/alt_ca.crt

2. Install:

sudo mv /tmp/alt_ca.crt /usr/local/share/ca-certificates/alt_ca-morante_root.crt
sudo update-ca-certificates

Fedora / RHEL / CentOS / Rocky Linux

curl -so /tmp/alt_ca.crt \
    http://cdn.pacyworld.com/pacyworld.com/ca/alt_ca-morante_root.crt
sha256sum /tmp/alt_ca.crt
sudo mv /tmp/alt_ca.crt /etc/pki/ca-trust/source/anchors/alt_ca-morante_root.crt
sudo update-ca-trust extract

MacOS

1. Download and Verify:

curl -so ~/Downloads/alt_ca.crt \
    http://cdn.pacyworld.com/pacyworld.com/ca/alt_ca-morante_root.crt
shasum -a 256 ~/Downloads/alt_ca.crt

2. Install to System Keychain:

sudo security add-trusted-cert -d -r trustRoot -k \
    /Library/Keychains/System.keychain ~/Downloads/alt_ca.crt

Other Linux (or older FreeBSD)

Users of these older operating systems can add the above certificates to the local /etc/ssl/cert.pem file.

Windows

Microsoft Windows 10/11 users can instead download and run the following update package. (note, you will get a TLS certificate error)

pacyworld-root-ca.ppkg

1. Download and Verify the Package:

$url = "http://cdn.pacyworld.com/pacyworld.com/ca/pacyworld.ppkg"
$path = "$env:USERPROFILE\Downloads\pacyworld.ppkg"
Invoke-WebRequest -Uri $url -OutFile $path
Get-FileHash -Algorithm SHA256 $path

2. Verify Hash Integrity:

PPKG SHA256: 221D9FC9E23A8B732374507C1D5F484128D361B2805315CBA41831AF23B5B085

3. Installation:

Double-click the pacyworld.ppkg file in your Downloads folder.
When the "Is this package from a source you trust?" prompt appears, click Yes, add it.
This will automatically install and trust the Root CA.

Android (7.0+)

Note: Android requires manual installation through System Settings.

Download: Tap to download the Root CA Certificate.
Verification:
Open the downloaded file with your system's "Certificate Installer." Before tapping install, select View Details and verify the SHA-256 fingerprint matches:
22:D0:7A:03:34:54:96:EA:9D:C3:EE:76:7C:99:11:17:E3:55:40:5C:AB:8D:13:E9:8D:19:24:74:EF:02:96:CE
Install:
- Follow the prompts: Open Settings > Security > Advanced (or Encryption & credentials or More Security).
- Tap Install from storage (or "Install a certificate").
- Select CA certificate
- Select the downloaded alt_ca-morante_root.crt file
- If a warning appears, tap Install Anyway

Warning: Some older versions of Android have a bug and will display "Your network may be monitored.". It safe to ignore the misleading incorrect message.

Older Android

If you are installing the Pacy World Root CA on Firefox for Android tap the icons below:


Pacy World Legacy Root July 2015	Pacy World, TDMC Root CA July 2018

iOS (iPhone / iPad)

Note: You must complete all three steps for the certificate to work.

Download: Tap to download the Root CA Profile. Tap Allow.
Verify Fingerprint:
- Go to Settings > Profile Downloaded.
- Tap More Details.
- Under FINGERPRINTS, ensure the SHA-256 matches:
  22d0 7a03 3454 96ea 9dc3 ee76 7c99 1117 e355 405c ab8d 13e9 8d19 2474 ef02 96ce
Install & Trust:
- Tap Install (top-right). Enter passcode and confirm.
- Go to Settings > General > About > Certificate Trust Settings.
- Toggle Pacy World Root CA to ON.

Detailed Explanation

If you are having problems loading web pages and the error message is similar to "This connection is Untrusted", then your web browser does not support DANE and is missing root certificates.

Connection is Untrusted

A website that uses encryption to protect your privacy and sensitive information relies on something called a TLS certificate chain in order to validate the content is indeed from the original source.

Unfortunately due to the design of the current implementation of TLS certificates, many web browsers are highly dependant on centralized entities called "Certificate Authorities" (CA) to make this work. It's impossible for a web browser vendor to a pre-load every CA in existence, your browser vendor may simply not know about them.

DANE which stands for "DNS-based Authentication of Named Entities", is a technology that decentralizes the validation of a TLS certificate chain. Thus removing the need for software like a web browser to have to keep a local store of Root CA's. This is still a new emerging technology and not all browsers support it as of 2024.

It's up to you (the end user) to install any missing CA's so that you can properly open web pages. You may also want to kindly send a note to your browser vendor informing them of the CA's they missed so that other users won't have to go through the same trouble you did. Usually this is done in the form of a bug report or support ticket.

Your website will like it here®