CAcert.org is a community-driven certificate authority that issues free X.509 public key certificates. CAcert.org heavily relies on automation and therefore issues only domain-validated certificates (and not Extended Validation or Organization Validation certificates). These certificates can be used to digitally sign and encrypt email, code, and documents, and to authenticate and authorize user connections to websites via TLS/SSL.


CAcert Inc. Association

On 24 July 2003, Duane Groth incorporated CAcert Inc. as a non-profit association registered in New South Wales, Australia. CAcert Inc. runs CAcert.org, a community-driven certificate authority. In 2004, the Dutch Internet pioneer Teus Hagen became involved. He served as board member and, in 2008, as president.


Certificate Trust status

A disadvantage of CAcert.org is that its root certificates are not included in the most widely deployed certificate stores, so they have to be added by its customers. As of 2021, most browsers, email clients, and operating systems do not automatically trust certificates issued by CAcert. Thus, users receive an "untrusted certificate" warning when they try to view a website that presents an X.509 certificate issued by CAcert, or when they view emails authenticated with CAcert certificates in Microsoft Outlook, Mozilla Thunderbird, etc. CAcert uses its own certificate on its website.


Web browsers

Discussion of including the CAcert root certificate in the Mozilla Application Suite and Mozilla Firefox started in 2004. Mozilla had no CA certificate policy at the time. Eventually, Mozilla developed a policy which required CAcert to improve its management system and conduct audits. In April 2007, CAcert formally withdrew its application for inclusion in the Mozilla root program. At the same time, the CA/Browser Forum was established to facilitate communication among browser vendors and certificate authorities. Mozilla's advice was incorporated into the "Baseline Requirements" used by most major browser vendors. Progress toward meeting the Mozilla and "Baseline Requirements" criteria, and a new request for inclusion, can hardly be expected in the near future.


Operating systems

FreeBSD included CAcert's root certificate but removed it in 2008, following Mozilla's policy. In 2014, CAcert was removed from the Ubuntu, Debian, and OpenBSD root stores. In 2018, CAcert was removed from Arch Linux.

As of Feb 2022, the following operating systems or distributions include the CAcert root certificate by default:

* Arch Linux
* FreeWRT
* Gentoo (app-misc/ca-certificates only when USE flag cacert is set, defaults OFF from version 20161102.3.27.2-r2)
* GRML
* Knoppix
* Mandriva Linux
* MirOS BSD
* Openfire
* Privatix
* Replicant (Android)

As of 2021, the following operating systems or distributions have an optional package with the CAcert root certificate:

* Debian
* openSUSE


Web of trust

To create higher-trust certificates, users can participate in a web of trust system whereby users physically meet and verify each other's identities. CAcert maintains the number of assurance points for each account. Assurance points can be gained through various means, primarily by having one's identity physically verified by users classified as "Assurers". Having more assurance points allows users more privileges, such as writing a name in the certificate and longer expiration times on certificates. A user with at least 100 assurance points is a Prospective Assurer, and may, after passing an Assurer Challenge (Assurance Policy, section 2.3), verify other users; more assurance points allow the Assurer to assign more assurance points to others. CAcert sponsors key signing parties, especially at big events such as CeBIT and FOSDEM. As of 2021, CAcert's web of trust has over 380,000 verified users.


Root certificate descriptions

Since October 2005, CAcert has offered Class 1 and Class 3 root certificates. Class 3 is a high-security subset of Class 1.


See also

* Let's Encrypt

CAcert wiki

