• FAQ

• česky | deutsch | english | français | italiano | nederlands | 中文|| English home page

Frequently Asked Questions (FAQ)

CAcert: what, why, how

• CAcert - About us

• You and CAcert

• What does all this make sense?

• Common questions

• More about CAcert

• How can YOU help CAcert?

Account

• Problems and Questions about the CAcert Registration Process

• How To Enter Names In Join Form (create an account)

• How to manage the Certificate Login

• How can I recover my lost Password or Account Name?

• How To Terminate and How can I remove my CAcert Account?

• How can I generate a safe password?

• How To Change Your Name in your account

• How To Change Your Date of Birth in your account

Arbitration, Audit, Policies

• Member's FAQ on Arbitration

• Arbitration Forum

• Internal Audit

• Policies & FAQ on Policies

• Understanding the User Privacy Policy valid in EU & EEA

Assurance

• Assurance Introduction and Assurance Program

• Assurance Details: How can I get CAcert Assurance Points (APs) ?

• Assurer Training Events

• Risks, Liabilities, Obligations and R/L/O Details

• Assurance Handbook (Individuals)

• Organisation Assurance Manual

• Assurer Challenge Test

• I seem to have lost my Assurer status

• How many points do I need to do ... (Privileges)

• Assurance by CAP (Individual Assurance)

• Assurance Information For CAP

• Assurance Prefilled Forms

• New TTP-assisted-assurance program

  • (obsolete: Assurance by TTP-assisted-assurance, Assurance Information For TTP, and TTP Availability)

• Assuring People

• Assurance with Password Recovery

• Assuring Organisations

• Admin Left the Company (Org Assurance)

• Thawte points to be revoked - New points counting (Thawte patch)

Certificates

• Certificates overview

• Suggested Key Sizes for the future

• Weak Keys System check

• Certification Practise Statement (CPS)

• Types of certificate validation

• Certificate icons used by Windows and file suffixes

• Domain Owner

• How The Ping Test Works

• Certificate chain and its construction algorithm checking whether it is trusted

• CAcert Roots - contents and structure

New Root Certificates

• Want to smoothly replace an obsolete MD5 signed certificate by an up-to-date SHA256 signed one ? The procedure is here.

• How can I import the root certificate? See Import Root Cert, Browser Clients, and e-Mail Clients

• SHA256 CAcert root signed using the SHA256 algorithm: for Windows - PEM format, for OS.X, iOS and Linux - PEM format, binary - DER format

  • Class 1 root, signing algorithm SHA256, serial number 00000F

    • fingerprint SHA1 = ‎dd:fc:da:54:1e:75:77:ad:dc:a8:7e:88:27:a9:8a:50:60:32:52:a5
      Important note: After you have installed the SHA256 signed CAcert root certificate (#00000F), don't forget to delete the MD-5 signed CAcert root certificate (#000000)!

• SHA256 CAcert Intermediate root signed using the SHA256 algorithm: for Windows, for OS.X, iOS, and Linux - PEM format, binary - DER format

  • Class 3 root, signing algorithm SHA256, serial number 00000E

    • fingerprint SHA1 = ‎A7:C4:8F:BE:6B:02:6D:BD:0E:C1:B4:65:B8:8D:D8:13:EE:1D:EF:A0
      Note: After you have installed the SHA256 signed CAcert root certificate (#00000E), don't forget to delete the CAcert Class 3 Intermediate root certificate (serial #0A418A).

• SHA256 CAcert Roots in one package, valid at 01.12.2018: CAcert_chain_X0F_X0E.pem, contains roots:

  • Class 1 Root, signing algorithm SHA256, serial number 00000F

    • fingerprint SHA1 = ‎DD:FC:DA:54:1E:75:77:AD:DC:A8:7E:88:27:A9:8A:50:60:32:52:A5
      Important note: After you have installed the SHA256 signed CAcert root certificate (#00000F), don't forget to delete the MD-5 signed CAcert root certificate (#000000)!

  • Class 3 Root, signing algorithm SHA256, serial number 00000E

    • fingerprint SHA1 = ‎A7:C4:8F:BE:6B:02:6D:BD:0E:C1:B4:65:B8:8D:D8:13:EE:1D:EF:A0
      Note: After you have installed the SHA256 signed CAcert Class 3 root certificate (#00000E), don't forget to delete the CAcert Class 3 Intermediate root certificate (#0A418A).

• obsolete: CAcert Roots in one package, valid at September 04, 2015: CAcert_chain.pem, contains roots:

  • Class 1 Root, signing algorithm MD-5, serial number 000000; disabled by main browsers and operating systems since 20170101

    • fingerprint SHA1 = 13:5C:EC:36:F4:9C:B8:E9:3B:1A:B2:70:CD:80:88:46:76:CE:8F:33

  • Class 3 Root, signing algorithm SHA256, serial number 0A418A

    • fingerprint SHA1 = AD:7C:3F:64:FC:44:39:FE:F4:E9:0B:E8:F4:7C:6C:FA:8A:AD:FD:CE

• Where can I find the root certificate in a format that is suitable to append it to /usr/share/ssl/certs/ca-bundle.crt?

  • SHA256 cacert-bundle_X0F_X0E.crt - Class 1 (#00000F) and Class 3 (#00000E), both SHA256 signed
    Important note: After you have installed the SHA256 signed CAcert root certificate (#00000F), don't forget to delete the MD-5 signed CAcert root certificate (#000000)! Note: After you have installed the SHA256 signed CAcert Class 3 root certificate (#00000E), don't forget to delete the CAcert Class 3 Intermediate root certificate (#0A418A).

• obsolete: cacert-boundle.crt - Class 1 (#000000) and Class 3 (#000001) certificates, both MD-5 signed); disabled by main browsers and operating systems since 20170101

• SHA256 Installable package for Windows - CAcert_Root_Certificates_X0F_X0E.msi - Class 1 (#00000F) and Class 3 (#00000E) certificates, both SHA256 signed - procedure

• What is a CSR ? and Generating a Certificate Request

• Where can I find out more info about Class 3 and chained certificates ? see FAQ/TechnicalQuestions

• New Class3 subroot re-signed questions

• Client Certificates

• Client Certificates and Single Sign-On (SSO)

• PDF document signing and time-stamping in Adobe Reader

• Email Certificates and e-Mail Clients Overview

• Server Certificates

• Code Signing Certificates

• Document signing certificates (status at 20180101):

  • You can sign MS Word (DOC[X]) and OpenOffice (ODT) documents only with the code signing enabled client certificate.

  • You can sign Adobe Reader (PDF) and LibreOffice (ODT) documents with any client certificate.

• Getting your PGP key signed by CAcert

• Cryptographic hardware Help and Howtos

• TLS/SSL scanners

• Task force looking into Domain Controller requirements

Certificate related problems

• Why browsers report the CAcert.org website as improperly configured

• Problem with receiving PING email

  • You are continually receiving an error message:
    • Email Address given was invalid, or a test connection couldn't be made to your server, or the server rejected the email address as invalid

  • Please read also the 1st wiki note "Small branch from the topic" in this article.

• I cannot import a .p12 file, exported by Firefox, into Windows

• Browsers report untrusted CAcert root certificate due to an old signing algorithm

  • Examples:

    • Firefox error:Your connection is not secure; Advanced: SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED

    • Google Chrome error: The site's security certificate is not trusted!

  • Replace the old root with the new one, which is published on this page as SHA256!

• A browser cannot create a client certificate

• I cannot renew my certificate - How to renew an expired certificate for Windows using Linux, and how to do it using Firefox (Problem #3)

• You don't have a Domain name but still want a Server Cert?

• Missing Private Key

• How a Newbie gets his/her first own Client Certificate

Others

• Donations Guideline

• Merchandising

• Looking for an official and an unofficial Assurer Logos

• Getting Support and Help!

• BOINC

• Risk

• Significant Technical Standards for CAcert.org

• Unicode for CAcert

  • Unicode UTF-8 example-test

• Tutorials and Support & Documents

• Translations

• Decision Numbers (e.g. what m20070825.3 means)

• CAcert servers' IPv6 support (at the date 20160418)

• Glossary & Abbreviations (1), Glossary & Abbreviations (2), and Glossary & Abbreviations (Validation)

• CategoryFAQ