This article has multiple issues. Please help improve it or discuss these issues on the talk page. (Learn how and when to remove these template messages)
|Founded||24 July 2003|
CAcert.org is a community-driven certificate authority that issues free X.509 public key certificates. CAcert.org heavily relies on automation and therefore issues only Domain-validated certificates (and not Extended validation or Organization Validation certificates).
CAcert Inc. Association
Certificate Trust status
A disadvantage of CAcert.org is, that its root certificates are not included in the most widely deployed certificate stores and it has to be added by its customers. As of 2021, most browsers, email clients, and operating systems don't automatically trust certificates issued by CAcert. Thus, users receive an "untrusted certificate" warning upon trying to view a website providing X.509 certificate issued by CAcert, or view emails authenticated with CAcert certificates in Microsoft Outlook, Mozilla Thunderbird etc.,. CAcert uses its own certificate on its website.
Discussion for inclusion of CAcert root certificate in Mozilla Application Suite and Mozilla Firefox started in 2004. Mozilla had no CA certificate policy at the time. Eventually, Mozilla developed a policy which required CAcert to improve their management system and conduct audits. In April 2007, CAcert formally withdrew its application for inclusion in Mozilla root program. At the same time, the CA/Browser Forum was established to facilitate communication among browser vendors and Certificate Authorities. Mozilla's advice was incorporated into "Baseline Requirements" used by most major browser vendors. Progress toward meeting Mozilla and "Baseline Requirements" requirements and a new request for inclusion can hardly be expected in the near future.
FreeBSD included CAcert's root certificate but removed it in 2008, following Mozilla's policy. In 2014, CAcert was removed from Ubuntu, Debian, and OpenBSD root stores. In 2018, CAcert was removed from Arch Linux.
As of Feb 2022, the following operating systems or distributions include the CAcert root certificate by default:
- Arch Linux
- Ark Linux
- Gentoo (app-misc/ca-certificates only when USE flag cacert is set, defaults OFF from version 20161126.96.36.199-r2 )
- Mandriva Linux
- MirOS BSD
- Replicant (Android)
As of 2021, the following operating systems or distributions have an optional package with the CAcert root certificate:
Web of trust
To create higher-trust certificates, users can participate in a web of trust system whereby users physically meet and verify each other's identities.  CAcert maintains the number of assurance points for each account. Assurance points can be gained through various means, primarily by having one's identity physically verified by users classified as "Assurers".
Having more assurance points allows users more privileges such as writing a name in the certificate and longer expiration times on certificates. A user with at least 100 assurance points is a Prospective Assurer, and may—after passing an Assurer Challenge—verify other users; more assurance points allow the Assurer to assign more assurance points to others.
As of 2021, CAcert's web of trust has over 380,000 verified users.
Root certificate descriptions
Since October 2005, CAcert offers Class 1 and Class 3 root certificates. Class 3 is a high-security subset of Class 1.
- Smith, Curtis (25 September 2006). Pro Open Source Mail: building an enterprise mail solution. Berkeley, Calif.: Apress. p. 132. ISBN 978-1-59059-598-5. OCLC 255341703.
- Herong, Yang (2020). PKI Tutorials - Herong's Tutorial Examples. Durham, NC.
- "FAQ/AboutUs - CAcert Wiki". wiki.cacert.org. Retrieved September 24, 2019.
- "CAcertInc - CAcert Wiki". wiki.cacert.org. Retrieved September 24, 2019.
- "NLnet; Teus Hagen". nlnet.nl. Retrieved September 24, 2019.
- Oppliger, Rolf (2014). Secure Messaging on the Internet. Boston/London: Artech House. p. 171. ISBN 978-1-60807718-2. OCLC 9227277768.
- Turnbull, James; Matotek, Dennis; Lieverdink, Peter (2009). Pro Linux System Administration. Apress. p. 474. ISBN 978-1-43021913-2.
- "215243 - CAcert root cert inclusion into browser". bugzilla.mozilla.org. Retrieved September 24, 2019.
- FreeBSD Security Officer (29 June 2008). "ca-roots". FreshPorts. Retrieved 16 December 2013.
The ca_root_ns port basically makes no guarantees other than that the certificates comes from the Mozilla project.
- Luke Faraone (5 December 2013). "CAcert should not be trusted by default". Ubuntu Launchpad Bug report logs. Retrieved 14 March 2014.
- Jake Edge (March 18, 2014). "Debian and CAcert". LWN.net.
- Henderson, Stuart (9 April 2014). "CVS: cvs.openbsd.org: src". openbsd-cvs (Mailing list). Retrieved 8 September 2019 – via MARC.
- "FS#59690 : [ca-certificates] Reconsider CAcert inclusion". bugs.archlinux.org. Retrieved September 24, 2019.
- "CAcert inclusion status page". cacert.org. Archived from the original on 2021-05-08. Retrieved 2021-04-24.
- "Debian -- Details of package ca-cacert in sid". Retrieved 1 January 2016.
- Butcher, Matt (2007). Mastering OpenLDAP: Configuring, Securing, and Integrating Directory Services. Birmingham, UK: Packt Publishing. ISBN 978-1-84719103-8. OCLC 488331349.
- Burns, Bryan; Killion, Dave; Beauchesne, Nicolas (2007). Security Power Tools. O'Reilly Media. p. 512. ISBN 978-059655481-1.
- Assurance Policy, section 2.3.
- "Welcome to CAcert.org". www.cacert.org. Archived from the original on 2005-02-04. Retrieved April 24, 2021.
- "FAQ/TechnicalQuestions - CAcert Wiki". wiki.cacert.org. Retrieved September 24, 2019.