Why and how to replace CAcert Class 1 and Class 3 roots

The main browsers no longer accept certificates (including self-signed root ones) signed with the MD-5 algorithm after 20161231, because MD-5 is no longer considered safe. This is also the reason for replacing the MD-5 signed CAcert root certificate with the SHA256 signed one.

This article describes:

  1. Why and how to replace the MD-5 signed CAcert Class 1 root certificate with the SHA256 signed CAcert Class 1 root
  2. Why and how to replace the intermediate CAcert Class 3 root certificate

Background

Technically, the SHA256 signed CAcert root certificate is almost identical to the MD-5 signed one. The main differences between the SHA256 signed Class 1 root and the MD-5 signed Class 1 root are as follows:

The intermediate SHA256 signed CAcert Class 3 root certificate with serial number 0A418A contains a link to the CAcert Class 1 root certificate with serial # 000000 (MD-5 signed). This could lead programs, e.g. web browsers, to download the old Class 1 certificate when assembling the certificate chain (from your certificate up to the root). Therefore it is advisable to replace the Class 3 certificate as well. The differences are as follows:

20190410: the SHA256 signed root certificates, both Class 1 and Class 3, were placed on the CAcert server (http://www.cacert.org/index.php?id=3). Their filenames for download are root_X0F (Class 1 root) and class3_X0E (intermediate Class 3 root). The hex number following "X" is the unique serial number of the certificate, thus 00000F and 00000E, respectively. CAcert users are advised to replace both older certificates (with serial numbers 000000 and 0A418A) with these new ones according to the following instructions.

20210512: the intermediate Class 3 root will expire on 20210520. The certificate was renewed and distributed. The filename for download is class3.crt; you can find it on this page as class3_X14E228.crt, as its serial number is 14E228 (hex). CAcert users are strongly recommended to replace it. In this case it is better to delete the old certificate first and then install the renewed one.

So the background for the renewed intermediate Class 3 root differs slightly:

The procedure for installing the renewed Intermediate Class 3 root

Windows 10 and apps under it

In brief: the replacement is simple and was tested on Windows 10 with the XCA utility, the Thunderbird email client, and the browsers Firefox (needs a restart afterwards), Basilisk, Palemoon and Seamonkey; others, such as Edge and Chrome, take certificates from the Windows system store.

  1. Download both SHA256 signed CAcert root files from the page http://www.cacert.org/index.php?id=3 (or possibly FAQ/NewRoots) and save them. Select the format your system or browser can use (.crt is widely used).

  2. First, delete the old Class 3 certificate (it should have the serial #0E, possibly #0A418A), then install the new Class 3 certificate (class3 or class3_X14E228). Import (install) the downloaded Class 3 root into your OS or browser (e.g. use the system utility or the browser's embedded Certificate Manager, respectively). You need not confirm its trustworthiness; it inherits it from the root. Delete all instances of the old Class 3 certificate (check their serial numbers).

  3. Notes on specific programs:
    • XCA - no problem at all; you need not delete the old Class 3, as XCA replaces it when the new one is imported.
    • Windows 10 OS - no problem, use the mmc Certificates snap-in.
    • Firefox - delete, then import, then restart the browser.
    • Basilisk and Palemoon are Firefox clones. Do the same as with Firefox, except that a restart is unnecessary.
    • Seamonkey - delete the old Class 3, then import the new one. The old one may reappear alongside the new one; if so, delete the old one again.

Linux (Ubuntu clone)

  1. Download the Class 3 root file as described above.
  2. Import it into your browsers. Every browser and the Thunderbird client seem to have their own certificate repository. As described above, first delete the old Class 3 root.
  3. Notes on specific programs:
    • Firefox & Chromium browsers, Thunderbird client - no problems.

    • Palemoon: to be able to manipulate certificates you have to switch to Secure mode (in the Help menu). After you confirm the switch, no further problems arise, except that the deleted old class3 certs come back after you import the renewed one. So, delete them once more.

Android 10

Android (v.10) is able to install *.crt files. Thus, under "Settings - Security - Advanced - Encryption & credentials - Trusted credentials - User" delete the former Class 3 root, then go one level up and under "Install from SD card" select the downloaded file class3.crt or class3_X14E228.crt (not necessarily from an SD card) and install it.

For older Android versions (below about 5), the Class 3 root will be prepared here.

The procedure for both roots (an old text)

In brief: the replacement is possible, simple, and causes no problems for either OSes or browsers. The process is as straightforward as 1-2-3:

  1. Download the files from the page http://www.cacert.org/class3.crt (later: http://www.cacert.org/index.php?id=3, or possibly FAQ/NewRoots) and save them. Select the format your system or browser can use (.crt is widely used).

  2. Import (install) the downloaded roots into your OS or browser (e.g. use the system utility or the browser's embedded Certificate Manager, respectively). Install the Class 1 certificate (root_X0F) and confirm its trustworthiness. Then install the Class 3 certificate (class3_X0E).
  3. Delete the former MD-5 signed CAcert Class 1 root. Check its serial number (000000) beforehand.
  4. Also delete the former intermediate CAcert Class 3 root. Check its serial number (0A418A) beforehand.
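Both procedures above (step 2 of the Windows/Linux Class 3 procedure and steps 3-4 here) tell you to check a certificate's serial number before deleting it. The following is an added example, not part of this wiki page or of CAcert's own tooling: a small standard-library Python script that decodes the serial number and the signature algorithm from a .crt file (PEM or DER), so you can confirm whether the certificate in front of you is the MD-5 signed root before removing it. The sample certificates it builds for itself are constructed skeletons, not real CAcert certificates; the Windows store scan uses ssl.enum_certificates, which exists only on Windows Python builds.

```python
"""Identify a CAcert root by serial number and signature algorithm (added example)."""
import base64
import re
import ssl

# Well-known PKCS#1 signature algorithm OIDs.
SIG_ALG_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}
MD5_RSA_OID = "1.2.840.113549.1.1.4"


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, content, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(content):
    """Turn DER OBJECT IDENTIFIER content bytes into dotted notation."""
    parts, num = [str(content[0] // 40), str(content[0] % 40)], 0
    for b in content[1:]:
        num = (num << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(num))
            num = 0
    return ".".join(parts)


def pem_to_der(data):
    """Accept either PEM (.crt/.pem) or raw DER bytes and return DER."""
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", data, re.S)
    return base64.b64decode(b"".join(m.group(1).split())) if m else data


def inspect_certificate(data):
    """Return the serial (hex, as certificate managers show it) and signature algorithm."""
    _, cert, _ = _read_tlv(pem_to_der(data), 0)   # Certificate ::= SEQUENCE
    _, tbs, pos = _read_tlv(cert, 0)               # tbsCertificate
    _, sig_alg, _ = _read_tlv(cert, pos)           # signatureAlgorithm
    tag, val, p = _read_tlv(tbs, 0)
    if tag == 0xA0:                                # optional [0] EXPLICIT version
        tag, val, p = _read_tlv(tbs, p)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    _, oid, _ = _read_tlv(sig_alg, 0)              # first element: algorithm OID
    dotted = _decode_oid(oid)
    return {"serial": val.hex().upper(), "sig_alg_oid": dotted,
            "sig_alg": SIG_ALG_OIDS.get(dotted, "unknown"),
            "md5_signed": dotted == MD5_RSA_OID}


def find_in_windows_store(store="ROOT", serials=("000000", "0A418A", "0E")):
    """On Windows, list certificates in a system store whose serial matches one of the
    old CAcert roots (serials compared as integers, so 00 and 000000 are equal).
    Returns [] on other platforms. A serial alone is not globally unique, so also
    confirm the issuer name in the certificate manager before deleting."""
    if not hasattr(ssl, "enum_certificates"):
        return []
    wanted = {int(s, 16) for s in serials}
    hits = []
    for der, encoding, _trust in ssl.enum_certificates(store):
        if encoding == "x509_asn":
            info = inspect_certificate(der)
            if int(info["serial"], 16) in wanted:
                hits.append(info)
    return hits


# --- constructed test data (NOT a real CAcert certificate) ---------------------
def _tlv(tag, content):
    """Encode one DER TLV (short or long form length)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _encode_oid(dotted):
    parts = [int(x) for x in dotted.split(".")]
    out = bytearray([parts[0] * 40 + parts[1]])
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.insert(0, 0x80 | (p & 0x7F))
            p >>= 7
        out += bytes(chunk)
    return bytes(out)


def build_sample_cert(serial_hex, sig_oid, pem=False):
    """Minimal, unsigned certificate skeleton holding only the fields inspect_certificate
    reads. It exists so that this example runs offline; it is not a valid certificate."""
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + b"\x05\x00")
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, bytes.fromhex(serial_hex)) + alg)
    der = _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00"))
    if not pem:
        return der
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der) + b"-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:          # e.g. python check_root.py root_X0F.crt class3_X14E228.crt
        with open(path, "rb") as f:
            print(path, inspect_certificate(f.read()))
```

Run it with the downloaded .crt files as arguments; a result with "md5_signed": True and serial 00 is the old Class 1 root the how-to says to delete, while serial 0F with sha256WithRSAEncryption is the replacement. The parser only walks the first few fields of the certificate, which is enough for this check and keeps the script dependency-free.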

It has been proven that the replacement procedure does no harm.

There is no need to change or reinstall any CAcert issued certificate, as those are already SHA256 signed. Systems (Linux, Windows) and browsers (Firefox) are still able to build the needed certificate chains.

The procedure, if roots were installed by the MSI package for MS Windows

Windows installation packages have been discontinued. These packages are no longer maintained!

If you have installed the CAcert roots using the MSI package (available from the page http://www.cacert.org/index.php?id=3), you have to uninstall them first using the same package, CAcert_Root_Certificates.msi (or the new one, CAcert_Root_Certificates_X0F_X14E228.msi). If you don't remember how the former installation was done, run the package (with X0F_X14E228 in its name). If the three standard options appear (buttons Change, Repair, Uninstall), press Uninstall. If an error dialog box appears (with no text, buttons Yes/No), press Yes.

You can also uninstall the root and intermediate certificates manually, then search for the following Registry key:

and if it exists, delete it.

After the uninstallation is done, run the new package CAcert_Root_Certificates_X0F_X14E228.msi, confirm the license agreement, and install the roots. Again, if the "Error" dialog box appears, press Yes.

The procedure for Kleopatra in Linux

The Kleopatra program deletes the root certificate together with the whole certificate chain below it. Thus, it does not allow direct substitution of the old root certificate. You need to follow this procedure:

  1. Export all the certificates issued to you to files of type <hash>.pem

  2. Delete the CAcert root certificate (MD-5 signed). That way you also delete the whole certificate chain, i.e. the CAcert Class3 certificate and all your certificates (you have backups from step 1).
  3. Import the SHA256 signed CAcert Class1 root certificate with serial number 0F (root_X0F.crt), and mark it as trusted.
  4. Import the CAcert intermediate Class3 certificate (class3_x14E228.crt).
  5. Import all the certificates issued to you, which you exported in step 1.

The similar procedure for installing the new Class 3 root:

  1. Export all the certificates issued to you to files of type <hash>.pem

  2. Delete the CAcert intermediate Class 3 root certificate with serial number 0E. At the same time, the entire chain of certificates below it will be deleted, i.e. all your certificates, whose backups you have from the first step.
  3. Import the CAcert intermediate Class3 certificate with serial number 14E228 (from the file named class3.crt, CAcert_Class3Root_x14E228.crt or class3_X14E228.crt).

  4. Import all the certificates issued to you, which you exported in step 1.

Certificates issued (signed) directly by the Class 1 root certificate are not affected by the renewal of the Class 3 certificate.


HowTo/ReplaceCAcertRootCertificate (last edited 2021-07-14 09:16:16 by AlesKastner)