Technical FAQ

Getting Certs or Signatures

Client, Server, and Network - Problems and Configuration

Misc

I am getting prompted that your site SSL certificate cannot be validated.

Did you import the CAcert Root Certificate into your browser?

See http://www.cacert.org/index.php?id=3

CAcert Class 3 certificates

Why ?

As of october 18th 2005, CAcert has started to offer Class 3 certificates.

The reason for the Class 3 certificates is because some software developers & admins don't like the idea of having verified & unverified certificates on the same ground, and while we're aware of the fact other companies already in the mainstream browsers are issuing certificates under the same or worst circumstances, we're the ones being asked to be better net citizens... !

So, we improve the trust in the certificate we provide.

What is the difference between Class 1 and Class 3 Certificates

The class 3 root certificate is the high-security subset of the CAcert class 1 root certificate.

Class 1 is the 'normal' and older root certificate of CAcert. It inculdes both, low security and high security certificates. As it might not be possible to get the class 1 certificate included into some browsers or distributions (see InclusionStatus), the Class 3 certificate was introduced. The Class 3 root certificate includes only high security certificates and is a subset of the Class 1 certificate.

In general: The class 3 will probably be integrated into more browsers and distributions in the future, whereas the class 1 certificate probably works with more and especially older browsers.

Using Class 3 certificates

Using Class 3 certificates with Apache is identical to using Class 1 certificates. Just associate your server certificate issues by CAcert with your (virtual) host by using the SSLCertificateFile directive. You don't have to specify the CA certificate in Apache unless you would like to verify client certificates signed with the CA's key.

To make it absolute clear: If you specify the CA certificate in Apache, Apache won't send the CA certificate with the server's certificate in response to client connects, because that would't make any sense at all. Imagine what it would mean if Apache did that: Someone you don't know gives you a written statement from someone you don't know either, telling you "Yes, it's true, he is the one claiming to be."

How it really works is like this: You have to have the CA certificate already imported into your web browser. By importing it you declare that you trust the CA to properly certify users or servers. Now, if you connect to a website, the website replies with its server certificate. Your browser detects that this certificate has been signed by a trusted CA, and therefore trusts the server certificate to be valid.

So, to repeat, you need to include the SSLCertificateFile in Apache only if you want Apache to verify client certificates, using the specified CA certificate.

Example for Apache 1.x mod_ssl:

# Your certificate file
SSLCertificateFile /etc/apache/ssl.crt/www.example.org.crt
# Your key file
SSLCertificateKeyFile /etc/apache/ssl.key/www.example.org.key
# Cacert's root certificate for class 3; needed only to verify client certificates
SSLCACertificateFile /etc/apache/ssl.crt/cacert.org-class3.crt

The cacert.org-class3.crt file should contain the pem version of the class 3 Root certificate ( http://www.cacert.org/certs/class3.crt )

Why a CAcert-signed certificate better than a self-signed?

Even though we're not included by default in main stream browsers a number of linux distributions are already including us in their builds of Mozilla and other browsers/email clients.

If you had 100 websites configured with 100 self-signed certificates you would need to import all of them into your browser, where as using a CA issued model of root cert -> server certs (regardless if you use our site or do your own thing) will only require you to import 1 certificate to have those 100 sites all trusted as well by your browser. This isn't taking into account all the earlier adopters that have also imported our root cert on their computers and entire office networks via active directory, there are supposed to be a couple of 20,000+ seat networks being setup to use CAcert certs internally instead of running their own internal CA.

Finally self-signed provides no 3rd party verification, so you can easily issue a self signed certificate for "Microsoft.com" but unless you have access to RFC style email addresses our system wouldn't allow you to do that.

So while on the surface the browser will nag either way there is actually some benefits by having as many people as possible importing the root cert as well, since the more people that have it installed, the more useful it becomes and around and around we go.

How can I export/ backup the certificate authority root certs from Mozilla?

You can't.

The current Mozilla backup function is for your own certs - the one for which you have a key, in PKCS#12 format. You don't have the key to the root certs by definition, so you can't back them up to PKCS#12. Some root certs may be included in your PKCS#12 file if you back up one of your own certs, as the entire cert chain will be backed up.

To back up third party certs such as root certs, there would need to be a PKCS#7 backup function.

(From: netscape.public.mozilla.crypto - Julien Pierre)

What do I need to get a code-signing cert?

For code signing you need to have at least 100 points. Then you have to send an email to support #at# cacert.org to ask to activate Code-Signing for your account. Please see CodesigningCert for further details.

How can do I request a server certificate?

[Q] I'm trying to figure out what exactly I'm supposed to do to request a server certificate. I was able to successfully create an account for myself to get personal email certificates, but there doesn't appear to be a corresponding part of the site for server certificates. The page that describes the "Server Certificate Programme" doesn't say anything about how I submit an application. Should I attach the csr that I generated to an email and send it to support? Is there some other email address that I should use?

[A] The big confusion may be that you're logging in under the "Email certificates" section rather than the "Server certificates" both of which are on the right-hand menu on the main CAcert site. Try that and you should be able to register your domain, receive email probes to your address and finally paste in your CSR.

Is the Source Code for CAcert.org available

Yes, it is. Have a look at http://www.cacert.org/src-lic.php