How do I install the CAcert source?

Quick and dirty

Developers looking into playing with the source code can follow this guide on how to install the source (please also add stuff you find to this guide!)

Also, you have to realize that you are entering unknown land here, so if something does not work, try to find it out yourself or ask on IRC...

  1. first download the source

  2. Create the directory /www
  3. Extract it to the /www directory, so that you have /www/www/index.php
  4. Set up an apache virtual host for this (
  5. Point the document root to `path-to-source/www'
  6. Enable AllowOverride All on the directory so the .htaccess is able to override the settings

  7. Change the path to the general.php in the .htaccess file
  8. Change the path to the source-root in include/general.php
  9. Copy include/mysql.php.sample to include/mysql.php
  10. Create a database for cacert, a separate user
  11. fill the database using cacert.sql
  12. Change mysql.php at the top so cacert finds the path, change the vhost for the ssl and non-ssl hosts


Create the following dirs in your cacert-path:

Make sure that crt/ and csr/ and read & writeable by your web-user.

Change the paths to your cacert-installation in scripts/*.c and run "make" afterwards to create the wrappers. I guess that the wrappers would be running setuid some-user (root?) in order to have access to the CA files, so the webserver does not need to have access to those.

I changed the runclient and runserver script to setuid & setgid to the user that created the CA and chowned them to "root:httpd" and chmodded them to 4750.

rg$ cat scripts/Makefile 
all: runserver.c runclient.c
        gcc -O2 -o runserver runserver.c
        gcc -O2 -o runclient runclient.c
        sudo chown root:httpd runserver runclient
        sudo chmod 4750 runserver runclient

        rm -f runserver runclient rungpg test

Create your own CA

In order to fully test your installation you need to be able to create & sign & so on. For that you need your own CA. Change to your cacert path und run "" that's been delivered together with openssl (on debian it was in /usr/lib/ssl/misc/). Fill in the values with sensible values and choose a passphrase. It seems that the devel scripts have the passphrase "test", so it may be the easiest to set it to the same value.

Create the config files for the actions

I "reverse-engineered" this files from my installation, as the original files as used by cacert are not available. It would be very helpful if those were included in the distribution!

Every action (sign email, sign orgemail, ...) has it's own config file in etc/ssl/. I copied my /usr/lib/ssl/openssl.cnf file to the target file, changed the path to my cacert-path ($path/demoCA/) and set the following values:


[ policy_match ]
countryName             = optional
stateOrProvinceName     = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ usr_cert ]
nsCertType = client, email


Software/HowToInstallSource (last edited 2009-09-16 05:54:58 by GregStark)