## 20210712 AK
----
[[FAQ/NewRoots/CZ|česky]] | '''english'''
----
= New and archived (obsoleted) CAcert Roots =
=== New Root Certificates ===
{{{{#!wiki caution
Because they are nowadays actively '''disabled''' by operating systems and applications, older '''MD5 signed''' certificates are of no help in accessing a website over HTTPS. As a rule of thumb, it is by now a poor idea to download and install '''any''' certificate labelled "MD5". Deprecation of the MD5 algorithm for PKI purposes started in 2011; since the end of 2016, MD5 cannot be used at all for X.509 operations.
In order to address this challenge, CAcert re-signed its '''Root CA''' and '''Class 3 Root''' certificates with the modern and secure SHA256 hash function. CAcert's SHA256-signed root certificates otherwise remained '''unchanged''' (same keys, same validity period); the only exceptions are an updated serial number and the new signature. They are fully '''compatible''' with all certificates issued by CAcert '''previously'''.
{{{#!Wiki note
||<#80FEDC> 20190410: the SHA256 signed root certificates, both Class 1 and Class 3, were placed on the CAcert operating server (http://www.cacert.org/index.php?id=3). Their filenames for download are: root_X0F (Class 1 root) and class3_X0E (intermediate Class 3 root). The hexadecimal number following "X" is the unique serial number of the certificate, thus 00000F and 00000E, respectively. CAcert users are advised to substitute both older certificates (with serial numbers 000000 and 0A418A) with these new ones.||
||<#0000FF> 20210710: the SHA256 signed Class 3 root certificate (files Class3_x14E228.crt / .der / .txt) was placed on the CAcert operating server (http://www.cacert.org/index.php?id=3), because the former intermediate Class 3 certificate (Class3_X0E) expired on 20210520. The hexadecimal number after the 'x' letter is the unique serial number of the certificate, thus 14E228. CAcert users are advised to substitute the older Class 3 certificate (with serial number 00000E) with this new one.||
}}}
This page also gives access below to the "refreshed" SHA256-signed Class 1 root certificate (#00000F), which replaces the old MD5-signed Class 1 root certificate (#000000). The "refreshed" SHA256-signed Class 1 root certificate should definitely be used since 2018-01-01. This page also offers access to the new intermediate Class 3 root certificate (#14E228), which replaces the old intermediate Class 3 root (#00000E). You can find an explanation and the procedure [[HowTo/ReplaceCAcertRootCertificate|here]].
}}}}
* Want to smoothly '''replace''' the expired Class 3 root certificate with the renewed SHA256 signed one? The '''procedure is [[HowTo/ReplaceCAcertRootCertificate|here]]'''.
* Want to smoothly '''replace''' an obsolete MD5 signed certificate with an up-to-date SHA256 signed one? The '''procedure is [[HowTo/ReplaceCAcertRootCertificate|here]]'''.
* How can I import the root certificate? See [[FAQ/ImportRootCert|Import Root Cert]], [[FAQ/BrowserClients|Browser Clients]], and [[FAQ/eMailClients|e-Mail Clients]]
* '''SHA256 CAcert root''' signed using the SHA256 algorithm: [[attachment:root_X0F.cer|for Windows - PEM format]], [[attachment:root_X0F.crt|for OS.X, iOS and Linux - PEM format]], [[attachment:root_X0F.der|binary - DER format]]
* Class 1 root, signing algorithm SHA256, serial number 00000F
* fingerprint SHA1 = dd:fc:da:54:1e:75:77:ad:dc:a8:7e:88:27:a9:8a:50:60:32:52:a5<<BR>>''Important note: After you have installed the SHA256 signed CAcert root certificate (#00000F), don't forget to delete the MD-5 signed CAcert root certificate (#000000)!''
* '''SHA256 CAcert Intermediate''' root signed using the SHA256 algorithm: [[attachment:class3_X14E228.cer|for Windows]], [[attachment:class3_X14E228.crt|for OS.X, iOS, and Linux - PEM format]], [[attachment:class3_X14E228.der|binary - DER format]]
* Class 3 root, signing algorithm SHA256, serial number 14E228
* fingerprint SHA1 = D8:A8:3A:64:11:7F:FD:21:94:FE:E1:98:3D:D2:5C:7B:32:A8:FF:C8<<BR>>''Note: Before you install the SHA256 signed CAcert Class 3 Intermediate certificate (#14E228), don't forget to delete the CAcert Class 3 Intermediate root certificate (serial #00000E).''
* '''SHA256 CAcert Roots in one package''', valid at 15.05.2021: [[attachment:CAcert_chain_X0F_X14E228.pem]], contains roots:
* Class 1 Root, signing algorithm SHA256, serial number 00000F
* fingerprint SHA1 = DD:FC:DA:54:1E:75:77:AD:DC:A8:7E:88:27:A9:8A:50:60:32:52:A5<<BR>>''Important note: After you have installed the SHA256 signed CAcert root certificate (#00000F), don't forget to delete the MD-5 signed CAcert root certificate (#000000)!''
* Class 3 Root, signing algorithm SHA256, serial number 14E228
* fingerprint SHA1 = D8:A8:3A:64:11:7F:FD:21:94:FE:E1:98:3D:D2:5C:7B:32:A8:FF:C8<<BR>>''Note: Before you install the SHA256 signed CAcert Class 3 root certificate (#14E228), don't forget to delete the CAcert Class 3 Intermediate root certificate (#00000E).''
## * SHA256 CAcert Roots in one package, valid at 11.11.2016: [[attachment:CAcert_chain_X0F_X0E.pem]], contains roots:
## * Class 1 Root, signing algorithm SHA256, serial number 00000F
## * fingerprint SHA1 = DD:FC:DA:54:1E:75:77:AD:DC:A8:7E:88:27:A9:8A:50:60:32:52:A5<<BR>>''Important note: After you have installed the SHA256 signed CAcert root certificate (#00000F), don't forget to delete the MD-5 signed CAcert root certificate (#000000)!''
## * Class 3 Root, signing algorithm SHA256, serial number 0A418A
## * fingerprint SHA1 = AD:7C:3F:64:FC:44:39:FE:F4:E9:0B:E8:F4:7C:6C:FA:8A:AD:FD:CE
## * /!\ ''obsolete:'' /!\ CAcert Roots in one package, valid at September 04, 2015: [[attachment:CAcert_chain.pem]], contains roots:
## * Class 1 Root, signing algorithm [[FAQ/Class3Resign#Q:_Why_can_the_root_CAcert_certificate_(class_1)_still_be_signed_using_the_MD5_algorithm?|MD-5]], serial number 000000; '''disabled by main browsers and operating systems since 20170101'''
## * fingerprint SHA1 = 13:5C:EC:36:F4:9C:B8:E9:3B:1A:B2:70:CD:80:88:46:76:CE:8F:33
## * Class 3 Root, signing algorithm SHA256, serial number 0A418A
## * fingerprint SHA1 = AD:7C:3F:64:FC:44:39:FE:F4:E9:0B:E8:F4:7C:6C:FA:8A:AD:FD:CE
* '''Where can I find the root certificate in a format that is suitable to append it to /usr/share/ssl/certs/ca-bundle.crt?'''
* '''SHA256''' [[attachment:cacert-bundle_X0F_X14E228.crt]] - Class 1 (#00000F) and Class 3 (#14E228), both SHA256 signed<<BR>>''Important note: After you have installed the SHA256 signed CAcert root certificate (#00000F), don't forget to delete the MD-5 signed CAcert root certificate (#000000)! Note: Before you install the SHA256 signed CAcert Class 3 root certificate (#14E228), don't forget to delete the CAcert Class 3 Intermediate root certificate (#00000E).''
## * /!\ ''obsolete:'' /!\ [[attachment:cacert-bundle.crt]] - Class 1 (#000000, MD-5 signed) and Class 3 (#0A418A, SHA256 signed) certificates; '''disabled by main browsers and operating systems since 20170101'''
## * SHA256 [[attachment:cacert-bundle_X0F_X0E.crt]] - Class 1 (#00000F) and Class 3 (#0A418A) certificates, both SHA256 signed<<BR>>''Important note: After you have installed the SHA256 signed CAcert root certificate (#00000F), don't forget to delete the MD-5 signed CAcert root certificate (#000000)!''
## * /!\ ''obsolete:'' /!\ [[attachment:cacert-boundle.crt]] - Class 1 (#000000) and Class 3 (#000001) certificates, both MD-5 signed; '''disabled by main browsers and operating systems since 20170101'''
* '''SHA256 Installable package for Windows''' - [[attachment:CAcert_Root_Certificates_2021.msi]] - Class 1 (#00000F) and Class 3 (#14E228) certificates, both SHA256 signed - [[HowTo/ReplaceCAcertRootCertificate#The_procedure,_if_roots_were_installed_by_the_MSI_package_for_MS_Windows|procedure]]
## * SHA256 Installable package for Windows - [[attachment:CAcert_Root_Certificates_X0F_X0E.msi]] - Class 1 (#00000F) and Class 3 (#00000E) certificates, both SHA256 signed - [[HowTo/ReplaceCAcertRootCertificate#The_procedure,_if_roots_were_installed_by_the_MSI_package_for_MS_Windows|procedure]]
## * SHA256 [[attachment:CAcert_Root_Certificates_256.msi]] - Class 1 (#00000F) and Class 3 (#0A418A) certificates, both SHA256 signed - Installable package for Windows - [[HowTo/ReplaceCAcertRootCertificate]]
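One way to check a downloaded PEM bundle against the SHA1 fingerprints listed above before importing it, and to spot obsolete roots that should be deleted. This is an added example, not CAcert's own tooling; the function names are illustrative, and the obsolete fingerprints are those given for #000000 and #0A418A in this page's archived entries.

```python
# Added example: audit a PEM bundle against the fingerprints on this page.
import base64
import hashlib
import re

# SHA1 fingerprints of the current roots, as published above.
CURRENT = {
    "dd:fc:da:54:1e:75:77:ad:dc:a8:7e:88:27:a9:8a:50:60:32:52:a5":
        "Class 1 root #00000F",
    "D8:A8:3A:64:11:7F:FD:21:94:FE:E1:98:3D:D2:5C:7B:32:A8:FF:C8":
        "Class 3 root #14E228",
}
# Fingerprints of roots this page marks as replaced.
OBSOLETE = {
    "13:5C:EC:36:F4:9C:B8:E9:3B:1A:B2:70:CD:80:88:46:76:CE:8F:33":
        "Class 1 root #000000 (MD5 signed)",
    "AD:7C:3F:64:FC:44:39:FE:F4:E9:0B:E8:F4:7C:6C:FA:8A:AD:FD:CE":
        "Class 3 root #0A418A",
}
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def normalise(fp):
    """Reduce 'dd:fc:..', 'DD FC ..' or 'ddfc..' to 40 uppercase hex digits."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", fp).upper()
    if len(digits) != 40:
        raise ValueError("not a SHA1 fingerprint: %r" % fp)
    return digits


def fingerprints(pem_text):
    """SHA1 over the DER bytes of every certificate in a PEM bundle."""
    result = []
    for body in PEM_RE.findall(pem_text):
        der = base64.b64decode("".join(body.split()), validate=True)
        result.append(hashlib.sha1(der).hexdigest().upper())
    return result


def audit(pem_text, current=CURRENT, obsolete=OBSOLETE):
    """Return (current roots found, current roots missing, obsolete roots)."""
    cur = {normalise(k): v for k, v in current.items()}
    old = {normalise(k): v for k, v in obsolete.items()}
    seen = set(fingerprints(pem_text))
    found = sorted(v for k, v in cur.items() if k in seen)
    missing = sorted(v for k, v in cur.items() if k not in seen)
    stale = sorted(v for k, v in old.items() if k in seen)
    return found, missing, stale
```

Pass the text of a downloaded bundle such as cacert-bundle_X0F_X14E228.crt to `audit()`; a non-empty third element means the file still carries a root that the notes above say to delete.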
== New CAcert roots prepared for Android systems ==
* 5ed36f99.0 [[attachment:5ed36f99.0]] - Class 1 Root (#00000F) SHA256 signed
* its MD-5 hash [[attachment:5ed36f99.md5]]: 6ecc343c22ba3ba6ef817f0d8bd744e1
* its SHA1 hash [[attachment:5ed36f99.sha1]]: 8d9ca4e340ecf56911296b3c48b3a4969515b268
* its SHA256 hash [[attachment:5ed36f99.sha256]]: a04100c5026e41cf6d79a4653495258afc02f1819d742a3f8af848e052036196
* e5662767.0 [[attachment:e5662767.0]] - Class 3 Root (#14E228) SHA256 signed
* its MD-5 hash [[attachment:e5662767.md5]]: ec9756d27ec59a6c8525ec92b0eacabb
* its SHA1 hash [[attachment:e5662767.sha1]]: 32478474740013ce5d4dfe31eb12d14598786d15
* its SHA256 hash [[attachment:e5662767.sha256]]: a8715704acf0bd1531e7ca11e98df8af45ce421f09cad2cddc70edabe2bd9520
----
. [[CategoryFAQ]]