Team Reports 2020/2021

Team Leaders are encouraged to present a report for their team. (alphabetic order)

19 = Text from 2019 or 2020, please replace!

AffiliateProgramme – Hotel-buchen-Portal

This webshop with T-shirts, caps, mugs and more is run by secureU, a partner association of CAcert in Germany. The benefit is sent to us or used to pay bills for us. (Ru)


Since April 2018, CAcert has Amazon Affiliates links. Unfortunately, there are different links for each different language/shop:


On the wiki, we have Google Ads in the top corner. To help CAcert, please allow your adblocker to show these ads. They are small, discreet and do not disturb you while writing or reading on the wiki.




Audit Team

Critical System Administrator Team

On-site work

Outages of critical hard/software

Day to day operation

Regular system administration activities resulting in site visits or software updates of one or more of the critical systems are dutifully reported on the public systemlog mailing list with archives kept at . We refer the interested reader to those resources rather than duplicating or summarizing the information here.

Current status

Future outlook

To avoid any outages of the critical infrastructure, there is a decision to activate sun1 again and to add a second signer machine (hot standby) to the environment.

But without a fully functioning CAcert software development team, no changes to the application code have occurred in the past three years. Thus the CAcert application (written in PHP) is locking CAcert into an old and soon obsolete version of the Debian OS. In April 2018 we did complete the upgrade of the webdb server to Debian Jessie, the "oldstable" release from Debian. As predicted in last year's report, this causes a permanent stream of PHP warning messages in the Apache logfiles, because the application code is using obsolete constructs. But an upgrade to Debian Stable is not possible with the current PHP code base, due to its dependency on an obsolete MySQL database interface layer, which is no longer supported in the PHP version bundled with Debian Stretch, the current Debian Stable.

Without the ability to upgrade the application platform to a well-maintained version of Debian, the Critical System Administrator Team will be unable to take responsibility in the near future for the safe and correct operation of CAcert's main server, the web application and database server. (da)

Access Team

As all access team members were limited due to corona restrictions, a new member (without self-standing access) was temporarily added to the team, so necessary maintenance tasks and the replacement of the signer machine were possible in May. (da)



Currently the events team is quite small; any help for the events team is appreciated. (da)


A new (refurbished) server was offered in 2020 by The server has been moved to the datacenter in EDE and is now running as infra03.

Infra03 provides the new service for internal document sharing. A MariaDB and a PostgreSQL instance have been set up on infra03. MariaDB is used as the backend database for Nextcloud, and the PostgreSQL instance is planned for an ORY Hydra based OAuth2/OIDC authentication service.

The plan to implement a mutual backup of infra02 and infra03 is still work in progress.

Several virtual infrastructure servers had been updated to more recent software and added to Puppet.

Attempts to get more people on board in the infrastructure team failed, due to missing interactions. Operations of most systems run smoothly due to a high grade of automation and well established monitoring. (jd)

New Root & Escrow Project (NRE)

Organisation Assurance Team

Policy Group

Policy Group mainly discussed and agreed to the amendment of the policies in connection with the amendment of the Articles of Association. It was about editorial change (removing the mention of the place or country where CAcert Inc has the registered office) in the following policies: CCA, RDL, Privacy Policy, CPS, CP, DRP. (Ru/21)


Software Development Team

There are some changes in the queue currently to add a serial number to the CRL and to reduce the size of the CRL.

But ... the number of software team members is quite low; we're in urgent need of ABCed software assessors. (da)

A serious issue with non-Western character sets has been discovered (after the end of financial year 20/21) and analyzed after an endless loop of the signer. Characters outside of ISO-8859-1 cannot be handled by the PHP code, the MySQL database and the signer software parts. A full rewrite to support UTF-8/Unicode in all parts of the code that touch any text that could end up in certificates is required to make the software usable for anybody who has a non-ISO-8859-1 name. There is a patch available to at least mitigate the signer crash. Unfortunately the patch is missing reviews and has not been applied to the production system yet.

There have been attempts to allow a modern way to create client certificate requests in current browsers using client-side JavaScript libraries for key and CSR generation. The implementation needs a few changes to the existing CAcert PHP software to allow the submission of the signing requests. They will also require proper UTF-8 support, though, or they will break for anybody with non-ISO-8859-1 characters in the name too.

Progress on other patches like the PHP 7 compatibility fixes has stalled due to missing reviews/testing.

A suggested reimplementation of the CAcert software will only make sense if we find enough people who will do reviews/QA/documentation/test automation. (jd)

Support Team

Triage is doing its work very well; sometimes they add a note to incoming tickets, so support team members can use this as an answer to the member. (da)

Translation / Localisation

CATS is now available in Czech. A French translation is waiting for review (for several months now).

Finance Team

secure-u e.V.