česky | deutsch | english | français | italiano | nederlands | 中文|| English home page

Frequently Asked Questions (FAQ)

Contents

Frequently Asked Questions (FAQ)

CAcert: what, why, how

Account

Arbitration, Audit, Policies

Assurance

Assurance Introduction and Assurance Program
Assurance Details: How can I get CAcert Assurance Points (APs) ?
Assurer Training Events
Risks, Liabilities, Obligations and R/L/O Details
Assurance Handbook (Individuals)
Organisation Assurance Manual
Assurer Challenge Test
I seem to have lost my Assurer status
How many points do I need to do ... (Privileges)
Assurance by CAP (Individual Assurance)
Assurance Information For CAP
Assurance Prefilled Forms
New TTP-assisted-assurance program
- (obsolete: Assurance by TTP-assisted-assurance, Assurance Information For TTP, and TTP Availability)
Assuring People
Assurance with Password Recovery
Assuring Organisations
Admin Left the Company (Org Assurance)
Thawte points to be revoked - New points counting (Thawte patch)

Certificates

Certificates overview
Suggested Key Sizes for the future
Weak Keys System check
Certification Practise Statement (CPS)
Types of certificate validation
Certificate icons used by Windows and file suffixes
Domain Owner
How The Ping Test Works
Certificate chain and its construction algorithm checking whether it is trusted
CAcert Roots - contents and structure
Add a new e-mail address to my cacart account in the web interface

New Root Certificates

Because they are nowadays actively disabled by operating systems and applications, older MD5 signed certificates are not of any help to access a website with HTTPS. As a rule of thumb, this is generally by now a poor idea to download and install any certificate with "MD5" labelled on it. Deprecation of MD5 algorithm for PKI purposes started in 2011; since the end of 2016, MD5 cannot be used at all for X.509 operations.

In order to address this challenge, CAcert re-signed its Root CA and Class 3 Root certificates, with the modern and secure SHA256 hash function. CAcert's Root SHA256-signed certificates remained otherwise unchanged (same keys, same validity period), exceptions being an updated serial number and the new signature. They are fully compatible with all certificates issued by CAcert previously.

The page gives here below access to both "refreshed" SHA256-signed and "legacy" MD5-signed Root certificates. Please, consider not making use any more of the later in any production-like environment.

Want to smoothly replace an obsolete MD5 signed certificate by an up-to-date SHA256 signed one ? The procedure is here.
How can I import the root certificate? See Import Root Cert, Browser Clients, and e-Mail Clients
SHA256 CAcert root signed using the SHA256 algorithm: for Windows - PEM format, for OS.X, iOS and Linux - PEM format, binary - DER format
- Class 1 root, signing algorithm SHA256, serial number 00000F
  - fingerprint SHA1 = ‎dd:fc:da:54:1e:75:77:ad:dc:a8:7e:88:27:a9:8a:50:60:32:52:a5
    Important note: After you have installed the SHA256 signed CAcert root certificate (#00000F), don't forget to delete the MD-5 signed CAcert root certificate (#000000)!
SHA256 CAcert Intermediate root signed using the SHA256 algorithm: for Windows, for OS.X, iOS, and Linux - PEM format, binary - DER format
- Class 3 root, signing algorithm SHA256, serial number 00000E
  - fingerprint SHA1 = ‎A7:C4:8F:BE:6B:02:6D:BD:0E:C1:B4:65:B8:8D:D8:13:EE:1D:EF:A0
    Note: After you have installed the SHA256 signed CAcert root certificate (#00000E), don't forget to delete the CAcert Class 3 Intermediate root certificate (serial #0A418A).
SHA256 CAcert Roots in one package, valid at 01.12.2018: CAcert_chain_X0F_X0E.pem, contains roots:
- Class 1 Root, signing algorithm SHA256, serial number 00000F
  - fingerprint SHA1 = ‎DD:FC:DA:54:1E:75:77:AD:DC:A8:7E:88:27:A9:8A:50:60:32:52:A5
    Important note: After you have installed the SHA256 signed CAcert root certificate (#00000F), don't forget to delete the MD-5 signed CAcert root certificate (#000000)!
- Class 3 Root, signing algorithm SHA256, serial number 00000E
  - fingerprint SHA1 = ‎A7:C4:8F:BE:6B:02:6D:BD:0E:C1:B4:65:B8:8D:D8:13:EE:1D:EF:A0
    Note: After you have installed the SHA256 signed CAcert Class 3 root certificate (#00000E), don't forget to delete the CAcert Class 3 Intermediate root certificate (#0A418A).

$/!\$ obsolete: $/!\$ CAcert Roots in one package, valid at September 04, 2015: CAcert_chain.pem, contains roots:
- Class 1 Root, signing algorithm MD-5, serial number 000000; disabled by main browsers and operating systems since 20170101
  - fingerprint SHA1 = 13:5C:EC:36:F4:9C:B8:E9:3B:1A:B2:70:CD:80:88:46:76:CE:8F:33
- Class 3 Root, signing algorithm SHA256, serial number 0A418A
  - fingerprint SHA1 = AD:7C:3F:64:FC:44:39:FE:F4:E9:0B:E8:F4:7C:6C:FA:8A:AD:FD:CE
Where can I find the root certificate in a format that is suitable to append it to /usr/share/ssl/certs/ca-bundle.crt?
- SHA256 cacert-bundle_X0F_X0E.crt - Class 1 (#00000F) and Class 3 (#00000E), both SHA256 signed
  Important note: After you have installed the SHA256 signed CAcert root certificate (#00000F), don't forget to delete the MD-5 signed CAcert root certificate (#000000)! Note: After you have installed the SHA256 signed CAcert Class 3 root certificate (#00000E), don't forget to delete the CAcert Class 3 Intermediate root certificate (#0A418A).

$/!\$ obsolete: $/!\$ cacert-boundle.crt - Class 1 (#000000) and Class 3 (#000001) certificates, both MD-5 signed); disabled by main browsers and operating systems since 20170101

SHA256 Installable package for Windows - CAcert_Root_Certificates_X0F_X0E.msi - Class 1 (#00000F) and Class 3 (#00000E) certificates, both SHA256 signed - procedure