TableOfContents

Technical FAQ

CAcert free contributors deny any headaches due to the content of this technical FAQ

Issuing a SubRoot cert?

About CSR?

Dealing with restrictive Internet providers?

How to get certs for local development without full qualified domain name?

Q :

A :

Why a CAcert-signed certificate better than a self-signed?

Even though we're not included by default in main stream browsers a number of linux distributions are already including us in their builds of Mozilla and other browsers/email clients.

If you had 100 websites configured with 100 self-signed certificates you would need to import all of them into your browser, where as using a CA issued model of root cert -> server certs (regardless if you use our site or do your own thing) will only require you to import 1 certificate to have those 100 sites all trusted as well by your browser. This isn't taking into account all the earlier adopters that have also imported our root cert on their computers and entire office networks via active directory, there are supposed to be a couple of 20,000+ seat networks being setup to use CAcert certs internally instead of running their own internal CA.

Finally self-signed provides no 3rd party verification, so you can easily issue a self signed certificate for "Microsoft.com" but unless you have access to RFC style email addresses our system wouldn't allow you to do that.

So while on the surface the browser will nag either way there is actually some benefits by having as many people as possible importing the root cert as well, since the more people that have it installed, the more useful it becomes and around and around we go.