(Redirected from CAcert) is a community-driven certificate authority that issues free public key certificates.[1] As of July 2016, CAcert had over 334,000 verified users and had issued over 1,285,000 certificates.[2] heavily relies on automation and therefore issues only Domain-validated certificates (and not Extended validation or Organization Validation certificates).

CAcert Inc.
TypeNonprofit organization
IndustryCertificate authority
Founded24 July 2003 (24 July 2003)
FounderDuane Groth
Area served

These certificates can be used to digitally sign and encrypt email, to authenticate and authorize user connections to websites, and to secure transmissions over the Internet. Applications that support (SSL) can use certificates signed by CAcert, as can applications that use X.509 certificates, e.g. to encrypt or to sign code and documents.

CAcert Inc. AssociationEdit

On 24 July 2003, Duane Groth incorporated CAcert Inc. as an non-profit association registered[3] in New South Wales (Australia). CAcert Inc runs -- a community-driven certificate authority.

In 2004, the Dutch Internet pioneer Teus Hagen became involved. He served as board member and, in 2008, as president.[4]

Certificate Trust statusEdit

As of 2020, most browsers, email clients, and operating systems don't automatically trust certificates issued by CAcert. Thus, users receive a "untrusted certificate" warning upon trying to view a website that has TLS certificate issued by CAcert, or view emails signed with CAcert certificates in Microsoft Outlook, Mozilla Thunderbird.

CAcert uses its own certificate on its website.

Web BrowsersEdit

Netscape NavigatorEdit

The convention of including a list of CAs in the browser was established with Netscape Navigator v.3.0.[5] It was 1996, the dawn of the first browser war, and little emphasis was put on the security implications of making such a list. The key concern was the users' ability to quickly access secured web pages, almost irrespectively of the signing CA.[6]

Mozilla FirefoxEdit

Discussion for inclusion of its root certificate in Mozilla and derivatives (such as Mozilla Firefox) started in 2004. Mozilla had no CA certificate policy at the time. Eventually, they developed a policy which required that CAcert improved their management system and deepened their formal verifications, auditing in particular. In April 2007, CAcert withdrew its application for inclusion in Mozilla root program.[7] Progress toward Mozilla requirements and a new request for inclusion can hardly be expected in the near future.[7] At the same time, the CA/Browser Forum was established to allow peaceful discussion among browser producers. Mozilla's advice was adopted, and, in addition, Extended Validation Certificates began to be issued.

Operating systemsEdit

FreeBSD included CAcert's root certificate but removed it in 2008, following Mozilla's policy.[8] In 2014, CAcert removed from Ubuntu,[9] Debian,[10] and OpenBSD[11] root stores. In 2018, CAcert was removed from Arch Linux.[12]

The following operating systems or distributions include the CAcert root certificate, or have it available in an installable package:[13]

Web of trustEdit

To create higher-trust certificates, users can participate in a web of trust system whereby users physically meet and verify each other's identities. CAcert maintains the number of assurance points for each account. Assurance points can be gained through various means, primarily by having one's identity physically verified by users classified as "Assurers".

Having more assurance points allows users more privileges such as writing a name in the certificate and longer expiration times on certificates. A user with at least 100 assurance points is a Prospective Assurer, and may—after passing an Assurer Challenge[15]—verify other users; more assurance points allow the Assurer to assign more assurance points to others.

CAcert sponsors key signing parties, especially at big events such as CeBIT and FOSDEM.

As of 2020, CAcert's web of trust has over 378,000 verified users.[2]

Root certificate descriptionsEdit

Since October 2005, CAcert offers Class 1 and Class 3 root certificates. Class 3 is a high-security subset of Class 1.[16]

See alsoEdit


  1. ^ "FAQ/AboutUs - CAcert Wiki". Retrieved September 24, 2019. CS1 maint: discouraged parameter (link)
  2. ^ a b "Welcome to". Retrieved September 24, 2019. CS1 maint: discouraged parameter (link)
  3. ^ "CAcertInc - CAcert Wiki". Retrieved September 24, 2019. CS1 maint: discouraged parameter (link)
  4. ^ "NLnet; Teus Hagen". Retrieved September 24, 2019. CS1 maint: discouraged parameter (link)
  5. ^ Simson Garfinkel; Gene Spafford (2002). Web Security, Privacy & Commerce. O'Reilly Media, Inc. ISBN 9780596000455. Netscape Navigator Version 3.0 came preloaded with certificates for 16 CAs at 11 companies (AT&T, BBN, Canada Post Corporation, CommerceNet, GTE CyberTrust, Keywitness, MCI Mail, RSA, Thawte, U.S. Postal Service, and Verisign.)
  6. ^ "Netscape Navigator 3.0 reviewer's guide". 1996. Archived from the original on 30 December 1996. Retrieved 22 February 2017. Netscape Navigator allows you to connect to server sites whose certificates have been signed by unknown certifying authorities (CAs)
  7. ^ a b "215243 - CAcert root cert inclusion into browser". Retrieved September 24, 2019. CS1 maint: discouraged parameter (link)
  8. ^ FreeBSD Security Officer (29 June 2008). "ca-roots". FreshPorts. Retrieved 16 December 2013. The ca_root_ns port basically makes no guarantees other than that the certificates comes from the Mozilla project. CS1 maint: discouraged parameter (link)
  9. ^ Luke Faraone (5 December 2013). "CAcert should not be trusted by default". Ubuntu Launchpad Bug report logs. Retrieved 14 March 2014. CS1 maint: discouraged parameter (link)
  10. ^ Jake Edge (March 18, 2014). "Debian and CAcert".
  11. ^ Henderson, Stuart (9 April 2014). "CVS: src". openbsd-cvs (Mailing list). Retrieved 8 September 2019 – via MARC. CS1 maint: discouraged parameter (link)
  12. ^ "FS#59690 : [ca-certificates] Reconsider CAcert inclusion". Retrieved September 24, 2019. CS1 maint: discouraged parameter (link)
  13. ^ "CAcert inclusion status page". Archived from the original on 2009-08-26. Retrieved 2007-01-04.
  14. ^ "Debian -- Details of package ca-cacert in sid". Retrieved 1 January 2016. CS1 maint: discouraged parameter (link)
  15. ^ Assurance Policy, section 2.3.
  16. ^ "FAQ/TechnicalQuestions - CAcert Wiki". Retrieved September 24, 2019. CS1 maint: discouraged parameter (link)