Code and documentation is also available here: https://github.com/CAcertOrg/cacert-procedures/tree/master/rootResignSHA256. The actual step-by-step implementation by the Critical Administrator Team can be found at: https://svn.cacert.org/CAcert/SystemAdministration/signer/re-sign-2016/implementation.txt.

Involved Parties

Abstract

The root certificate of CAcert is currently signed with MD5. This is deprecated and should be replaced by a newer signature. To allow interop with existing certificates no new key material is created, but a new signature on the old proto-certificate (TBSCertificate structure) is created.

Rationale

The Class 1 Root certificate is chained based on its Public Key Fingerprint rather than its certificate fingerprint. Thus changing the certificate while keeping the identifying information intact should keep existing chains valid.

Preparation

Perform a dry-run of the actual process on a test server and verify everything works as required.

Process

A re-sign tool will look for the Class 1 Root certificate ("root.crt") and its private key ("root.key"), re-sign the certificate with SHA256 and output the new certificate ("root_256.crt"). Additionally a set of information required for proper chaining with the Class 3 Intermediate certificate ("class3.crt") are updated by re-signing a slightly modified version of the Class 3 Intermediate certificate. The Process should therefore be executed like this:

Input artifacts

Preparation on a separate box

Actual Execution on the signer

Resulting artifacts from the process

Post-execution steps

Test requirements

Test of included data

Test of functionality

Audit Considerations

Security Considerations

Log