The browser warning is the point.

Why your browser warned you

Every HTTPS website you visit is signed by a certificate authority (CA) that your browser trusts by default. The browsers ship with a list — Chrome, Firefox, Safari, and Edge all trust roughly the same 200 CAs out of the box. Almost all of them are foreign-owned: Let's Encrypt (US, ISRG), DigiCert (US), GlobalSign (Belgium and Japan), Sectigo (UK), Google Trust Services (US).

AloomU's thesis is that an Australian sovereign cloud cannot delegate its cryptographic identity to a foreign-owned authority. The same root key that signs aloomu.au's TLS certificate signs every workload's per-deploy attestation artefact — the load-bearing crypto behind the service we sell. If a foreign authority signed our public surface, every customer who took our attestation seriously would have to ask why we trust ourselves more than we trust our own marketing site.

So we run our own root CA, our own intermediate CA, our own end-entity certificates. The root signs only the intermediate. The intermediate is name-constrained to *.aloomu.au, *.aloomu.com, *.aloomu.com.au, and *.aloomu.io. The intermediate signs end-entity certificates with 90-day validity, ECDSA-P384 keys.

Browsers don't ship with the AloomU root in their trust store, and they shouldn't — we haven't been audited under WebTrust for CAs, we don't pay the seven-figure annual cost to be in the public list, and we're not asking the browser vendors to trust us by default. We're asking you to trust us, after you've verified the cert fingerprint matches what's published below.

This is what sovereign trust actually looks like: explicit, verified, owned. The browser warning is the moment the abstraction becomes concrete. We could have skipped it by buying a foreign-rooted certificate for $0 a year. We chose not to.

Installing the AloomU root CA

Once installed, every browser on your device trusts aloomu.au and our sibling domains by default — no more warnings.

Step 1 — Download the root certificate

aloomu-root-ca.pem (2 KB, PEM format)

Step 2 — Verify the fingerprint before installing

Open a terminal and run:

openssl x509 -in aloomu-root-ca.pem -noout -fingerprint -sha256

The output should match exactly:

SHA256 Fingerprint=41:13:79:E3:2B:1D:C1:5E:7D:63:AF:AE:10:83:2E:87:63:64:1F:81:25:07:AE:5C:A6:82:23:71:CE:8C:5B:EC

Don't trust the website's word for the fingerprint — verify the published fingerprint at /.well-known/aloomu-ca-fingerprint.txt matches what's printed on this page, and that both match what your local openssl command says about the file you just downloaded. If any of them differ, do not install. Contact admin@aloomu.au.

Step 3 — Install per your operating system

Windows

1. Right-click aloomu-root-ca.pem → Install Certificate.
2. Select Local Machine (requires admin) → Next.
3. Select Place all certificates in the following store → Browse → Trusted Root Certification Authorities → OK.
4. Next → Finish. Confirm the security warning that displays the AloomU fingerprint.

This trusts AloomU for Edge, Chrome, and any application that uses the Windows certificate store. Firefox uses its own store — see below.

macOS

1. Double-click aloomu-root-ca.pem to open it in Keychain Access.
2. Select the System keychain (or Login for current-user only).
3. Find AloomU Root CA 2026, double-click it.
4. Expand Trust, set When using this certificate to Always Trust. Close (you'll be prompted for your password).

This trusts AloomU for Safari, Chrome, and Edge. Firefox uses its own store.

Firefox (any OS)

1. Open Firefox → Settings → Privacy & Security → scroll to Certificates → View Certificates.
2. Import → select aloomu-root-ca.pem.
3. Tick Trust this CA to identify websites. OK.

iOS

1. Email or AirDrop aloomu-root-ca.pem to your device. Tap to install.
2. Settings → General → VPN & Device Management → install the AloomU profile.
3. Settings → General → About → Certificate Trust Settings → toggle AloomU Root CA 2026 to ON.

Android

1. Download aloomu-root-ca.pem to your device.
2. Settings → Security (or Encryption & credentials) → Install a certificate → CA certificate.
3. Select the downloaded file. Confirm.

On modern Android (10+), apps must opt-in to user-installed CAs in their network security config. Browsers do; many apps don't. AloomU's surface is web-only today, so this is sufficient for visiting our sites.

Linux (system-wide, Debian / Ubuntu)

sudo cp aloomu-root-ca.pem /usr/local/share/ca-certificates/aloomu-root-ca.crt
sudo update-ca-certificates

Verifying the cert chain after install

After installing, visit https://aloomu.au in a fresh browser tab. The padlock should display green (or whatever your browser uses for "secure"), and inspecting the certificate should show:

• Issued to: aloomu.au
• Issued by: AloomU Intermediate CA 2026
• Issuer of intermediate: AloomU Root CA 2026
• Root cert SHA-256: matches the fingerprint above

Three layers, all AloomU. No foreign authority in the chain. That's what 100% Australian-owned means at the cryptographic layer.

Don't trust us blindly

A sovereignty pitch is worth what its verification mechanism is worth. The AloomU root certificate is published; the fingerprint is published; the openssl verification command is documented above. If anything we publish doesn't match what your local tools say, contact admin@aloomu.au immediately. Sovereign cryptography survives only if it's verified, not assumed.

For deeper technical context: the cert chain we serve, the AloomU CA architecture, the per-deploy attestation product that uses the same root key, and the security threat model are documented at our public infrastructure repository (link to be published when our self-hosted Forgejo at git.aloomu.au opens for public read access — currently in build).

Stage-0 disclosure

AloomU is at Stage-0 lab posture as of 2026 May. The root certificate was generated on the operator's workstation rather than on dedicated air-gapped hardware. Production-grade ceremony — fresh root key generated on an air-gapped machine, two cold-storage copies on encrypted media at separate physical locations, the operator workstation never seeing the root again — lands when the Macquarie Data Centres Sydney production substrate commissions in 2026 Q4 (charter milestone M6). The current root cert will be retired and replaced at that point.

Customers and visitors who install the current root accept that disclosure. The architectural pattern (own CA, name-constrained intermediate, short-lived end-entity certs, published fingerprint) does not change at M6 — only the ceremony rigour does.