Class3 Subroot Re-sign - Press Release (English)
June 04, 2011
New signatures for CAcert-Class 3-Subroot-certificate - Changes for users of CAcert-Certificates
CAcert is going to re-sign its Class 3-certificate on June xxth with a new SHA256-based signature. The MD5-based signature on the old certificate is seen as not secure any more by Mozilla and is therefore deprecated. Mozilla is going to drop support for MD5-signed Class 3-subroot and end-entity certificates after 30th June. Users of Mozilla products such as Firefox and Thunderbird may experience errors when these programs try to verify such certificates.
In order to avoid warnings, webmasters and users of CAcert's Class 3-certificates will have to download and install the newly-signed certificates from CAcert's website www.cacert.org. The same procedure applies if the Class 3-certificate is used for secure e-mail communication, for code signing, or document signing.
The procedure in short:
Download the new Class 3 PKI Key from http://www.cacert.org/index.php?id=3
- Either install it directly in your browser, or any other client program you use the certificate for, or save it to the SSL configuration directory of your webserver. For Apache this may be: /etc/apache2/ssl/class3.crt (PEM-Format)
- Verify the SHA1-fingerprint of the downloaded certificate:
- Example Commandline:
- openssl x509 -fingerprint -noout -in class3.crt
- Or look at the fingerprint when importing the certificate into the webbrowser
- Webmaster now re-create the necessary hash with c_rehash, or the like