Finally: Create a Client Certificate in the Browser

Since Google and Mozilla have removed the <keygen> element we use from the HTML standard and from their browsers, we have endeavoured to provide a valid replacement so that client certificates can once again be created so easily that even my grandmother could do it.

Finding a solution was not easy; other CAs were also sweating bullets here. The solution that we have been offering for some time now was initially somewhat hidden, but has since been prominently linked as the seventh service on our community portal community.cacert.org.

Both the new solution and the community portal are the result of the tireless work of a small group of volunteers. As a small thank you, you can make their work easier by not having to worry about CAcert’s operating costs. Donation account CAcert: IBAN CH02 0077 4010 3947 4420 0 or with bank or credit card.

Visit at the Datacenter on 2024-02-02

Today we visited the datacenter again to return the newly installed backup machine webdb2 and verify some settings on the signer machines.

While we were onsite, we updated neary all critical machines (including our main firewall), which caused outages of some minutes of our services.

After all updates were done we ran some tests including issuing Class1 and Class3-certifcates (client and server). A minor isse with crl-server (not running the rsync-service) was corrected afterwards remotely.

Both signers are now communicating with their webdb-servers. In the next days we’ll set up an automatic backup of webdb1 to webdb2 so webdb2 can fully replace webdb1 in case of a failure, which could not be corrected remoted.

Client certificate login temporarily not possible

Today we had been informed about an issue with client certificates issued on or after December 20, 2023 being used for login to www.cacert.org.

We did immediately switched off the login to www.CAcert.org for investigation.

We just activated the Username/Password-Login again, but keep the certificate login closed until the issue is resolved.

We will give an update with more details and plan to active certificate login again as soon as the issue is fixed.

I cannot create or renew my certificate, because it hangs ||| Help – Hilfe – au secours – aiuto

A typical message from an user: “Certificate renewal in state ‘pending’ for days. How to remove/renew then?”

Don’t worry, there is a solution (and the reason is independent from CAcert). Please follow the steps as described in the wiki: https://wiki.cacert.org/FAQ/CertCreationRenewalStucks

Deutsch: Wenn die Zertifikatserneuerung in der Endlosschleife endet: Es gibt eine Lösung: https://wiki.cacert.org/FAQ/CertCreationRenewalStucks/DE

Français: Si le renouvellement de certificats dure des heures, voir des jours: voici la solution: https://wiki.cacert.org/FAQ/CertCreationRenewalStucks/FR

català | castellano | ?esky | español | italiano | ??? | nederlands | polski | português | ??????? | svenska | ??????????

Donations ??? Spenden

Fortunately, there are always users of our services who show their appreciation and contribute to the operating costs. There are various ways to do this, which we would like to point out once again – above all, that sometimes things change over time.

  • Bank transfer: This is our treasurer’s preference. The money is immediately where it belongs: in the safe of a solid bank. There are banks that charge indecently high fees for bank transfers. Is that the case with your bank? Or do you live in a country without SEPA/IBAN? Then there is an alternative:
  • In that case, follow one of the four QR codes. They will take you to Conotoxia. There you can pay with the usual bank cards and credit cards without having to open an account. The money also comes to us. The service is based in the EU and is regulated accordingly.
  • Paypal is not an alternative. The links repeatedly don’t work and if Paypal considers small donations to be money laundering or terrorist financing, it is blocked for months. We have already contacted the financial supervisory authority of the relevant tax haven.
CAcert Inc
CH-7514 Sils/Segl
IBAN: CH02 0077 4010 3947 4420 0
Graubündner Kantonalbank, Chur
Clearing 774
BIC (SWIFT) GRKBCH2270A

50 EUR

100 EUR

20 EUR

10 EUR

DEUTSCH Es gibt glücklicherweise immer wieder Nutzer unserer Dienste, welche sich erkenntlich zeigen und sich an den Betriebskosten beteiligen. Dazu gibt es verschiedene Möglichkeiten, die wir gerne noch einma aufzeigen – vor allem auch, das sich im Laufe der Zeit auch manchmal etwas ändert.

  • Banküberweisung: Das hat unser Kassier am liebsten. Das Geld ist sofort, dort wo es hingehört: im Tresor einer soliden Bank.
    Es gibt Banken, welche für Überweisungen unanständig hohe Gebühren verlangen. Ist das bei deiner Hausbank der Fall? Oder wohnst du in einem Land ohne SEPA/IBAN? Dann gibt es eine Alternative:
  • In dem Fall, folge einem der vier QR-Codes. Sie führen zu Conotoxia. Dort kannst du mit den üblichen Bankkarten und Kreditkarten bezahlen, ohne eine Konto eröffnen zu müssen. Das Geld kommt auch zu uns. Der Dienst ist in der EU angesiedelt und entsprechend reguliert.
  • Keine Alternative ist Paypal. Die Verknüpfungen funktionieren immer wieder nicht und wenn Paypal Kleinspenden als Geldwäscherei ansieht oder Terrorfinanzierung, wird es über Monate blockiert. Wir haben bereits mit der Finanzaufsicht der zuständigen Steueroase Kontakt aufgenommen.

FRANÇAIS Il y a heureusement toujours des utilisateurs de nos services qui se montrent reconnaissants et participent aux frais d’exploitation. Il existe différentes possibilités que nous aimerions vous présenter, surtout parce que les choses changent parfois au fil du temps.

  • Virement bancaire: c’est ce que notre caissier préfère. L’argent est immédiatement là où il doit être: dans le coffre d’une banque solide. Il existe des banques qui facturent des frais indécents pour les virements. Est-ce le cas de ta banque habituelle? Ou tu habites dans un pays sans SEPA/IBAN? Dans ce cas, il existe une alternative:
  • Dans ce cas, suis l’un des quatre codes QR. Ils mènent à Conotoxia. Tu peux y payer avec les cartes bancaires et les cartes de crédit habituelles, sans devoir ouvrir un compte. L’argent arrive aussi chez nous. Le service est basé dans l’UE et réglementé en conséquence.
  • Paypal n’est pas une alternative. Les liens ne fonctionnent toujours pas et si Paypal considère les petits dons comme du blanchiment d’argent ou du financement du terrorisme, il est bloqué pendant des mois. Nous avons déjà pris contact avec l’autorité de surveillance financière du paradis fiscal concerné.

Merry CAcertmas!

Dear friends and members of the CAcert community. Are you curious and want to know what is wrapped in the package under the tree? This year, Father Christmas has packed something really nice.

As always with CAcert, you can unwrap it faster and enjoy it more quickly if you help out a little. Translate a little. Or do a little programming. Or test a few new functions. Or like this. To do so, you find further information on the web or write to our secretary.

CAcert Services mostly running again

In Wednesday another visit at the datacenter took place, where we installed the updated webdb1-machine to the rack.

There are still some minor issues left (e.g. language selection for main website, automatic mails), which will be activated again remotely withins the next days.

This time the available time on critical teams site was blocked by some investigation issues (e.g.: What caused the outage, why did the internal routines and raid did not work) and non CAcert-related issues (as we all have a family and job, which are time-consuming as well) and and outage of usable internet-connection on critical teams site.

Naming this: If you’re living next to or in Netherlands and want to give us a helping hand for infrastructure and (possible) critical team feel free to contact us via support.

New board allready started

On 7 December, the committee of CAcert Inc (also known as “board”) was constituted as follows:

  • President – Brian McCullough
  • Vice president – Kim Nilsson
  • Treasurer – Frédéric Grither
  • Secretary – Étienne Ruedin
  • Board members – Aleš Kastner, Frédéric Dumas

Two weeks earlier, the board had already discussed organisational issues in depth at a closed meeting. It is aware that collaboration via virtual channels does not only bring advantages. In order to meet these high demands in the future, the committee will continue to address these issues in the coming weeks. Last autumn, those responsible were introduced to the topic by a management consultant specialising in non-profit organisations, who thankfully did this pro bono.

New drive for CAcert Inc

At the Annual General Meeting 2022/2023 of our Geneva based operating association CAcert Inc on November, 11th, 2023, the members of CAcert Inc elected a new committee (also known as “board”). Some familiar faces are still involved, complemented by new blood from Bohemia. We can announce the constitution at the beginning of December.

Partially restricted operation / most services available

As a result of a chain of technical failures of old equipment already scheduled for replacement, there are currently certain limitations in the services provided to members of the CAcert community. We regret this terribly.

  • bugs.cacert.org ?Bug management: normal operation
  • community.cacert.org ?Service hub: normal operation
  • irc.cacert.org ?IRC: normal operation
  • secure.cacert.org ?reduced service
  • selfservice.cacert.org ?password reset: normal operation
  • webmail.cacert.org ?webmail: normal operation
  • wiki.cacert.org ?wiki/help centre: normal operation
  • www.cacert.org ?main page: reduced service

Mid september, we discovered that a partition contained a corrupt file system. A
subsequent hardware test showed that one of the hard drives was reporting hardware errors. In order to be able to continue using the system, we have moved this partition to a second drive.

Since the end of september the system no longer responds. We suspect that other partitions are defective. Neither web access nor SSH access work, so the only way to find the error can only be analysed in more detail by a visit to our data centre.
In order to still be able to offer as many services as possible to the CAcert community until the repair, we redirected the connections for www.cacert.org and secure.cacert.org in the incoming firewall to the second system. As a result of ongoing hardware renewal, however, this fall-back level is not quite complete: There is no working signer and no up-to-date copy of the CAcert database attached to this system.

That is, why the main page can be used as a start for informing our users about the blog for now, while certificate issuing and WoT access has to be postponed until our technical volunteers have made the several-hour trip to the data centre for troubleshooting. As they are doing this in their spare time and at their own expense, we are very grateful to these volunteers that they will probably be able to do this in mid-October.

If you would like to know what you can do yourself to ensure that such interruptions occur less frequently and are resolved more quickly, read this!

DEUTSCH: Infolge einer kaskadierten technischen Störung sind zur Zeit leider nicht alle Dienstleistungen übers Netz abrufbar. Alle Fernwartschritte haben unsere technischen Freiwilligen bereits unternommen. Bis zu einen Vororteinsatz im Rechenzentrum im Ausland voraussichtlich Mitte Oktober ist der Zugriff auf den Signer und die Datenbank nicht möglich. Wir bedauern dies sehr. Was Sie tun können, um solche Ausfallzeiten künftig zu verringern, lesen Sie hier!

FRANÇAIS: Suite à une panne technique en cascade, tous les services ne sont malheureusement pas accessibles en ligne pour le moment. Toutes les démarches de télémaintenance ont déjà été effectuées par nos volontaires techniques. L’accès au Signer et à la base de données est impossible jusqu’à une intervention sur place dans le centre de calcul à l’étranger, probablement mi-octobre. Nous le regrettons vivement. Vous pouvez lire ici ce que vous pouvez faire pour réduire ces temps d’arrêt à l’avenir!

PORTUGUÊS: Devido a uma falha técnica em cascata, infelizmente nem todos os serviços estão disponíveis pela rede no momento. Todas as medidas de manutenção remota já foram tomadas por nossos voluntários técnicos. O acesso ao signatário e ao banco de dados não será possível até uma visita no local ao centro de dados no exterior, provavelmente em meados de outubro. Lamentamos muito o ocorrido. Leia aqui o que você pode fazer para reduzir esses períodos de inatividade no futuro!

ESPAÑOL: Debido a un fallo técnico en cascada, lamentablemente no todos los servicios están disponibles actualmente a través de la red. Nuestros voluntarios técnicos ya han tomado todas las medidas de mantenimiento a distancia. El acceso al firmante y a la base de datos no será posible hasta una visita in situ al centro de datos en el extranjero, probablemente a mediados de octubre. Lo lamentamos mucho. Lea aquí lo que puede hacer para reducir estos tiempos de inactividad en el futuro.