New and archived (obsoleted) CAcert Roots

New Root Certificates

Because they are nowadays actively disabled by operating systems and applications, older MD5 signed certificates are not of any help to access a website with HTTPS. As a rule of thumb, this is generally by now a poor idea to download and install any certificate with "MD5" labelled on it. Deprecation of MD5 algorithm for PKI purposes started in 2011; since the end of 2016, MD5 cannot be used at all for X.509 operations.

In order to address this challenge, CAcert re-signed its Root CA and Class 3 Root certificates, with the modern and secure SHA256 hash function. CAcert's Root SHA256-signed certificates remained otherwise unchanged (same keys, same validity period), exceptions being an updated serial number and the new signature. They are fully compatible with all certificates issued by CAcert previously.

20190410: the SHA256 signed root certificates, both Class 1 and Class 3, were placed to the CAcert operating server ( Their filenames for download are: root_X0F (Class 1 root) and class3_X0E (intermediate Class 3 root). The hex. number following "X" is the unique serial number of the certificate, thus 00000F and 00000E, respectively. CAcert users are advised to substitute both older certificates (with serial numbers 000000 and 0A418A) with these new ones.

This page also gives here below access to "refreshed" SHA256-signed Class 1 root certificate (#00000F), which replaces the old Class 1 root certificate MD5-signed (#000000). Please use the "refreshed" SHA256-signed Class 1 root certificate definitely since 2018-01-01. This page also offers access to the new intermediate Class 3 root certificate (#00000E) replacing the old intermediate Class 3 root (#0A418A). You can find an explanation and the procedure here.

New CAcert roots prepared for Android systems

FAQ/NewRoots (last edited 2020-01-05 18:13:51 by AlesKastner)