Tag Archives: Root Re-Signing

Re-signed Class-3-Certificate – take action now!


English | We already reported here in January that our Class 3 certificate is being re-signed. This was done a few weeks ago in our data centre in the Netherlands and subsequently tested extensively by our volunteers.

The new Class 3 certificate can now be downloaded here. In a few days we will update the fingerprints and publish the other formats here. We recommend that all users use the new Class 3 certificate immediately, as the old certificate is approaching its expiry date and will no longer be valid after May 20th. Download the new certificate today and install it in your browser, e-mail program or certificate server as required.

All this exciting work (planning, re-signing, testing, communication) was done by volunteers from the CAcert community. They have acquired a lot of expertise over time and have worked their way up in the community. CAcert continues to offer such opportunities to interested and committed people today.

May makes everything new – what's new at CAcert

Deutsch | We already reported here in January that our Class 3 certificate is being re-signed. This took place a few weeks ago in our data centre in the Netherlands and was subsequently tested extensively by our volunteers.

The new Class 3 certificate can now be downloaded here. In a few days we will publish the fingerprints as well as the other formats here in the usual place. We recommend that all users use the new Class 3 certificate from now on, as the old certificate is approaching its expiry date and will then no longer be valid. Download the new certificate today and install it in your browser, e-mail program or certificate server as required.

All this exciting work (planning, re-signing, testing, communication) was carried out by volunteers from the CAcert community. They have acquired a great deal of expertise over time and have worked their way up in the community. CAcert still offers such opportunities to interested and committed people today.

Switch to the new Class 3 certificate

Français | We already reported here in January that our Class 3 certificate was being re-signed. This was done a few weeks ago in our data centre in the Netherlands and was then tested thoroughly by our volunteers.

The new Class 3 certificate (like the old one) can be downloaded here. The fingerprint will be published here in the coming days. We recommend that all users use the new Class 3 certificate from now on, as the old certificate is approaching its expiry date and will no longer be valid. Download the new certificate today and install it in your browser, e-mail program or certificate server, according to your needs.

All this exciting work (planning, re-signing, testing, communication) was carried out by volunteers from the CAcert community. They have acquired great expertise over time and have risen through the ranks of the community. CAcert continues today to offer such opportunities to interested and committed people.

Español | A few weeks ago, our Class 3 certificate was re-signed in our data centre in the Netherlands, and our volunteers then tested it exhaustively. The new Class 3 certificate can be downloaded here. The fingerprint and the other formats will be available here in the coming days. We recommend that all users use the new Class 3 certificate from now on, as the old one will shortly cease to be valid. Install the new Class 3 certificate today.

All this exciting work was carried out by volunteers from the CAcert community. CAcert offers interesting opportunities to interested and dedicated people.

Fingerprints | SHA1 Fingerprint = D8:A8:3A:64:11:7F:FD:21:94:FE:E1:98:3D:D2:5C:7B:32:A8:FF:C8
SHA256 Fingerprint = 1B:C5:A6:1A:2C:0C:01:32:C5:2B:28:4F:3D:A0:D8:DA:CF:71:7A:0F:6C:1D:DF:81:D8:0B:36:EE:E4:44:28:69

New Class 3 certificate expected for May

Question from a member of the community: The Class3 certificate is set to expire this year in May. What do I need to do with:
a) My existing certificates that were signed against the Class 3
b) Installation of the new Class3 and when will that happen?

Answer from our volunteer critical system administrator: Thank you for this question. We already started the re-signing procedure last year. We plan to use the same private key for the new class-3-certificate, so the old certificates will remain valid.

As the re-signing needs to be done in the data centre in the Netherlands, this is planned for February/March – depending on the pandemic situation. So there will be enough time to replace the Class-3-Root in your configuration (Certificate-Chain) or your browsers.
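Why re-signing with the same private key keeps existing certificates valid, while the Class 3 certificate in the chain still has to be replaced: the following is an added example, not CAcert's procedure or tooling. It builds a throwaway three-level PKI with the `openssl` CLI (all names, serials and lifetimes are constructed) and uses `openssl verify -attime` to check one unchanged leaf against the old and the re-signed intermediate, today and five days from now.

```shell
#!/bin/sh
# Added illustration. Every name, lifetime and file below is constructed for the demo.
mkcsr() {  # $1 = file stem, $2 = common name: fresh RSA key plus CSR
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$2" 2>/dev/null
}
sign() {   # $1 CSR stem, $2 issuer cert, $3 issuer key, $4 days, $5 serial, $6 ext file, $7 output
  openssl x509 -req -in "$1.csr" -CA "$2" -CAkey "$3" -days "$4" -set_serial "$5" \
    -sha256 -extfile "$6" -out "$7" 2>/dev/null
}
check() {  # $1 = intermediate offered with the leaf, $2 = days from now
  at=$(( $(date +%s) + $2 * 86400 ))
  if openssl verify -attime "$at" -CAfile root.pem -untrusted "$1" leaf.pem >/dev/null 2>&1
  then echo ok; else echo fail; fi
}
resign_demo() {
  dir=$(mktemp -d) || return 1
  ( cd "$dir" || exit 1
    echo 'basicConstraints=critical,CA:TRUE' > ca.ext
    echo 'basicConstraints=CA:FALSE' > ee.ext
    mkcsr root 'Demo Root'; mkcsr c3 'Demo Class 3'; mkcsr leaf 'leaf.example'
    # Self-signed demo root, valid 60 days.
    openssl x509 -req -in root.csr -signkey root.key -days 60 -set_serial 1 \
      -sha256 -extfile ca.ext -out root.pem 2>/dev/null
    # Old intermediate: expires in 2 days. The leaf it issues lives 30 days.
    sign c3 root.pem root.key 2 10 ca.ext c3_old.pem
    sign leaf c3_old.pem c3.key 30 100 ee.ext leaf.pem
    # Re-sign: same CSR, so same subject and same key pair; new serial and expiry.
    sign c3 root.pem root.key 40 11 ca.ext c3_new.pem
    printf 'today: old=%s new=%s; day 5: old=%s new=%s\n' \
      "$(check c3_old.pem 0)" "$(check c3_new.pem 0)" \
      "$(check c3_old.pem 5)" "$(check c3_new.pem 5)"
  )
  rm -rf "$dir"
}
resign_demo
```

The leaf is never re-issued: its signature verifies under the unchanged intermediate key, so only the intermediate certificate served alongside it decides whether the chain still validates after the old expiry date.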

Deutsch: Planning to re-sign the Class 3 certificate already began last year. The schedule is generous, so that the work of our volunteers will be completed before May.

Français: The project to re-sign the Class 3 certificate was launched last year. The schedule is generous; the work of our volunteers will be finished before May.

Español: Planning to re-sign the Class 3 certificate began last year. The schedule is generous; the work of our volunteers will be completed before May.

Português: Planning to re-sign the Class 3 certificate began last year. The schedule is generous, as the work of our volunteers will be completed before May.

CAcert renewed root certificates

CAcert has finally upgraded the Root and Class 3 certificates from the old MD5 encoding to the modern SHA-256. Your browsers will like us again! The new certificates were installed in “the usual places” on April 10th. You may go to our web site home page, https://www.cacert.org, and over on the right-hand side, three lines from the top, is “Root Certificates.” The short way to get there is https://www.cacert.org/index.php?id=3.

We would like to thank all software team members for the job they did. All teams consist of volunteers. If you want to support the work done by the Software Team, including the review, please donate to continue to run this service. Thank you.

CAcert renews root certificates

CAcert has finally updated the Root and Class 3 certificates from the old MD5 encoding to the modern SHA-256. Your browsers will like us again! The new certificates were installed in “the usual places” on April 10th. You can go to our home page, https://www.cacert.org, and on the right-hand side, three lines from the top, you will find “Root Certificates”. The short way to get there is https://www.cacert.org/index.php?id=3.

We would like to thank all members of the software team for the work they have done. All teams consist of volunteers. If you would like to support the work of the software team, including the review, please donate to keep this service running. Thank you.

CAcert has renewed its root certificates

CAcert has finally updated the Root and Class 3 certificates from the old MD5 encoding to the modern SHA-256. Your browsers will like us again! The new certificates were installed in “the usual places” on April 10th. You can go to the home page of our web site, https://www.cacert.org, and on the right-hand side, three lines from the top, is “Root Certificates”. The shortest way to get there is https://www.cacert.org/index.php?id=3.

We would like to thank all members of the software team for the work they have done. All teams are made up of volunteers. If you would like to support the work done by the software team, including the review, please make a donation to keep this service running. Thank you.

Successful Root-Re-Sign

On March 12th 2016 CAcert performed the Root Re-Signing at our data center in Ede, NL, after the initial attempt[1] had to be postponed on short notice.

The process followed the procedures that are available in the Wiki[2]/SVN[3] along with the tooling[4] used.

The re-signing was conducted by two CAcert critical administrators, a secure-u access engineer, and supervised by CAcert’s internal auditor.
Its execution has been announced on the cacert-systemlog mailing list[5]. The execution report by the critical team has been published there too[6]. The report of the auditor is published in our Wiki[7].

We want to send special thanks to all who helped in preparing and testing the procedures and tools for the process and thus made this smooth execution possible.

The CAcert Inc. board tried to have the creation of the needed software held in public but was overruled by some of the teams involved.

Now that the re-signed root certificates are available to CAcert, the next step is to publish them. This will take some time, as the software team needs to prepare the code changes[8][9][10] and have them reviewed. Once this is done, the publication of the re-signed root certificates will be announced on the blog and all community members will be informed via e-mail.

[1] https://blog.cacert.org/2015/12/re-signing-root-certificate/
[2] https://wiki.cacert.org/Roots/Class1ResignProcedure
[3] https://svn.cacert.org/CAcert/SystemAdministration/signer/re-sign-2016/implementation.txt
[4] https://github.com/CAcertOrg/cacert-procedures/tree/root-resign-sha256/rootResignSHA256
[5] https://lists.cacert.org/wws/arc/cacert-systemlog/2016-03/msg00001.html
[6] https://lists.cacert.org/wws/arc/cacert-systemlog/2016-03/msg00002.html
[7] https://wiki.cacert.org/Audit/Results/session2016.1
[8] https://bugs.cacert.org/view.php?id=1305
[9] https://bugs.cacert.org/view.php?id=1254
[10] https://bugs.cacert.org/view.php?id=1194

Re-Signing Root Certificate

On Friday, 29th January 2016, the long-planned re-signing of CAcert’s root certificate will finally take place.

This action has been overdue for quite some time now as several browser and OS vendors have dropped support for MD5-signed certificates or otherwise made such certificates unusable.

The re-signing process [1] was tested successfully at the last FrOSCon in August 2015 [2].

The re-signing ceremony will be open to the public and will take place near CAcert’s data center in Ede, NL. As soon as more details become available we’ll provide a wiki page with the exact schedule and location.

UPDATE: Unfortunately the Re-Signing event had to be postponed due to a shortage of manpower in the different teams involved in the process. A new date is currently being sought. As soon as the new date is available it will be announced here.

[1] https://wiki.cacert.org/Roots/Class1ResignProcedure
[2] https://wiki.cacert.org/Audit/Results/session2015.4

Successful process tests of New Root and Escrow and Class 1 Root re-signing

On Sunday at FrOSCon 10 CAcert successfully tested the New Root and Escrow (NRE) process and performed a test run of the long-expected Class 1 re-signing.

Members of the software team, the critical admins, the NRE team, and the internal auditor met in a session, which was open to the public, to test these long-prepared tasks.

The process started with checking that the needed hardware was running and was set up according to the process definition. In a first step the defined tasks were then executed manually to prove that the procedures produce the desired results. In a second step the manual tasks were automated where possible and the script was tested and checked according to the process definition.

The results show the expected outcome.

The internal auditor was pleased with the good and professional preparation of the test and the successful outcome. The new root keys created during the NRE test will be used for a test server based on Gigi and Cassiopeia.

Related Information: