TableOfContents

Technical FAQ

Getting Certs or Signatures

Client, Server, and Network - Problems and Configuration

Misc

What is the difference between Class 1 and Class 3 Certificates

The class 3 root certificate is the high-security subset of the CAcert class 1 root certificate.

Class 1 is the 'normal' and older root certificate of CAcert. It inculdes both, low security and high security certificates. As it might not be possible to get the class 1 certificate included into some browsers or distributions (see InclusionStatus), the Class 3 certifiacate was introduced. The Class 3 root certificate includes only high security certificates and is a subset of the Class 1 certificate.

Why a CAcert-signed certificate better than a self-signed?

Even though we're not included by default in main stream browsers a number of linux distributions are already including us in their builds of Mozilla and other browsers/email clients.

If you had 100 websites configured with 100 self-signed certificates you would need to import all of them into your browser, where as using a CA issued model of root cert -> server certs (regardless if you use our site or do your own thing) will only require you to import 1 certificate to have those 100 sites all trusted as well by your browser. This isn't taking into account all the earlier adopters that have also imported our root cert on their computers and entire office networks via active directory, there are supposed to be a couple of 20,000+ seat networks being setup to use CAcert certs internally instead of running their own internal CA.

Finally self-signed provides no 3rd party verification, so you can easily issue a self signed certificate for "Microsoft.com" but unless you have access to RFC style email addresses our system wouldn't allow you to do that.

So while on the surface the browser will nag either way there is actually some benefits by having as many people as possible importing the root cert as well, since the more people that have it installed, the more useful it becomes and around and around we go.

How can I export/ backup the certificate authority root certs from Mozilla?

You can't.

The current Mozilla backup function is for your own certs - the one for which you have a key, in PKCS#12 format. You don't have the key to the root certs by definition, so you can't back them up to PKCS#12. Some root certs may be included in your PKCS#12 file if you back up one of your own certs, as the entire cert chain will be backed up.

To back up third party certs such as root certs, there would need to be a PKCS#7 backup function.

(From: netscape.public.mozilla.crypto - Julien Pierre)

What do I need to get a code-signing cert?

For code signing you need to have at least 100 points, and CAcert has to have a (scanned) copy of your photo ID. Then you have to send an email to support #at# cacert.org to ask to activate Code-Signing for your account.

How can do I request a server certificate?

[Q] I'm trying to figure out what exactly I'm supposed to do to request a server certificate. I was able to successfully create an account for myself to get personal email certificates, but there doesn't appear to be a corresponding part of the site for server certificates. The page that describes the "Server Certificate Programme" doesn't say anything about how I submit an application. Should I attach the csr that I generated to an email and send it to support? Is there some other email address that I should use?

[A] The big confusion may be that you're logging in under the "Email certificates" section rather than the "Server certificates" both of which are on the right-hand menu on the main CAcert site. Try that and you should be able to register your domain, receive email probes to your address and finally paste in your CSR.