To Organisation Assurer - To Organisation Assurers List - To Prospective Organisation Assurers List - To Guidelines for Assured Organisations

deutsch | english | français | netherlands | …

Handbook for Organisation Adminstrator

See also Assured Organisations training for things you can do with Org Certificates.

Tasks of as CAcert Organisation Adminstrator

The primary task of a CAcert Organisation Adminstrator (OrgAdmin) is to create and maintain client- and server certificates for the organisation.

. Menu-EN.png

The OrgAdmin has two additional areas in the web interface of CAcert. With Org Client Certs the client and mail certificates of the organisation are maintained, with Org Client certs the server certificates of the organisation. The entry mask are quite similar to the one that are visible for every CAcert member.

Client Certificate Adminstration

Step 1

Basically the adminstration of client certificates for organisations is the same as for normal client certifcates. The input mask is slightly different.

. Client-Certificate-EN.png

The picture shows the form with the advanced options visible.

The entered email address must belong to one of the domains that are registered for the organisation. Other email addresses are not allowed.

If an email address is used by a CAcert member in his private account it should be revoked first in the private account before the OrgAdmin can issue the one for the organisation.

The name of the person must be entered. It will be displayed in the certificate next to the organisation .

If the department is entered the entry will be displayed as OU-entry.

In the options you can choose to sign with the class1 or class3 root certificate. Class 3 is recomended to use.

You also can choose between different hash alogrithms where SHA-256 is default.

If the Organisation Adminstrator has the code signing ability he can additional choose to create a code signing certificate (not displayed in screenshot).

You can added an optional comment that will not be published in the certificate but can be quite useful on the certificate overview.

All information entered in this form will be used not regarding which way of creating the certificate will be used in the second step. In case of using the CSR (Certificate Signing Request) only the public key information is used. All other information will be taken from this form and the organisation account data.

Step 2

. Client-Certificate-EN-Step2.png

On the second step you can decide wether you create a new private key within the browser or to paste the CSR into the form.

Using the CSR can be quite useful as the private key for the user does not need to be included into the Organisation Adminstrators browser truststore.

Result using the browser

. Client-Certificate-EN-Browser.png

The next step is to install the certificate in the browser you are just using and export it in a further step from the browser truststore to distribute it to the user.

=== Result using CSR ===

. Client-Certificate-EN-CSR.png

Here the public key information is copied and send to the user.

Server Certificate Adminstration

Basically the adminstration of server certificates for organisations is the same as for normal server certificates.

. Server-Certificate-EN.png

Enter your certificate request (CSR) in the textbox. More information about the creation of a CSR can be found here and

All information except the one the Organisational Unit (OU) will be replaced by the information that is entered for the organisation.


The OrgAdmin is responsible for the correct data.
This applies especially for the name in client certificates. Here is the need to check wethere the person is realy the the responsible person for the email address.
The OrgAdmin cannot add other Organisation Admintrators or domains. This is only done by the Organisation Assurer. They can be reached over <support AT SPAMFREEFOREVER cacert DOT org>.
If there is the need to create certificates with code signing ability, the OrgAdmin must ask for the code signing ability in his personal account as this is heritaged from there. The code signing ability can be requested with as simple mail to <support AT SPAMFREEFOREVER cacert DOT org>.



OrganisationAssurance/OA/OrgAdmin/Handbook/EN (last edited 2018-01-06 14:54:14 by BernhardFröhlich)