Introduction

Certificates for the cacert.org domain are issued by the Organisation Admins below, as CAcert Inc. itself is organisationally assured.

Details

The details of the organisation account:

Organisation name: CAcert Inc.

contact email: support@cacert.org

city: Sydney

state: NSW

country: AU

comments:

Domains

Organisation Admins

Please contact them for renewal or revocation of any of the certificates listed in SystemAdministration/CertificateList.

Procedure

Client Certificates

If required for an email address that you control (e.g. email address), you can issue this yourself (assuming you are assured or an assurer). If you're stuck, ask a certificate manager.

Server Certificates

These require a CSR to be sent to a certificate manager (see above).

  1. Create a PKCS#10 format (PEM encoded) CSR (certificate signing request).
    • Quick CSR generation howto:
    • with a recent openssl version:

              $ openssl req -new -nodes -newkey rsa:4096 -keyout private.key.pem -out server.csr.pem \
                -subj '/C=AU/ST=NSW/O=CAcert Inc./CN=domainname.cacert.org' \
                -addext "subjectAltName=DNS:domainname.cacert.org,DNS:alternative.cacert.org"

    • with an ancient openssl version that does not support the -addext option:

              $ openssl req -new -nodes -newkey rsa:4096 -keyout private_key -out server.csr \
                -subj '/C=AU/ST=NSW/O=CAcert Inc./CN=domainname.cacert.org'

    • email addresses can't be included in CAcert server certificates
    • if you want to add Subject alternative names with older openssl versions you need to use a custom openssl configuration file
    • you may use other tools like the JDK keytool, certtool from GnuTLS or certutil from Mozilla's libnss3
  2. Authorization - you must be listed as an administrator for the system you are issuing a certificate for (https://selfservice.cacert.org/staff)

  3. Authentication - please issue the request from your @cacert.org email address and have it S/MIME (or less preferably OpenPGP) signed when you send the CSR to the Certificate Manager.
  4. Document the certificate in Infradocs (https://git.cacert.org/cacert-infradocs.git/); the certificate list is rendered as https://infradocs.cacert.org/certlist.html
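For the older openssl versions mentioned in step 1, a custom configuration file can carry the subject alternative names. The script below is an added example, not part of the original procedure; the file name server.csr.cnf and the function names are assumptions, and the host names are the placeholders used above.

```shell
#!/bin/sh
# Added example: CSR with subjectAltName for openssl builds without -addext.
# File and function names are assumptions; host names are placeholders.

# write_san_config CN [ALT_NAME...]: print an openssl req config on stdout.
# CN is repeated as the first DNS entry. No emailAddress field is written,
# because CAcert server certificates cannot contain email addresses.
write_san_config() {
    cn=$1; shift
    cat <<EOF
[ req ]
prompt             = no
distinguished_name = dn
req_extensions     = v3_req

[ dn ]
C  = AU
ST = NSW
O  = CAcert Inc.
CN = $cn

[ v3_req ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = $cn
EOF
    i=2
    for name in "$@"; do
        echo "DNS.$i = $name"
        i=$((i + 1))
    done
}

# make_csr CN [ALT_NAME...]: write server.csr.cnf, private.key.pem and
# server.csr.pem into the current directory, then print the CSR so the
# subject and SAN list can be checked before it is sent.
make_csr() (
    umask 077    # the private key is stored unencrypted (-nodes)
    write_san_config "$@" > server.csr.cnf
    openssl req -new -nodes -newkey rsa:4096 -config server.csr.cnf \
        -keyout private.key.pem -out server.csr.pem &&
    openssl req -in server.csr.pem -noout -text -verify
)

# Usage: make_csr domainname.cacert.org alternative.cacert.org
```

Check the "X509v3 Subject Alternative Name" line in the printed request before mailing server.csr.pem; private.key.pem stays on the server.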



SystemAdministration/Procedures/CertificateIssuing (last edited 2022-01-21 21:12:47 by JanDittberner)