Tonight at 0:35 UTC our monitoring sent an alert that www.cacert.org is not reachable. Our volunteers had a look at the system and discovered that it has some issues. Two volunteer system engineers started checking what can be done remotely. That means that www.cacert.org is offline/unusable until further notice. If they need to travel to the data centre, this will take more time.
The good news is that only the website is affected and most services remain available without restriction, as the overview below shows:
If you are happy with the work done by our support volunteers, please consider donating: Donations IBAN CH02 0077 4010 3947 4420 0 (Graubündner Kantonalbank)
WordPress has been the easiest and most popular way to create your own website or blog (like this one) for many years. In fact, WordPress is used for more than 40% of all websites on the internet.
On a slightly more technical level, WordPress is an open source content management system licensed under the GPLv2. This means that anyone can use or modify the WordPress software for free. It is a tool that allows you to easily manage your website without having to know anything about programming. WordPress makes creating a website accessible to anyone – even people who aren’t developers.
So it’s only natural that we at CAcert now go one step further: using WordPress without passwords that have to be stored somewhere in the background and can be stolen, simply by using CAcert OpenID Connect for WordPress. An illustrated guide will help you configure WordPress as an OpenID Connect Client with CAcert. Following these steps will allow you to set up OpenID Connect Single Sign-On, so that your users can log in to your WordPress site using their CAcert credentials.
If you are happy with the new functions of CAcert OpenID Connect for WordPress, done by our volunteers, please consider donating: Donations IBAN CH02 0077 4010 3947 4420 0
P.S. If your CMS is neither WordPress, Drupal, nor Nextcloud, please get in touch with our project team. It would be happy to create, together with you, another CAcert OpenID Connect access that fits your needs.
More and more people have access to the internet, and they spend an increasing amount of time on the web. Many websites require the user to authenticate, in most cases with a username and password combination. Using the same combination on every site is unwise. This is where Single Sign-On (SSO) comes into the picture.
SSO allows users to use a single account on one site to gain access to multiple other websites. Even with SSO there are still pitfalls in using a username and password combination: an attacker has several options to gain access to the account. Using a certificate from a Certificate Authority (CA) based on a Public Key Infrastructure (PKI) would, according to Barthold Derlagen and Onno Berfelo, resolve the security issues of logon credentials.
OpenID is an open standard and open source. OpenID is decentralised, which means that authentication does not need to take place on the site that offers the service. Within OpenID there are three parties: the User, the Identity Provider (IdP) and the Relying Party (RP). The IdP provides the user with an identity and an identifier. The user can present this identifier to the RP. The RP then redirects the user to the IdP, where the user authenticates. The IdP redirects the user back to the RP, and the RP accepts that the user has identified themselves. The one problem OpenID can have is trust, and this is where CAcert comes into play.
CAcert is not unlike a common CA. It does, however, use a Web of Trust to verify the identity of its users. CAcert has assurers, which are users with 100 or more assurance points who have successfully taken an assurer test. An assurer can then grant points to other users. Once a user has 50 or more points, he is deemed assured, which unlocks various options in generating certificates.
While Barthold Derlagen and Onno Berfelo proved in a master’s thesis (“How to use the CAcert infrastructure within an OpenID context?”) that CAcert certificates could be used for SSO with OpenID, a project group of volunteers from the CAcert community has implemented exactly that – with OpenID Connect. The new CAcert SSO with OpenID Connect is currently available for Drupal, WordPress and Nextcloud. Interested? Then read more about this in our wiki or download the illustrated manuals.
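The redirect flow described above, written out as a minimal OpenID Connect relying party (the role WordPress, Drupal or Nextcloud plays). This is an added example, not CAcert's code or the wiki guides' configuration; the issuer URL, client registration and the HS256 client-secret key are constructed placeholders so it runs offline.

```python
import base64, hashlib, hmac, json
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed demo values; CAcert's real issuer, client registration and keys differ.
ISSUER = "https://idp.example"
CLIENT_ID = "blog-demo-client"
CLIENT_SECRET = b"constructed-demo-secret"
REDIRECT_URI = "https://blog.example/oidc/callback"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def build_auth_request(state: str, nonce: str) -> str:
    """RP step 1: redirect to the IdP; state binds the reply to this browser
    session, nonce binds the ID token to this login attempt."""
    q = {"response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
         "scope": "openid email", "state": state, "nonce": nonce}
    return f"{ISSUER}/authorize?{urlencode(q)}"

def handle_callback(callback_url: str, session: dict) -> str:
    """RP step 2: the IdP redirects back; reject the reply if state differs from
    the session (login CSRF), otherwise return the code for the token endpoint."""
    q = parse_qs(urlparse(callback_url).query)
    if q.get("state", [None])[0] != session["state"]:
        raise ValueError("state mismatch")
    return q["code"][0]

def issue_id_token(sub: str, nonce: str, now: int) -> str:
    """IdP side (simulated): HS256 JWT keyed with the client secret so the example
    is self-contained; a real IdP signs with RS256 and publishes its JWKS."""
    header = b64url(json.dumps({"alg": "HS256"}).encode())
    claims = {"iss": ISSUER, "sub": sub, "aud": CLIENT_ID, "iat": now,
              "exp": now + 300, "nonce": nonce}
    signing_input = f"{header}.{b64url(json.dumps(claims).encode())}"
    sig = hmac.new(CLIENT_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"

def validate_id_token(token: str, expected_nonce: str, now: int) -> str:
    """RP step 3: the checks OIDC Core requires before the RP accepts that the
    user has identified themselves; returns the subject identifier."""
    header_b64, claims_b64, sig_b64 = token.split(".")
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # the token must not choose its own algorithm
    expected = hmac.new(CLIENT_SECRET, f"{header_b64}.{claims_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    c = json.loads(b64url_decode(claims_b64))
    if c.get("iss") != ISSUER or c.get("aud") != CLIENT_ID:
        raise ValueError("issuer or audience mismatch")
    if c.get("exp", 0) <= now or c.get("nonce") != expected_nonce:
        raise ValueError("expired or replayed token")
    return c["sub"]
```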
If you are happy with the new functions of CAcert OpenID Connect, done by our volunteers, please consider donating: Donations IBAN CH02 0077 4010 3947 4420 0
P.S. If your CMS is missing, please get in touch with our project team. It would be happy to create, together with you, another CAcert OpenID Connect access that fits your needs.
Nextcloud is free software for storing data (e.g. files, calendars, contacts, etc.) on a server. The user can access the data both via the web and with client applications. This enables a centralised and consistent database from many end devices and optional sharing with other users.
In addition to data storage, Nextcloud offers functionalities for video conferencing and various office applications via the web interface.
Using passwords is just annoying and not very secure. Now it’s much easier and even more secure: with CAcert OpenID Connect for Nextcloud, you simply log in with your certificate. Welcome to the future!
You can find out exactly how this works and how easy it is to activate in the illustrated guide for CAcert OpenID Connect for Nextcloud right here in the wiki: https://wiki.cacert.org/CAcertOpenIDConnect (no credit card, no e-mail-address, just download)
If you are happy with the new functions of CAcert OpenID Connect for Nextcloud, done by our volunteers, please consider donating: Donations IBAN CH02 0077 4010 3947 4420 0
At the end of June, the financial year 2024/2025 ended, and in a couple of weeks the annual General Meeting will take place, on 25 October. For transparency, we publish here an overview of how we spent the money. Our servers need electricity to create free certificates. These monthly bills, as well as the about 2000€ for the rack in the data centre, are paid by your generous donations.
If you are happy with your free CAcert Certificate and the work done by our volunteers to run this service, please consider donating: Donations IBAN CH02 0077 4010 3947 4420 0
On 28 September, the Swiss will vote on the introduction of a digital identity card (e-ID). The proposal gives users the greatest possible control: personal data remains on the user’s phone. Neither the state nor private companies can track the use of the e-ID. And users decide for themselves with whom they share which information.
The example of pornography websites shows what this could mean in concrete terms. Today, children and young people can access these sites by clicking on ‘I am over 18’, even though pornography portals in Switzerland are actually required to block young people under the age of 16. In a future with e-ID, it would be possible to carry out age checks that protect privacy: Thanks to the e-ID, anyone who wants to visit the site does not have to reveal their name or date of birth. It is sufficient to disclose that the user is over 16.
The e-ID thus protects young people as well as the privacy of all users. To prevent the system from being exploited, the federal government maintains a register of companies that request too much information from the e-ID. If, for example, the pornography site wanted to register the name or date of birth of its users, users could report the site. The E-ID app would then warn other users about this website. At least, that is what the authorities hope.
No honey pot of data
The approach is clever. Nevertheless, when it comes to digitisation projects, no programme code in the world is 100% secure. The developers currently working on the e-ID code are well aware of this. They have therefore built a system without a central register – meaning there is nothing worth hacking.
To further increase the cyber security of the e-ID, the federal government has also published the programme code and launched a competition: anyone who reports a vulnerability will receive a reward. The 120 developers at the federal government want to harness the collective intelligence of the developer community.
Initial independent analyses of the programme code have shown that the programme actually does what the legal text promises. No more and no less. The code is not yet complete, and important components are still missing. But experts expect progress to be made soon. There is still time until the earliest possible introduction date in the third quarter of 2026.
One can say yes to the introduction of the e-ID, but no to its disproportionate use. Of course, no one wants to have to identify themselves with a government ID at every corner of the internet. We still need digital spaces where we can comment on political issues disguised as Mickey Mouse. Controversial opinions must also be able to be published and debated. This freedom must be defended.
Of course, CAcert will also be at some conferences in 2025. After two days in Elsene near Brussels at FOSDEM in early February, you can get in touch with us at:
8.-11. Aug 2025 Oudkarspel, Netherlands WHY CAMP 2025 (sold out)
16.-17. Aug 2025 St. Augustin (Köln-Bonn) FrOSCon 2025 (free entrance)
It is really a good idea to see and test the new CAcert OpenID Connect on your own! Come and join us.
If you are happy with the new functions of CAcert OpenID Connect, done by our volunteers, please consider donating: Donations IBAN CH02 0077 4010 3947 4420 0
OpenID Connect (OIDC) was developed by the OpenID Foundation as an authentication protocol that verifies a user’s identity when they attempt to access a protected site. CAcert now offers a way to both authenticate and authorise Drupal users with OIDC. This allows one of the best known and most widely used open source content management systems (CMS), used by some of the largest websites such as The Economist or the White House, to be used for single sign-on (SSO), with the benefits of a single login for multiple sites.
This Guide will help you configure your Drupal sites and other applications as an OpenID Connect Client with CAcert. Following these steps will allow you to configure OIDC SSO which will allow your users to log in to your Drupal site using their CAcert credentials.
If you are happy with the new functions of CAcert OpenID Connect for Drupal, done by our volunteers, please consider donating: Donations IBAN CH02 0077 4010 3947 4420 0
Report from our support team about their work since the beginning of the year. Since the beginning of the year, the support team has:
deleted 47 accounts
restored 1 password
solved 11 problems. These involved: an error message due to a root certificate not being installed, a new e-mail address being stored, certificate creation without <keygen>, and the certificate format.
Support also receives between twenty and thirty unwanted e-mails every day, and more at weekends. However, these are sorted out semi-automatically.
If you are happy with the work done by our support volunteers, please consider travelling with us or donating:
DEUTSCH: Report from our support elves about their work since the beginning of the year. Since the beginning of the year, support has:
deleted 47 accounts (on request)
restored 1 password
solved 11 problems. These involved: an error message due to a root certificate not being installed, a new e-mail address being stored, certificate creation without <keygen>, and the certificate format.
Support also receives between twenty and thirty unwanted e-mails every day, and more at weekends. However, these are sorted out semi-automatically.
To join this great team yourself, simply write to secretary@c.o. We offer a thorough induction programme with an experienced support engineer. Working from home is possible, with a workload of your choice. English (reading and writing) is required; other languages are an advantage.
Novice users need to download and install the CAcert roots. This must be done over HTTP (http://www.cacert.org/index.php?id=3), since the browser does not yet trust the CAcert certificate. But the HTTP protocol is considered unsafe nowadays, and some leading browsers offer an “HTTPS-only” mode.
The Blog and Wiki websites are planned to be equipped with Let’s Encrypt certificates to make visiting them easier. Both CAcert roots are already available as plain certificates and bundles for Windows / Unix / Linux / Android / Mac on the wiki page https://wiki.cacert.org/FAQ/NewRoots.