How to replace MD-5 signed CAcert Class 1 root with the SHA256 signed CAcert Class 1 root

The main browsers do not accept certificates (including root self-signed ones) signed using the MD-5 algorithm, after 20161231. The reason is, that the MD-5 algorithm is no more considered as the safe one nowadays. This is also the reason for replacing it with the SHA256 signed CAcert root certificate.


The SHA256 signed CAcert root certificate is quite equal to the MD-5 signed CAcert root one, as regards technical issues. The main differences between the SHA256 signed Class 1 root and the MD-5 signed Class 1 root are as follows:

The procedure

In brief: the replacement is possible, simple, and makes no problem both to OSes and to browsers. The process of the replacement is totally straightforward as 1-2-3:

  1. Download and save the SHA256 signed CAcert Class 1 root file. Select the format your system or browser can use.
  2. Import the downloaded root into your OS or browser (e. g. use the system utility, or embedded Certificate Manager respectively).
  3. Delete the former MD-5 signed CAcert Class 1 root. Check its serial number 000000 before.

It has been proven that the replace procedure makes no harm. There is no need to change or reinstall either the Class 3 CAcert root or any CAcert issued certificate, as those already are SHA256 signed. Systems (Linux, Windows) and browsers (Firefox) are still able to create certificate chains needed.

The procedure, if roots were installed by the MSI package for MS Windows

If you have installed CAcert roots using the MSI package, you have to deinstall them first using the same package CAcert_Root_Certificates.msi (or the new one, CAcert_Root_Certificates_256.msi). If you don't remember the procedure of the former installation, run the package (with _256 in its name). if it shows three standard possibilities (buttons Change, Repair, Uninstall), press Uninstall. If the error dialog box appears (with no text, buttons Yes/No), press Yes.

You can also manually uninstall the root certificate, then search for the following Registry key:

and if it exists, delete it.

After uninstallation is done, run the new package CAcert_Root_Certificates_256.msi, confirm the license agreement, and install the roots. Again, if the dialog box "Error" appears, press Yes.

The procedure for the Kleopatra in Linux

The Kleopatra program deletes the root certificate with the whole certificate string. Thus, it does not allow the direct substitution of the old root certificate. You need to follow this procedure:

  1. Export all the certificates, issued to you, to files of type <hash>.pem

  2. Delete the CAcert root certificate (MD-5 signed). That way you also delete all the certificate string, i. e. the CAcert Class3 certificate and all your certificates (you have backups from the step 1).
  3. Import the CAcert root certificate CAcert Class1 SHA256 signed with serial number 0F (root_256.crt), and set it trustworthy.
  4. Import the CAcert intermediate Class3 certificate (class3.crt).
  5. Import all the certificates issued to you, which you have exported in the step 1.

HowTo/ReplaceCAcertRootCertificate (last edited 2018-11-21 15:46:12 by AlesKastner)