česky | deutsch | english | español | français | nederlands

CAcert Assurer Challenge

Have you passed the Assurer Challenge yet?

The Assurer Challenge is now open!

Read below to find out how to pass!

Introduction to the Assurer Challenge

To meet the increased demands on quality assurance due to the CAcert Systems Audit, which is needed to be included in Mozilla's browsers, CAcert has decided to initiate a Challenge for all Assurers.

Assurer Requirements

In addition to new Assurers, all existing assurers have to pass the Assurer Challenge in order to keep their status.

  1. Get a client certificate (see below)
  2. Then go to Assurer Challenge

If you don't have an appropriate certificate you won't get to the challenge page, as your browser will say it was "unable to negotiate an acceptable set of security parameters".

The goal of the test is to give Assurers some basic knowledge about the process of assurance, technical aspects of certificates, as well as some information about CAcert itself and computer security in general.

How to Approach the Assurer Challenge

There are different ways to tackle the test. The preferred one is to have a thorough look at the AssuranceHandbook2, and maybe Assurer Training (english, PDF Version). Those documents should contain enough information to pass the test. Also note that our new Assurance Policy is the guide for the Handbook and all other Assurance practice; it's worth a quick skim.

Nevertheless you should not expect to pass the test on your first attempt (indeed, it is designed to be hard to pass at the first attempt). There are some unusual questions and answers included, and the questions and answers are the subject of continual quality improvement. When you have reached the end of your attempt, the test will debrief you with all the questions answered -- correctly and incorrectly. This is your chance to prepare for another attempt.

You can try the Assurer Challenge as often as you like, even after having passed, and you can make a new try immediately after you got the result of the last one. Some people even like to retry until they get perfect scores!

If you have suggestions for improvement, or if you don't understand the answer to a question send a mail to cacert-education@lists.cacert.org , just to see if we indeed made a mistake or if we can give you an explanation.

Accessing the test --> Get a Client Certificate

Have you passed the Assurer Challenge yet?

The Assurer Challenge uses your CAcert client certificate!

Certificates are part of the challenge!

To access the test page you will need a valid client certificate signed by CAcert. If you don't know how to handle client certificates you should start with the ClientCerts page of this wiki. Setting up a client certificate in your browser is considered part of the test about technical aspects. ;)

Once you have installed the client certificate you can log in to CATS by clicking Login (top right). At the first login the details of your client certificate are shown for verification (top right). You can click on Info (top right) to see more details within the client certificate.

Note: If you want a printed or PDF Certificate for passing the test please remember to use a digital client certificate that includes your name, since the name in the printed/PDF Certificates will be taken from the digital client certificate you use to login to CATS.

Go for it

Have you passed the Assurer Challenge yet?

Try the Assurer Challenge now!

Quick pre-conditions: (a) check out the Handbook, (b) install your cert (c) spend 5 minutes!

If you feel confident, and you have your client certificate installed in your browser, just give it a try at https://cats.cacert.org/

Certificate Troubles

e.g. Safari, possibly Chrome, ...

Safari, and possibly Chrome, has an implementation quirk that doesn't ask your permission to use your installed certificate on the default URL. Please try https://cats.cacert.org/requirecert instead.

Class3 vs Class1 Certificates

A bug in CATS preventing login with some Class 3 certificates has been fixed, so both types of certificates can be used for login.

Other languages

A german version of the Challenge is available, dutch translation has been started but still needs a bit of work.

If you want to help translating the Challenge into your preferred language please ask at the education mailing list.

Doing the Assurer Challenge

Once you are successfully logged in, you can either start a test or have a look at your learning progress.

  1. Click on the Tests button (upper left).

  2. select the kind of test on the right hand side. Currently there is only the English version available, but others are coming.
  3. Click start test to open the questionnaire.

Note to Firefox Users: If you cannot find the Tests button then increase the width of your browser window. Firefox only shows all of the buttons if there is enough room.

There are three different kind of questions.

If you think you have answered all questions you should press "evaluate test" at the bottom of the questionnaire.

Transfer of results to main site

If you pass the test, the results will be sent to the main site. If you fulfill all other requirements (that is, your have already collected 100 Assurance Points) your account is automatically marked as an Assurer account, but this may need a bit of time.

Please wait at least 10 minutes after completing the test before asking for help.

Certificate of Achievement

CAcert offers to send you a signed document once you are a full Assurer, that is, you have passed the Challenge and have collected at least 100 Assurance Points. This document provides evidence that you are an Assurer, and it may help you with employment possibilities in the IT or security area. Or it may just look nice at your office wall.

You can ask for an electronic document (a PDF file) or a paper document (mailed).

Both kinds of documents are handled manually, so please be patient. Give us a week or two before nagging us.

Electronic (PDF) Document

The Electronic Document is in PDF form, and contains a digital signature by the CAcert representative authorised to sign education certificates (EducationOfficer). This digital signature can be verified by someone who holds the digital copy of the PDF, or you can print it out yourself.

Electronic Documents are free, but they have to be manually processed, so you might have to wait a week till you receive it.

Paper Document

Although a self-printed document is nice, a personally-signed piece of high quality paper is even better.

Unfortunately there are costs involved in handling such a document (for paper, ink and, most of all, postage). If you want a Paper Document we ask you for a donation of about 5 EUR for mailing expenses.

See http://www.cacert.org/index.php?id=13 on how to donate, or use the Donate button after passing the test.

How to request your document

To request a printed/PDF documents, send a S/MIME-signed mail to education@cacert.org . The signature has to be created by the same certificate you used to log in (so we can match the serial number with the number stored within CATS).

If you cannot use the certificate for S/MIME signing you may also include the certificate file into your mail. You can download the certificate file from your CAcert account using the following procedure:

Login to your CAcert account->Client Certificates->View->Click the mail adress of the Certificate->Save Link Target of the "Click here"-Link. Don't just click it, because then your browser probably tries to install the certificate, which will fail because it probably already is installed.

If you want a printed Certificate the email has to include your postal address.

The reasons for this procedure are security and privacy, as further explained below in the Technical Desiderata. This procedure is once more explained in a page which can be displayed after you did pass a test.


Q: I have more than one client certificate. How can I decide with which client certificate to use to login?

A: you should pick one and stick to it because CATS uses that certificate (its serial number) to maintain your history of testing.

The certificate for login is generally chosen by the browser, based on information from the server which CAs are accepted. If you have more than one acceptable certificate installed, most browsers are configured by default to "automatically" select a certificate to present to the server. And believe me, most time it's the wrong one! ;)

With more than one certificate installed, especially if they are issued by the same CA with different content (e.g., name included or not) you should configure your browser to ask which certificate it should present.







Extras -> Einstellungen -> Verschlüsselung -> Zertifikate

"Jedes Mal fragen"


English MacOSX

Preferences -> Advanced -> Encryption

"Ask me every time"


Spanish GNU/Linux

Editar-> Preferencias-> Avanzado-> Cifrado

"Preguntar siempre"



also has this setting somewhere in its setup...


If this setting is active you'll have to chose the certificate you want to present each time the server asks (which can be annoyingly often).

Q: Why can't I just enter my name?

A: Because we need proof that you are a CAcert member, which can easily be provided by a CAcert certificate.

Q: I can't see the buttons you are talking about.

A: On Firefox, enlarge your window. It hides buttons if there is not enough room.

Technical Desiderata

Q: What's the technical story?

A: The Assurer Challenge is hosted on the new CATS (CAcert Automated Testing System) server. The PHP system is written and managed by the EducationCampus.

Q: Why is it a separate system? Why not in the main system?

A: It is bad security practice to pump as much stuff into the main critical systems. By putting the the CATS system outside, we ease the load of maintaining, securing and auditing the main critical systems.

Q: What data can be compromised?

A: The only necessary information held within the CATS server is the certificate serial number, which by the nature of (public key) certificates is public information.

Q: Does that mean CATS is less secure than the main system?

A: Since only the certificate serial number stored on the server, it means that CATS can be designated as a non-critical system. By declaring CATS as non-critical our load in securing and managing it is much lower.

Q: What about my name?

A: If you want a (PDF or paper) document of achievement, then we need the certificate you used to login to the Challenge. One easy way to transmit the cert is to send us a mail signed by it. We'll take the name for the document from the certificate.

Q: What about my address?

If you want a paper certificate as proof, then your address will be collected for that mailing only. For security, this is currently managed outside CATS by the EducationOfficer.

Q: Assurer challenge login fails. What can I do?

A: There are occasional complaints that certificates signed by the Class 3 root have problems logging in to CATS. We still cannot say what causes this problem, so if you want to be on the safe side you should use a Class 1 certificate.

Q: Where on the website I can find my assurers state?

A: There are two methods that signals you about your assurers state:

  1. Right handed menu
    • + CAcert Web of Trust
    • ..
    • Assure Someone <===== addtl. menu option if you are an assurer (otherwise hint for assurer challenge)

  2. Right handed menu
    • + My Details
    • - My Points
    • then the link on the top "new calculation" (this links to https://secure.cacert.org/wot.php?id=15)

    • In the 2nd table "Summary of your Points", Last row in column "Remark" gives a hint that the assurer state has been enabled and how many assurance points you can issue as an assurer. Otherwise this field indicates which setting didn't fulfill the to be an assurer requirements
      • State: Is Assurer

        * "You may issue up to # points"
          This is the text you can read if you have reached the assurer state
          state assurer: reached
      • State: Is Not an Assurer

        * "Points on hold due to less assurance points"
          this means, you have passed CATS test, and have old Thawte points
          that will be removed in the Thawte Points Removal procedure 
          (in the near future) but did not yet re-earned enough assurance points
          state assurer:  not yet, one requirement missing
        * "You have to pass the CAcert Assurer Challenge (CATS-Test) to be an Assurer"
          you have received the 100 assurance points requirement to be an assurer
          but didn't yet passed the CATS test
          state assurer:  not yet, CATS test not passed yet
        * "You need # assurance points and the passed CATS-Test to be an Assurer"
          at least the assurance points level requirement isn't yet fulfilled
          to be an assurer:
          assurer state: not yet, at least missing assurance points

AssurerChallenge (last edited 2015-08-15 11:14:45 by AlesKastner)