About this blog

I am Eric Hameleers, and this is where I think out loud.
Adding CACert root certificates to your Slackware

Long before the “letsencrypt” initiative, we already had another free and open Certificate Authority, called CACert. CACert is community driven, and uses ‘assurers’ who personally verify users’ identities, thereby building a “web of trust”. Unfortunately, the big players on the Internet (Google, Mozilla, Microsoft) have always refused to accept and incorporate the CACert root certificate into their browsers. Instead, after many years of imploring these companies to add CACert as a trusted Certificate Authority without any success, they spat in the face of the community and launched their own alternative for free SSL certificates: letsencrypt.

And therefore, even today, a site that uses a CACert-issued SSL certificate is flagged by browsers as untrustworthy. In my opinion, this refusal to accept a community-driven security initiative is nothing short of bullying.

My own server uses a CACert-issued certificate. Folks, it is secure to use https on it! Even when Chrome or Firefox says it is not. So, how to fix that bogus warning message?
For Firefox, just add an exception for the SSL certificate. For Chrome and for the OS in general: import the CACert certificates as follows:

Add the CACert root and class3 certificates to your Linux system. As the root user you download the two .crt files, copy them to /etc/ssl/certs and generate openssl hashes (I used backslashes to indicate that some lines are wrapping because the text would otherwise not be visible on this page):

# cd /tmp
# mkdir CACert
# cd CACert/
# wget -O cacert-root.crt
# wget -O cacert-class3.crt
# cp -ia cacert-*.crt /etc/ssl/certs/
# cd /etc/ssl/certs/
# ln -s cacert-root.crt \
   `openssl x509 -noout -hash -in cacert-root.crt`.0
# ln -s cacert-class3.crt \
   `openssl x509 -noout -hash -in cacert-class3.crt`.0

Then add the CACert root certificate to your Chromium browser. Do the following as your regular user account in addition to the steps you just took under the root account (see also

$ cd /tmp/CACert/
$ certutil -d sql:$HOME/.pki/nssdb \
   -A -t TC -n "" -i cacert-root.crt
$ certutil -d sql:$HOME/.pki/nssdb \
   -A -t TC -n " Class 3" -i cacert-class3.crt

And you’ll end up with a trusted site next time you visit my ‘bear’ server.
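
The root-account steps above trust whatever wget fetched, and they always link to the .0 suffix. As an added example (not part of the original post), the shell functions below install a certificate only when its SHA-256 fingerprint matches a value obtained through a separate channel, and take the next free hash suffix if a different certificate with the same subject hash is already linked. The names cert_fp, install_ca and demo are hypothetical, and the demo uses a constructed throwaway CA in a scratch directory instead of the CACert files.

```shell
#!/bin/sh
# Added example (not from the original post): pin a CA certificate's SHA-256
# fingerprint before trusting it, then create the OpenSSL hash symlink.

# Print a PEM certificate's SHA-256 fingerprint as bare uppercase hex.
cert_fp() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" 2>/dev/null |
        sed 's/^.*=//' | tr -d ':' | tr 'a-f' 'A-F'
}

# install_ca CERT EXPECTED_FP [CERTDIR]   (hypothetical helper)
# Prints the symlink name on success; returns 1 on a fingerprint mismatch.
install_ca() {
    cert=$1
    want=$(printf '%s' "$2" | tr -d ': ' | tr 'a-f' 'A-F')
    dir=${3:-/etc/ssl/certs}
    got=$(cert_fp "$cert")
    if [ -z "$got" ] || [ "$got" != "$want" ]; then
        echo "refusing $cert: fingerprint '$got' does not match" >&2
        return 1
    fi
    name=$(basename "$cert")
    cp "$cert" "$dir/$name" || return 2
    hash=$(openssl x509 -noout -hash -in "$cert") || return 2
    # The post hard-codes ".0"; if a different certificate with the same
    # subject hash is already linked, use the next free suffix instead.
    n=0
    while [ -L "$dir/$hash.$n" ] || [ -e "$dir/$hash.$n" ]; do
        [ "$(readlink "$dir/$hash.$n")" = "$name" ] && break
        n=$((n + 1))
    done
    ln -sf "$name" "$dir/$hash.$n" || return 2
    echo "$hash.$n"
}

# Constructed sample: a throwaway self-signed CA standing in for the
# downloaded cacert-root.crt, installed into a scratch directory.
demo() {
    work=$(mktemp -d) || return 2
    mkdir "$work/certs"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Demo CA" \
        -keyout "$work/ca.key" -out "$work/demo-root.crt" 2>/dev/null || return 2
    pinned=$(cert_fp "$work/demo-root.crt")   # stands in for a published value
    install_ca "$work/demo-root.crt" "$pinned" "$work/certs"
}
demo
```

On a real system, install_ca would be run as root with the fingerprint the CA publishes, compared over a channel other than the one used for the download.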


Comment from Niki Kovacs
Posted: March 19, 2017 at 00:14

I remember you didn’t want to build LetsEncrypt’s Certbot client because there are so many dependencies. Last week I stumbled over an alternative client (nothing to do with “alternative facts”, eh). I didn’t try it, since I already have Certbot on my servers, but here you go.

Comment from Alexander
Posted: March 19, 2017 at 00:48

And this letsencrypt client:
is a bash script; I use it and have nothing to complain about.

Comment from Geremia
Posted: March 19, 2017 at 01:42

I get:

certutil: function failed: SEC_ERROR_BAD_DATABASE: security library: bad database.

when trying to run your certutil commands.

Comment from Roy Lanek
Posted: March 19, 2017 at 08:00

Done. Nice. THX.

Comment from Mike Langdon
Posted: March 19, 2017 at 10:38

I had nearly the same result as Geremia, except it ended with invalid arguments.

Comment from Willy Sudiarto Raharjo
Posted: March 19, 2017 at 12:09

All the above commands work fine here.

Make sure to copy-paste from the website instead of trying to write it manually.

Comment from LoneStar
Posted: March 19, 2017 at 12:41

yep, the thing with CA certs and Mozilla/Google is extremely annoying.

Just this past week I’ve switched to using letsencrypt (with dehydrated script) because of the recent events with StartCom. I had paid for a 2-year wildcard cert with StartCom, valid until 2018, and now it’s considered untrustworthy by the browsers because of the well-known accusations.

Comment from Ricardo J. Barberis
Posted: March 19, 2017 at 21:07

Working fine also with Opera (the new one, based on Chrome), I just had to restart the browser.

Thanks for the instructions!

Comment from Robert Allen
Posted: March 20, 2017 at 07:49

Thanks for the overview of CACert – I had seen them in previous searches but had no clear idea of their place in the cosmos.

I too, have balked at putting certbot on my own machines – not going to happen! I have found letsencrypt-nosudo to meet my own needs perfectly:

It allows me to manage and renew all my certs from my local machine. Nothing runs on the production platforms – ever, I authenticate with temporary well-known/… files via HTTP and upload the renewed certs over ssh/sftp.

On the local machine it never runs with elevated privs and writes only to STDOUT, making no assumptions about how I want to organize everything.

Perhaps a Slackdocs article in the works…
