TableOfContents

Technical FAQ

Getting Certs or Signatures

Network and Server Problems

Misc

What is the difference between Class 1 and Class 3 Certificates

Class 1 is the 'normal' certificate

Class 3 seems to be a chained certificate (including the root cert?) to make it more usable for browsers.

How to get certs for local development without full qualified domain name?

Question: I need certificates for my machine for local development. The machine doesn\'t have a full qualified domain name. How do I get a certificate that my web server will accept?

Answer: This is a tough question, although a lot of people have internal LAN webservers with real domain/hostnames, you only need to validate a domain or sub-domain, and then you can issue certificates for any hostnames using the domains/sub-domains as part of the hostname.

If you don't have a domain/sub-domain, there are plenty of free dynamic DNS services you can make use of as well.

Why a CAcert-signed certificate better than a self-signed?

Even though we're not included by default in main stream browsers a number of linux distributions are already including us in their builds of Mozilla and other browsers/email clients.

If you had 100 websites configured with 100 self-signed certificates you would need to import all of them into your browser, where as using a CA issued model of root cert -> server certs (regardless if you use our site or do your own thing) will only require you to import 1 certificate to have those 100 sites all trusted as well by your browser. This isn't taking into account all the earlier adopters that have also imported our root cert on their computers and entire office networks via active directory, there are supposed to be a couple of 20,000+ seat networks being setup to use CAcert certs internally instead of running their own internal CA.

Finally self-signed provides no 3rd party verification, so you can easily issue a self signed certificate for "Microsoft.com" but unless you have access to RFC style email addresses our system wouldn't allow you to do that.

So while on the surface the browser will nag either way there is actually some benefits by having as many people as possible importing the root cert as well, since the more people that have it installed, the more useful it becomes and around and around we go.

How can I export/ backup the certificate authority root certs from Mozilla?

You can't.

The current Mozilla backup function is for your own certs - the one for which you have a key, in PKCS#12 format. You don't have the key to the root certs by definition, so you can't back them up to PKCS#12. Some root certs may be included in your PKCS#12 file if you back up one of your own certs, as the entire cert chain will be backed up.

To back up third party certs such as root certs, there would need to be a PKCS#7 backup function.

(From: netscape.public.mozilla.crypto - Julien Pierre)

What do I need to get a code-signing cert?

For code signing you need to have at least 100 points, and CAcert has to have a (scanned) copy of your photo ID. Then you have to send an email to support #at# cacert.org to ask to activate Code-Signing for your account.