Technical FAQ
CAcert free contributors deny any headaches due to the content of this technical FAQ
Issuing a SubRoot cert?
Can I get a SubRoot certificate issued?
About CSR?
- What is a ["CSR"] and how do I get one?
Dealing with restrictive Internet providers?
I run a website from my home internet connection but port 25 is blocked, how can I get still get the email probe? PortBlocking
How to get certs for local development without full qualified domain name?
Q :
- I need certificates for my machine for local development. The machine doesn\'t have a full qualified domain name. How do I get a certificate that my web server will accept?
A :
- This is a tough question, although a lot of people have internal LAN webservers with real domain/hostnames, you only need to validate a domain or sub-domain, and then you can issue certificates for any hostnames using the domains/sub-domains as part of the hostname. If you don't have a domain/sub-domain, there are plenty of free dynamic DNS services you can make use of as well.
Why a CAcert-signed certificate better than a self-signed?
Even though we're not included by default in main stream browsers a number of linux distributions are already including us in their builds of Mozilla and other browsers/email clients.
If you had 100 websites configured with 100 self-signed certificates you would need to import all of them into your browser, where as using a CA issued model of root cert -> server certs (regardless if you use our site or do your own thing) will only require you to import 1 certificate to have those 100 sites all trusted as well by your browser. This isn't taking into account all the earlier adopters that have also imported our root cert on their computers and entire office networks via active directory, there are supposed to be a couple of 20,000+ seat networks being setup to use CAcert certs internally instead of running their own internal CA.
Finally self-signed provides no 3rd party verification, so you can easily issue a self signed certificate for "Microsoft.com" but unless you have access to RFC style email addresses our system wouldn't allow you to do that.
So while on the surface the browser will nag either way there is actually some benefits by having as many people as possible importing the root cert as well, since the more people that have it installed, the more useful it becomes and around and around we go.
How can I export/ backup the certificate authority root certs from Mozilla?
You can't.
The current Mozilla backup function is for your own certs - the one for which you have a key, in PKCS#12 format. You don't have the key to the root certs by definition, so you can't back them up to PKCS#12. Some root certs may be included in your PKCS#12 file if you back up one of your own certs, as the entire cert chain will be backed up.
To back up third party certs such as root certs, there would need to be a PKCS#7 backup function.
{From: netscape.public.mozilla.crypto - Julien Pierre)