[alcari]

It's scary how easy it is to add new roots on all major platforms. You just click on the CA link and get a response with the appropriate MIME type back, then:

* Windows gives you a helpful little wizard wherein you click "next" a few times.

* Firefox gives you a dialog with 3 checkboxes; check them and click okay.

* iOS sends you to settings, and asks you if you want to trust the given CA.

* OS X hands it to Keychain Access, where you have to select 'trust' from a dropdown and maybe enter a keychain password; it's a bit less intuitive.

* Chrome uses the OS trust store, so it hands it off to the OS while claiming it's a dangerous filetype.

[kojoru]

You're incorrect about Windows. If you just click next several times the cert will not be added to trusted. To do that you'll have to override default settings in a non trivial way (deselect "Choose cert store automatically" and select the correct cert store) on one of the steps

I'm sure that's intentional design

[alcari]

Maybe it changed at some point (8?), or my memory's fuzzy. I haven't looked at it in several years.

Either way, trusting a root CA generally looks far less threatening than the self-signed certificate warnings.