Frequently Asked Questions (FAQ)

CAcert: what, why, how


Arbitration, Audit, Policies



New Root Certificates

Because they are nowadays actively disabled by operating systems and applications, older MD5 signed certificates are not of any help to access a website with HTTPS. As a rule of thumb, this is generally by now a poor idea to download and install any certificate with "MD5" labelled on it. Deprecation of MD5 algorithm for PKI purposes started in 2011; since the end of 2016, MD5 cannot be used at all for X.509 operations.

In order to address this challenge, CAcert re-signed its Root CA and Class 3 Root certificates, with the modern and secure SHA256 hash function. CAcert's Root SHA256-signed certificates remained otherwise unchanged (same keys, same validity period), exceptions being an updated serial number and the new signature. They are fully compatible with all certificates issued by CAcert previously.

The page gives here below access to both "refreshed" SHA256-signed and "legacy" MD5-signed Root certificates. Please, consider not making use any more of the later in any production-like environment.


FAQ (last edited 2019-04-17 18:58:26 by AlesKastner)