I cannot create or renew my certificate, because it hangs

The symptoms

A typical message from an user:

"Certificate renewal in state 'pending' for days. How to remove/renew then? Thanks."

The reason

The reason is, that these operations were deliberately ceased for the certificates which should be signed with the main CAcert root, i.e. Class 1 Root.

The creation of a new certificate, and the renewal, work for the certificates signed with the intermediate CAcert root, i.e. Class 3 Root.

Unfortunately, an user can create/renew the certificate signed with Class 3 Root, only if s/he has 50+ Assurance Points.

More information

If you look at the serial # of your certificate, and its value is equal or exceeds 1000000 hex, than this one was signed by the Class 1 Root.

The issuing and renewing of such certificates was ceased and should be prohibited forever.

The reason:

A new rule was created for Certificate Authorities, that no certificate can be issued using the signing with the main CA's root. At CAcert, such main certificate is called "Class 1 Root" (PKI key Class 1 on the Roots page https://www.cacert.org/index.php?id=3).

The intermediate root certificates must be created and used for issuing certificates for users.

All new certificates should be issued as signed by the intermediate root, which at CAcert is called "Class 3 Root" (PKI key Class 3 on the Roots page https://www.cacert.org/index.php?id=3).

Unfortunately, the existing CAcert's policy performs issuing such certificates only for users having 50+ Assurance Points (APs). You can read about the 50+ APs benefits here:


How to reach 50+ APs

It is possible using about 2 to 3 assurances. Please use the Assurer location search:


after log in to your account.

Then arrange 2 to 3 "face to face" appointments with 2 to 3 assurers found. An assurer can give you 10 to 35 APs. After you reach 50+ APs, you can create a new certificate signed by the Class 3 Root, which e.g. lasts much longer than the recent one.

The renewal of old certificates, which were signed with the Class 1 Root, is not possible.

All the functions for certificates signed with Class 3 Root (with the serial # < 100000hex) work fine.


FAQ/CertCreationRenewalStucks (last edited 2024-02-01 14:43:17 by AlesKastner)