How to replace MD-5 signed CAcert Class 1 root with the SHA256 signed CAcert Class 1 root

The main browsers do not accept certificates (including root self-signed ones) signed using the MD-5 algorithm, after 20161231. The reason is, that the MD-5 algorithm is no more considered as the safe one nowadays. This is also the reason for replacing it with the SHA256 signed CAcert root certificate.


The SHA256 signed CAcert root certificate is quite equal to the MD-5 signed CAcert root one, as regards technical issues. The main differences between the SHA256 signed Class 1 root and the MD-5 signed Class 1 root are as follows:

The procedure

In brief: the replacement is possible, simple, and makes no problem both to OSes and to browsers. The process of the replacement is totally straightforward as 1-2-3:

  1. Download (from the page FAQ) and save the SHA256 signed CAcert Class 1 root file. Select the format your system or browser can use.

  2. Import the downloaded root into your OS or browser (e. g. use the system utility, or embedded Certificate Manager respectively).
  3. Delete the former MD-5 signed CAcert Class 1 root. Check its serial number 000000 before.

It has been proven that the replace procedure makes no harm.

CAcert Intermediate Class 3 root certificate with serial number 0A418A contains the reference the serial number (000000) of the MD5 signed CAcert Class 1 Root. Thus, it's suitable to replace it with the newly signed CAcert Intermediate Class 3 root with serial number 00000E, which doesn't contain that reference. You can download the new CAcert Intermediate Class 3 Root from the same page (FAQ). Then also import it (in Windows - Intermediate certificates). Then please remove the former CAcert Class 3 Root with serial number 0A418A.

There is no need to change or reinstall any CAcert issued certificate, as those already are SHA256 signed. Systems (Linux, Windows) and browsers (Firefox) are still able to create certificate chains needed.

The procedure, if roots were installed by the MSI package for MS Windows

If you have installed CAcert roots using the MSI package (available from the page, you have to deinstall them first using the same package CAcert_Root_Certificates.msi (or the new one, CAcert_Root_Certificates_X0F_X0E.msi). If you don't remember the procedure of the former installation, run the package (with X0F_X0E in its name). If three standard possibilities appear (buttons Change, Repair, Uninstall), press Uninstall. If the error dialog box appears (with no text, buttons Yes/No), press Yes.

You can also manually uninstall the root certificate, then search for the following Registry key:

and if it exists, delete it.

After uninstallation is done, run the new package CAcert_Root_Certificates_X0F_X0E.msi, confirm the license agreement, and install the roots. Again, if the dialog box "Error" appears, press Yes.

The procedure for the Kleopatra in Linux

The Kleopatra program deletes the root certificate with the whole certificate string. Thus, it does not allow the direct substitution of the old root certificate. You need to follow this procedure:

  1. Export all the certificates, issued to you, to files of type <hash>.pem

  2. Delete the CAcert root certificate (MD-5 signed). That way you also delete all the certificate string, i. e. the CAcert Class3 certificate and all your certificates (you have backups from the step 1).
  3. Import the CAcert root certificate CAcert Class1 SHA256 signed with serial number 0F (root_256.crt), and set it trustworthy.
  4. Import the CAcert intermediate Class3 certificate (class3.crt).
  5. Import all the certificates issued to you, which you have exported in the step 1.

HowTo/ReplaceCAcertRootCertificate (last edited 2018-12-26 22:12:52 by AlesKastner)