Contents of the Roots
Comparison between the content of the root certificates generated in 2003, 2008, 2014, 2023, and 2024 (tbd). See Roots/ContentsDiscussion for the evolving debate on all questions; see Roots/Structure for the hierarchy of all roots.
Layout
CAcert Main Root (PKI Class 1 Key, Class 1 Root)
Technical Layout
| Field | 2003 | 2008 | 2014 | 2023 | tbd | comments |
| Version | version 3 | Required, no problems |
| serialNumber | 0,1 | 2,3,4 (,5,6) | 2,3,4 (,5,6) | F,E,& see Notes | 63(+1) bits, random | Needs to be unique within space of DN (somewhat undefined, probably CN). same as SKID? Recent & former size is 24 bits |
| subjectKeyIdentifier | "hash" == sha1(own public key) | non-critical extension, obligatory. See RFC 5280 for format & contents. |
| authorityKeyIdentifier | "hash" == sha1(signing public key), or the signing key's sKID. | non-critical extension, obligatory. See RFC 5280 for format & contents. |
| Validity | 2033 | 2038 | 2034 | 2033 | 2044 (2024+20) | Reduced validity from 30 to 20 years to ensure cryptographic sanity |
| Cryptographic algorithms | | |
| Signature Algorithm | MD5 with RSA Encryption (1.2.840.113549.1.1.4) | SHA-1 with RSA Encryption (1.2.840.113549.1.1.5) | SHA-256 with RSA Encryption (1.2.840.113549.1.1.11) | SHA-256 with RSA Encryption (1.2.840.113549.1.1.11) | SHA-512 with RSA Encryption (1.2.840.113549.1.1.13) ??? | |
| PK Type | MD5 with RSA Encryption (1.2.840.113549.1.1.4) | SHA-1 with RSA Encryption (1.2.840.113549.1.1.5) | SHA-256 with RSA Encryption (1.2.840.113549.1.1.11) | SHA-256 with RSA Encryption (1.2.840.113549.1.1.11) | SHA-512 with RSA Encryption (1.2.840.113549.1.1.13) ??? | Recently issued roots expiring out to 2040 use SHA-1+RSA (???). Windows-XP does not support (roots with) SHA2 until SP3 (???) |
| Size | 4096 bits | 4096 bits | 4096 bits | 4096 bits | ??? | good for 30 years, see BlueKrypt |
| Format | PKCS1 | standard. |
| Hash | MD5 | SHA1 | SHA-256 | SHA-256 | SHA-512 ??? | |
| basicConstraints | Critical | Critical Basic Constraints extension. |
| cA | true | Is a Certification Authority |
| pathLen | 3 | 3 | none | 3 | Max. length of chain between root and leaf (optional field). Why is it "none" ? | |
| keyUsage | keyCertSign and cRLSign only | Critical Extension, obligatory for roots. bits 5, 6 to be set. EV-G-AppB concurs. |
| CRL Distribution Points | Full Name: URI:http://crl.cacert.org/revoke.crl | OID=1.3.6.1.4.1.3375.2.2.6.2.1.2.1.34 |
| Authority Information Access (AIA) | OCSP - URI:http://ocsp.cacert.org | OID=1.3.6.1.5.5.7.1.1; OCSP server address |
| Netscape CA Policy Url | OID=2.16.840.1.113730.1.8 |
| Netscape Comment | To get your own certificate for FREE head over to http://www.cacert.org | OID=2.16.840.1.113730.1.13 |
| Netscape CA Revocation Url | URI:http://crl.cacert.org/revoke.crl | |
CPS 6.3.2 specifies 30 years for root certificates (the 2008 root has 29.5 years because of the Y2038 bug) and 10 years for sub-root certificates. See also: CAB Baseline Requirements for Certificates.
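As an added example (not CAcert's own code), the Python below decodes the DER values of the keyUsage and basicConstraints extensions and reports deviations from the corresponding rows of the table above. The function names, the default expected pathLen of 3 and the sample byte strings are assumptions made for this illustration; only short-form DER lengths are handled.

```python
# Added example, not CAcert code: checks DER extension values against the table.
KU_NAMES = ("digitalSignature nonRepudiation keyEncipherment dataEncipherment "
            "keyAgreement keyCertSign cRLSign encipherOnly decipherOnly").split()

def read_tlv(der, pos=0):  # -> (tag, value, next_pos); short-form length only
    tag, length = der[pos], der[pos + 1]
    if length & 0x80 or pos + 2 + length > len(der):
        raise ValueError("long-form or truncated DER not handled here")
    return tag, der[pos + 2:pos + 2 + length], pos + 2 + length

def parse_key_usage(der):
    """Decode a KeyUsage BIT STRING into the set of asserted usage names."""
    tag, val, _ = read_tlv(der)
    if tag != 0x03 or len(val) < 2:
        raise ValueError("KeyUsage must be a non-empty BIT STRING")
    nbits = (len(val) - 1) * 8 - val[0]   # val[0] = count of unused bits
    return {KU_NAMES[i] for i in range(min(nbits, len(KU_NAMES)))
            if val[1 + i // 8] & (0x80 >> (i % 8))}

def parse_basic_constraints(der):
    """Decode BasicConstraints into (cA, pathLen); pathLen is None if absent."""
    tag, body, _ = read_tlv(der)
    if tag != 0x30:
        raise ValueError("BasicConstraints must be a SEQUENCE")
    ca, path_len, pos = False, None, 0    # cA is DEFAULT FALSE when omitted
    while pos < len(body):
        t, v, pos = read_tlv(body, pos)
        if t == 0x01:
            ca = v != b"\x00"
        elif t == 0x02:
            path_len = int.from_bytes(v, "big")
    return ca, path_len

def check_root_profile(key_usage_der, basic_constraints_der, want_path_len=3):
    """Return deviations from the profile; an empty list means it conforms."""
    findings = []
    usages = parse_key_usage(key_usage_der)
    if usages != {"keyCertSign", "cRLSign"}:
        findings.append("keyUsage asserts %s" % sorted(usages))
    ca, path_len = parse_basic_constraints(basic_constraints_der)
    if not ca:
        findings.append("cA is not true")
    if path_len != want_path_len:
        findings.append("pathLen is %s, expected %s" % (path_len, want_path_len))
    return findings

# Constructed sample values, not taken from a real CAcert certificate.
KU_CA_ONLY = bytes.fromhex("03020106")            # bits 5 and 6 set
BC_PATHLEN_3 = bytes.fromhex("30060101ff020103")  # cA=TRUE, pathLen=3
BC_NO_PATHLEN = bytes.fromhex("30030101ff")       # cA=TRUE, no pathLen
```

Passing `want_path_len=None` accepts a certificate whose pathLen is absent, which is the "none" case the table lists for 2014.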
Business Layout
| Field | Name | 2003 | 2008 | 2014 | 2023 | tbd | comments |
| O | Organisation | Root CA | Root CA | Root CA | Root CA | CAcert.org - Community Certification Authority | is standard layout, see below |
| OU | Organisational Unit | Permission to USE | cacert.org | cacert.org | cacert.org ??? |
| CN | Common Name | CA Cert Signing Authority | CAcert.org | CA Cert Signing Authority | CA Cert Signing Authority | CAcert Root ??? | |
| Issuer O | Organisation | Root CA | Root CA | Root CA | Root CA | CAcert.org - Community Certification Authority | self-signed CA root |
| Issuer OU | Organisational Unit | Permission to USE | cacert.org | cacert.org | cacert.org ??? |
| Issuer CN | Common Name | CA Cert Signing Authority | CAcert.org | CA Cert Signing Authority | CA Cert Signing Authority | CAcert Root ??? | |
| Extensions | (mark which critical) | |
| Certificate Policies | Permission to USE | this is the "preferred" field for policies. "use" document is the first and most important. Not critical. |
| Subject:serialNumber (OID: 2.5.4.5) | none | none | none | none | ??? | (Association Registration Number) INC9880170 for Sub-Roots. Not critical. |
CAcert Intermediate Root (PKI Class 3 Key, Class 3 Root, sub-root)
Technical Layout
| Field | 2003 | 2008 | 2014 | 2023 | tbd | comments |
| Version | version 3 | Required, no problems |
| serialNumber | 0,1 | 2,3,4 (,5,6) | 2,3,4 (,5,6) | F,E, see Notes | size 63(+1) bits, random | Recent & former size is 24 bits |
| subjectKeyIdentifier | "hash" == sha1(own public key) | non-critical extension, obligatory. See RFC 5280 for format & contents. |
| authorityKeyIdentifier | "hash" == sha1(signing public key), or the signing key's sKID. | non-critical extension, obligatory. See RFC 5280 for format & contents. |
| Validity | 2013 ? | 2021 | 2021 | 2031 | 2033 (2023+10) | Validity 10 years to ensure cryptographic sanity |
| Cryptographic algorithms | |
| Signature Algorithm | MD5 with RSA Encryption (1.2.840.113549.1.1.4) | SHA-1 with RSA Encryption (1.2.840.113549.1.1.5) | SHA-256 with RSA Encryption (1.2.840.113549.1.1.11) | SHA-256 with RSA Encryption (1.2.840.113549.1.1.11) | SHA-512 with RSA Encryption (1.2.840.113549.1.1.13) ??? | |
| PK Type | MD5 with RSA Encryption (1.2.840.113549.1.1.4) | SHA-1 with RSA Encryption (1.2.840.113549.1.1.5) | SHA-256 with RSA Encryption (1.2.840.113549.1.1.11) | SHA-256 with RSA Encryption (1.2.840.113549.1.1.11) | SHA-512 with RSA Encryption (1.2.840.113549.1.1.13) ??? | Recently issued roots expiring out to 2040 use SHA-1+RSA (???). Windows-XP does not support (roots with) SHA2 until SP3 (???) |
| Size | 4096 bits | 4096 bits | 4096 bits | 4096 bits | ??? | good for 30 years, see BlueKrypt |
| Format | PKCS1 | standard |
| Hash | MD5 | SHA1 | SHA-256 | SHA-256 | SHA-512 ??? | |
| basicConstraints | Critical | Critical Basic Constraints extension |
| cA | true | Is a Certification Authority |
| pathLen | 3 | 3 | none | 3 | Max. length of chain between root and leaf (optional field). Why is it "none" ? | |
| keyUsage | keyCertSign and cRLSign only | Critical Extension, obligatory for roots. bits 5, 6 to be set. EV-G-AppB concurs. |
| CRL Distribution Points | Full Name: URI:http://www.cacert.org/class3.crl | OID=1.3.6.1.4.1.3375.2.2.6.2.1.2.1.34 |
| Authority Information Access (AIA) | OID=1.3.6.1.5.5.7.1.1; (1) OCSP - URI:http://ocsp.cacert.org, (2) CA Issuers - URI:http://www.CAcert.org/<file> | before 2023 : <file> = ca.crt (now non-existent); 2023 : ERROR, <file> should be Class 1 Root, i.e. certs/root_X0F.crt |
| Certificate Policies | Policy: 1.3.6.1.4.1.18506.2.3.1; CPS: http://www.CAcert.org/cps.php | |
CPS 6.3.2 specifies 30 years for root certificates (the 2008 root has 29.5 years because of the Y2038 bug) and 10 years for sub-root certificates. See also: CAB Baseline Requirements for Certificates.
Business Layout
| Field | Name | 2003 | 2008 | 2014 | 2023 | tbd | comments |
| O | Organisation | ??? | CAcert Inc. | CAcert Inc. | CAcert Inc. | CAcert.org - Community Certification Authority | is standard layout, see below |
| OU | Organisational Unit | Permission to USE | cacert.org | cacert.org | cacert.org ??? |
| CN | Common Name | ??? | CAcert Class 3 Root | CAcert Class 3 Root | CAcert Class 3 Root | CAcert Class 3 Root ??? | |
| Issuer O | Organisation | Root CA | Root CA | Root CA | Root CA | CAcert.org - Community Certification Authority | self-signed CA root |
| Issuer OU | Organisational Unit | Permission to USE | cacert.org | cacert.org | cacert.org ??? |
| Issuer CN | Common Name | CA Cert Signing Authority | CAcert.org | CA Cert Signing Authority | CA Cert Signing Authority | CAcert Root ??? | |
| Extensions | (mark which critical) | |
| Certificate Policies | Permission to USE | this is the "preferred" field for policies. "use" document is the first and most important. Not critical. |
| Subject:serialNumber (OID: 2.5.4.5) | none | none | none | none | ??? | (Association Registration Number) INC9880170 for Sub-Roots. Not critical. |
Serial numbers
Serial numbers issued under the 2003 Class 1 root start out with 10 (hex). The serial numbers in the range 0 - F can be considered "reserved", and the following allocations have been made:
| 0 | Class 1 Root with MD5 signature exp. 20330329 - 1st Class 1 Root |
| 1 | Class 3 Root with MD5 signature (old) - 1st Class 3 Root |
| F | Class 1 Root with SHA256 signature with hash-only Authority Key Identifier (tbd) exp. 20330329 - 2nd Class 1 Root |
| E | Class 3 Root with SHA256 signature with hash-only Authority Key Identifier (tbd) exp. 20210520 - 3rd Class 3 Root |
| 14E228 | Class 3 Root with SHA256 signature with hash-only Authority Key Identifier (tbd) prolonged expiration to 20310417 - 4th Class 3 Root |
Notes:
- The 2nd Class 3 Root with SHA256 signature (re-signed in 2011) has a serial number in the upper (non-reserved) range (0A:41:8A).
- Serial numbers issued under the 2003 Class 3 root start out with 2 (hex). The serial numbers 0 and 1 can be considered "reserved", and no allocations have been made for these.
- The #00000F and #00000E were used for new Class 1 (2nd) and Class 3 (3rd) resp.
- The 4th Class 3 Root with SHA256 signature (re-signed in 2018) has a serial number in the upper (non-reserved) range (14:E2:28).