The system documentation is currently being rewritten in a new system that builds HTML from reStructuredText/Sphinx sources.

The Git repository is at

The generated documentation is published to

Instructions on how to work on the new documentation are available at

For some more background information see the mailing list thread at

System Administration

The System Administration team is responsible for operation and maintenance of the servers and services provided by CAcert.

Talking to us


See also: SystemAdministration/Team

Infrastructure team

We are always looking for new System Administrators! To see what's going on, join the Sysadm Maillist. If you have specific questions or want to know how to help, post there.

The (non-critical) infrastructure is based on Debian GNU/Linux, mainly running in LXC containers on two physical machines, and is configured using Puppet from a Git repository. Current documentation is built using Sphinx on our Jenkins CI server. We use Icinga 2 for monitoring.

If you want to help with infrastructure administration, you need some knowledge of at least Git and should be willing to learn Puppet and Sphinx. Knowledge of Nagios checks or Icinga 2 would be a nice addition.

We have some old systems that are not yet managed by Puppet and that use outdated OS versions. Getting these systems and the software running on them up to date and managed by Puppet would be a great help. There are a lot of open TODO items in our documentation that require work or investigation, and we have some issues in the "Infrastructure" project of the CAcert bug tracker.

Jan Dittberner currently leads the team.

Critical Servers team

People marked (BIT) above are listed on the Firewall/OS Access list in Appendix B, MoU with secure-u. These people are able to get direct physical (console) access to the machines with secure-u assistance under SecurityManual.

You can send encrypted e-mail to the critical server team by importing this certificate into your e-mail client and using S/MIME encryption. For verification purposes we include the decoded certificate header here:

        Version: 3 (0x2)
        Serial Number: 159760 (0x27010)
    Signature Algorithm: sha512WithRSAEncryption
        Issuer: O=CAcert Inc., OU=, CN=CAcert Class 3 Root
            Not Before: Jul 25 08:35:21 2015 GMT
            Not After : Jul 24 08:35:21 2016 GMT
        Subject: C=AU, ST=NSW, L=Sydney, O=CAcert Inc., OU=Critical System Administrators, CN=Critical System Administrators/

Access Engineers Team

Access Engineers provide physical gate-keeping to the BIT facility. They have to be present for all direct access by Critical admins. They are listed on the Firewall/Site Access list in Appendix B, MoU with secure-u.


List of Guides:

List of Procedures:



List of Systems:

  1. CategoryCommunication
  2. CategorySystems
  3. DebianVulnerabilityHandling
  4. DebianVulnerabilityHandling/CZ
  5. DisasterRecovery
  6. EmailListsOverview
  7. IPv6
  8. IPv6/CZ
  9. InfrastructureReDesign
  10. OcspResponder
  11. OcspResponder/CZ
  12. SecurityManual
  13. SecurityManual/CZ
  14. Software/Assessment/testserver
  15. Software/Assessment/testserver/CZ
  16. Software/Assessment/testserver/setup
  17. Software/DevelopmentWorkflow
  18. Software/Webdb
  19. Software/Webdb/Maintenance/AddNewRoots
  20. Software/Webdb/Maintenance/DatabaseUpgrades
  21. SuggestKeySizes
  22. SuggestKeySizes/CZ
  23. SystemAdministration
  24. SystemAdministration/AdminCandidates
  25. SystemAdministration/CableIndex
  26. SystemAdministration/CertificateList
  27. SystemAdministration/EmergencyLogs
  28. SystemAdministration/EquipmentList
  29. SystemAdministration/IPList
  30. SystemAdministration/InfrastructureHost
  31. SystemAdministration/InfrastructureHost/MinimalistHostingAgreement
  32. SystemAdministration/Procedures
  33. SystemAdministration/Procedures/DNSChanges
  34. SystemAdministration/Procedures/SoftwarePatches
  35. SystemAdministration/SshHostKeyList
  36. SystemAdministration/Systems
  37. SystemAdministration/Systems/Archive
  38. SystemAdministration/Systems/Cisco1_and_2
  39. SystemAdministration/Systems/Community
  40. SystemAdministration/Systems/Development
  41. SystemAdministration/Systems/Development/Prepare
  42. SystemAdministration/Systems/Hopper
  43. SystemAdministration/Systems/Infra01
  44. SystemAdministration/Systems/Logger
  45. SystemAdministration/Systems/Ns
  46. SystemAdministration/Systems/Ocsp
  47. SystemAdministration/Systems/SLS
  48. SystemAdministration/Systems/Signer
  49. SystemAdministration/Systems/Sun1
  50. SystemAdministration/Systems/Sun2
  51. SystemAdministration/Systems/Sun3
  52. SystemAdministration/Systems/Sun4
  53. SystemAdministration/Systems/Test
  54. SystemAdministration/Systems/Translingo
  55. SystemAdministration/Systems/Webdb
  56. SystemAdministration/Systems/Wiki
  57. SystemAdministration/Systems/Wiki/update201009
  58. SystemAdministration/Systems/ca-mgr1-test
  59. SystemAdministration/Systems/cacert2-test
  60. SystemAdministration/Systems/fiddle
  61. SystemAdministration/Systems/git
  62. SystemAdministration/Systems/template
  63. SystemAdministration/Team
  64. Technology/Laboratory/Hardware/InfrastructureHost/Infra-redevelopment-plan
  65. Technology/Laboratory/Hardware/InfrastructureHost/Vienna1
  66. Twitter
  67. Twitter/CZ
  68. WeakKeys
  69. WeakKeys/CZ
  70. WeakKeys/SmallExponent
  71. WeakKeys/SmallExponent/CZ
  72. WeakKeys/SmallKey
  73. WeakKeys/SmallKey/CZ
  74. comma/Arsenal/IRC
  75. comma/Arsenal/IRC/improvement


How to become team member

Critical Roles

SP says that the board has to approve ABC'd roles:

The board or t/l has to start the process by filing a dispute for ABC over the new candidate.

Non-critical roles

Please contact the Non-Critical-Infrastructure t/l

e.g. for becoming

The non-critical t/l will check the candidates and provide the access.

SystemAdministration (last edited 2023-06-04 17:15:25 by JanDittberner)