Why and how to replace CAcert Class 1 and Class 3 roots

The main browsers do not accept certificates (including root self-signed ones) signed using the MD-5 algorithm, after 20161231. The reason is, that the MD-5 algorithm is no more considered as the safe one nowadays. This is also the reason for replacing it with the SHA256 signed CAcert root certificate.

This article describes:

  1. Why and how to replace MD-5 signed CAcert Class 1 root certificate with the SHA256 signed CAcert Class 1 root
  2. Why and how to replace intermediate CAcert Class 3 root certificate


The SHA256 signed CAcert root certificate is quite equal to the MD-5 signed CAcert root one, as regards technical issues. The main differences between the SHA256 signed Class 1 root and the MD-5 signed Class 1 root are as follows:

The intermediate root SHA256 signed CAcert certificate Class 3 serial number 0A418A contains a link to the CAcert Class 1 root certificate serial # 000000 (MD-5 signed). This could lead programs, e.g. web browsers, to download the old Class 1 certificate, when assembling the certificate chain (from your certificate to the root one). Therefore, it is also advisable to replace the Class 3 certificate. The differences follows:

20190410: the SHA256 signed root certificates, both Class 1 and Class 3, were placed to the CAcert operating server (http://www.cacert.org/index.php?id=3). Their filenames for download are: root_X0F (Class 1 root) and class3_X0E (intermediate Class 3 root). The hex. number following "X" is the unique serial number of the certificate, thus 00000F and 00000E, respectively. CAcert users are advised to substitute both older certificates (with serial numbers 000000 and 0A418A) with these new ones according to the following instructions.

The procedure

In brief: the replacement is possible, simple, and makes no problem both to OSes and to browsers. The process of the replacement is totally straightforward as 1-2-3:

  1. Download from the page http://www.cacert.org/index.php?id=3 (or possibly FAQ) and save both SHA256 signed CAcert root files. Select the format your system or browser can use.

  2. Import (install) the downloaded roots into your OS or browser (e.g. use the system utility, or browser embedded Certificate Manager, respectively). Install the Class 1 certificate (root_X0F) and confirm its credibility. Then install Class 3 certificate (class3_X0E).
  3. Delete the former MD-5 signed CAcert Class 1 root. Check its serial number 000000 before.
  4. Delete also the former Class 3 intermediate CAcert root. Check its serial number 0A418A before.

It has been proven that the replace procedure makes no harm.

There is no need to change or reinstall any CAcert issued certificate, as those already are SHA256 signed. Systems (Linux, Windows) and browsers (Firefox) are still able to create certificate chains needed.

The procedure, if roots were installed by the MSI package for MS Windows

If you have installed CAcert roots using the MSI package (available from the page http://www.cacert.org/index.php?id=3), you have to deinstall them first using the same package CAcert_Root_Certificates.msi (or the new one, CAcert_Root_Certificates_X0F_X0E.msi). If you don't remember the procedure of the former installation, run the package (with X0F_X0E in its name). If three standard possibilities appear (buttons Change, Repair, Uninstall), press Uninstall. If the error dialog box appears (with no text, buttons Yes/No), press Yes.

You can also manually uninstall the root and intermediate certificates, then search for the following Registry key:

and if it exists, delete it.

After uninstallation is done, run the new package CAcert_Root_Certificates_X0F_X0E.msi, confirm the license agreement, and install the roots. Again, if the dialog box "Error" appears, press Yes.

The procedure for the Kleopatra in Linux

The Kleopatra program deletes the root certificate with the whole certificate string. Thus, it does not allow the direct substitution of the old root certificate. You need to follow this procedure:

  1. Export all the certificates, issued to you, to files of type <hash>.pem

  2. Delete the CAcert root certificate (MD-5 signed). That way you also delete all the certificate string, i. e. the CAcert Class3 certificate and all your certificates (you have backups from the step 1).
  3. Import the CAcert root certificate CAcert Class1 SHA256 signed with serial number 0F (root_X0F.crt), and set it trustworthy.
  4. Import the CAcert intermediate Class3 certificate (class3_X0E.crt).
  5. Import all the certificates issued to you, which you have exported in the step 1.

HowTo/ReplaceCAcertRootCertificate (last edited 2019-05-08 20:36:44 by AlesKastner)