RootKey ceremony

Today, Friday 28th of november, CAcert is creating new RootKeys for signing the certificates. This is done to comply to the audit requirements of having everything documented. Our current RootKeys are audit fail because it lacks documentation about the procedure.

The current RootKeys will NOT be revoked yet because there are thousands of certificates still relying on them.All new or renewed certificates will be signed by the new RootKeys as soon as they are operational. Some extensive testing is done in the last few months for creating, securing and implementing the RootKeys on a very high standard and open way.

The generated RootKey and two sub-root keys for assured community members (class 3) and (not assured) community members (class 1) makes use of open source tooling, certified in the past with FIPS 140-2 certificate for OpenSSL (Mar 2006).

Replacing the RootKeys is the last part of the server rehosting to the Netherlands which was done in October.

Leave a Reply