Technical FAQ

Getting Certs or Signatures

Client, Server, and Network - Problems and Configuration


I am getting prompted that your site SSL certificate cannot be validated.

Did you import the CAcert Root Certificate into your browser?

See and How to import CAcert roots into browser clients

CAcert Class 3 certificates

Why ?

As of october 18th 2005, CAcert has started to offer Class 3 certificates.

The reason for the Class 3 certificates is because some software developers & admins don't like the idea of having verified & unverified certificates on the same ground, and while we're aware of the fact other companies already in the mainstream browsers are issuing certificates under the same or worst circumstances, we're the ones being asked to be better net citizens... !

So, we improve the trust in the certificate we provide.

What is the difference between Class 1 and Class 3 Certificates

The class 3 root certificate is the high-security subset of the CAcert class 1 root certificate.

Class 1 is the 'normal' and older root certificate of CAcert. It inculdes both, low security and high security certificates. As it might not be possible to get the class 1 certificate included into some browsers or distributions (see InclusionStatus), the Class 3 certificate was introduced. The Class 3 root certificate includes only high security certificates and is a subset of the Class 1 certificate.

In general: The class 3 will probably be integrated into more browsers and distributions in the future, whereas the class 1 certificate probably works with more and especially older browsers.

Using Class 3 certificates

Using Class 3 certificates with Apache is identical to using Class 1 certificates. Just associate your server certificate issues by CAcert with your (virtual) host by using the SSLCertificateFile directive. You don't have to specify the CA certificate in Apache unless you would like to verify client certificates signed with the CA's key.

To make it absolute clear: If you specify the CA certificate in Apache, Apache won't send the CA certificate with the server's certificate in response to client connects, because that would't make any sense at all. Imagine what it would mean if Apache did that: Someone you don't know gives you a written statement from someone you don't know either, telling you "Yes, it's true, he is the one claiming to be."

How it really works is like this: You have to have the CA certificate already imported into your web browser. By importing it you declare that you trust the CA to properly certify users or servers. Now, if you connect to a website, the website replies with its server certificate. Your browser detects that this certificate has been signed by a trusted CA, and therefore trusts the server certificate to be valid.

So, to repeat, you need to include the SSLCACertificateFile in Apache only if you want Apache to verify client certificates, using the specified CA certificate.

Example for Apache 1.x mod_ssl:

# Your certificate file
SSLCertificateFile /etc/apache/ssl.crt/
# Your key file
SSLCertificateKeyFile /etc/apache/ssl.key/
# Cacert's root certificate for class 3; needed only to verify client certificates
SSLCACertificateFile /etc/apache/ssl.crt/

The file should contain the pem version of the class 3 Root certificate ( )

Why a CAcert-signed certificate better than a self-signed?

Even though we're not included by default in main stream browsers a number of linux distributions are already including us in their builds of Mozilla and other browsers/email clients.

If you had 100 websites configured with 100 self-signed certificates you would need to import all of them into your browser, where as using a CA issued model of root cert -> server certs (regardless if you use our site or do your own thing) will only require you to import 1 certificate to have those 100 sites all trusted as well by your browser. This isn't taking into account all the earlier adopters that have also imported our root cert on their computers and entire office networks via active directory, there are supposed to be a couple of 20,000+ seat networks being setup to use CAcert certs internally instead of running their own internal CA.

Finally self-signed provides no 3rd party verification, so you can easily issue a self signed certificate for "" but unless you have access to RFC style email addresses our system wouldn't allow you to do that.

So while on the surface the browser will nag either way there is actually some benefits by having as many people as possible importing the root cert as well, since the more people that have it installed, the more useful it becomes and around and around we go.

How can I export/ backup the certificate authority root certs from Mozilla?

You can't.

The current Mozilla backup function is for your own certs - the one for which you have a key, in PKCS#12 format. You don't have the key to the root certs by definition, so you can't back them up to PKCS#12. Some root certs may be included in your PKCS#12 file if you back up one of your own certs, as the entire cert chain will be backed up.

To back up third party certs such as root certs, there would need to be a PKCS#7 backup function.

(From: netscape.public.mozilla.crypto - Julien Pierre)

What do I need to get a code-signing cert?

For code signing you need to be an Assurer. Then you have to send an email to support #at# to ask to activate Code-Signing for your account. Please see CodesigningCert for further details.

How can do I request a server certificate?

[Q] I'm trying to figure out what exactly I'm supposed to do to request a server certificate. I was able to successfully create an account for myself to get personal email certificates, but there doesn't appear to be a corresponding part of the site for server certificates. The page that describes the "Server Certificate Programme" doesn't say anything about how I submit an application. Should I attach the csr that I generated to an email and send it to support? Is there some other email address that I should use?

[A] After logging in to the main web page you have a menu bar on the right hand. It contains "Domains" as well as "Server Certificates" menu entries (both having a "new" and a "view" sub menu). You first need to proof that you own the domain or are authorized to manage it (this is done by entering the domain and then selecting one of the offcial email contacts of the domain). Once you have received and answered the mail to the domain contact the domain will show up as "verified" in your list. In the next step you go to the "Server Certificates" menu and request a Cert by uploading a CSR. The CSR must contain valid CommonName (CN) and optional subjectAltName= entries (matching the domains you proofed before). All other attributes are removed.

Is the Source Code for available

Yes, it is. Have a look at


Structure of Roots

The structure of the G1 roots is, as taken from the wip CPS:

CAcert currently operates 2 roots known as the "Class 3" and "Class 1" roots:

The Class 3 root is signed by the Class 1 root (the former is a sub-certificate of the latter, hence the Class 3 root is technically an intermediate certificate of the Class 1 root).

Relying parties can decide to trust only certificates for Assured Members (by selecting the Class 3 root for Assured Members as trust anchor), or all certificates (by selecting the Class 1 root for unassured Members as trust anchor). Assured Members have the option of using the Class 1 root but this facility is intended for compatibility rather than as a feature in its own right.

  Class 1 ------> Class 3
   Root           Root
    |              |
    |              |
    |              |
   \|/            \|/
Anonymous       Assured
Certificate    Certificate

CAcert is currently preparing to create new roots. Join the discussion on how at Roots/Structure and Roots/NewRootsTaskForce.

FAQ/TechnicalQuestions (last edited 2016-05-06 17:03:57 by AlesKastner)