
Add the CAcert Root Certificate

What is CAcert?

CAcert is a non-profit certificate authority (or CA for short) where you can - once your identity is verified to a sufficient degree by the web of trusted users - issue free SSL certificates for your webservers. However, SSL certificates only work without warning messages if the root certificate of the CA which issued them is known to the client. At the time of writing this is not yet the case for mainstream clients such as Firefox. But this should change in the future as CAcert is currently undergoing a serious audit needed for inclusion into mainstream clients. Until then, here's how to add the root certificate manually.

Adding the Root Certificate

There is one crucial step when adding root certificates manually: You must be absolutely sure that the root certificate is authentic by comparing fingerprints and certificate metadata such as the owner with those posted - in this case - on the official CAcert Wiki.

Firefox 3

  1. Browse with Firefox 3 to the CAcert Wiki.
  2. Click on "Class 3 PKI Key, Intermediate Certificate (PEM Format)".
  3. Click the "View" button and verify the fingerprints and owner.
  4. Select all "Trust this CA to ..." checkboxes and click "OK".

Mac OS X 10.5.x

  1. Browse to the CAcert Wiki.
  2. Click on "Class 3 PKI Key, Intermediate Certificate (PEM Format)".
  3. Drag the certificate onto the Keychain application.
  4. Click the "View Certificates" button, then click "Details" and verify the fingerprints and owner.
  5. Select "System" to install the certificate system-wide and click "OK".

Gentoo Linux

cd /etc/ssl/certs
curl >import.der
openssl sha1 import.der                         ### VERIFY THE SHA1 FINGERPRINT ###
openssl md5 import.der                          ### VERIFY THE MD5  FINGERPRINT ###
openssl x509 -text -inform der -in import.der   ### VERIFY THE OWNER            ###
openssl x509 -in import.der -inform der -out CAcert_Class_3_Root_CA.pem -outform pem
rm import.der
c_rehash .
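
The commands above print the fingerprints and leave the comparison to the eye. The following script is an added example, not part of the original article: it compares the SHA1 and MD5 digests of the downloaded DER file against the values you copy from the CAcert Wiki and writes the PEM file only when both match. The function names, the script name verify_import.sh and the four-argument calling convention are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the article). Fingerprints are supplied by the
# operator from the CAcert Wiki; none are hard-coded here.

# Strip colons and whitespace and lowercase, so "A9:99:..." and "a999..." compare equal.
fp_normalize() {
    printf '%s' "$1" | tr -d ': \n' | tr 'A-F' 'a-f'
}

# Digest of a file as bare lowercase hex. Over a DER-encoded certificate
# this is the fingerprint that certificate viewers display.
fp_of_file() {   # $1 = sha1|md5, $2 = file
    case "$1" in
        sha1) fp_out=$(sha1sum < "$2") || return 1 ;;
        md5)  fp_out=$(md5sum < "$2") || return 1 ;;
        *)    return 2 ;;
    esac
    printf '%s' "${fp_out%% *}"
}

# True only if the file's digest equals the published value.
# An empty expected value never matches.
fp_matches() {   # $1 = algorithm, $2 = file, $3 = published fingerprint
    fp_actual=$(fp_of_file "$1" "$2") || return 1
    fp_expected=$(fp_normalize "$3")
    [ -n "$fp_expected" ] && [ "$fp_actual" = "$fp_expected" ]
}

# Convert DER to PEM only after both fingerprints match; on a mismatch
# nothing is written to the trust directory.
install_if_verified() {   # $1 = DER file, $2 = SHA1, $3 = MD5, $4 = PEM output
    fp_matches sha1 "$1" "$2" || { echo "SHA1 mismatch, not installing" >&2; return 1; }
    fp_matches md5  "$1" "$3" || { echo "MD5 mismatch, not installing" >&2; return 1; }
    openssl x509 -in "$1" -inform der -out "$4" -outform pem
}

# Usage: sh verify_import.sh import.der <SHA1> <MD5> CAcert_Class_3_Root_CA.pem
if [ "$#" -eq 4 ]; then
    install_if_verified "$@" && c_rehash "$(dirname "$4")"
fi
```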

Other Clients

See the CAcert Wiki for more.

(Sven Schwyn)


Jason Sjöbeck said on Wednesday, September 02, 2009:

Thanks for the nice article. I know that the “title” of this article refers to Gentoo, but RHEL (and CentOS) does not use that directory; it uses /etc/pki/



TK said on Monday, October 31, 2011:

Thanks! Good that you stress to compare the fingerprints!
