Long before the “letsencrypt” initiative, we already had another free and open Certificate Authority, called CACert.org. CACert is community driven, and uses ‘assurers’ who personally verify users’ identities, thereby building a “web of trust”. Unfortunately, the big players on the Internet (Google, Mozilla, Microsoft) have always refused to accept and incorporate the CACert root certificate into their browsers. Instead, after many years of imploring these companies to add CACert as a trusted Certificate Authority without any success, they spat in the face of the community and launched their own alternative for free SSL certificates: letsencrypt.
And therefore, even today, a site that uses a CACert-issued SSL certificate is flagged by browsers as untrustworthy. In my opinion, this refusal to accept a community-driven security initiative is nothing short of bullying.
My own server, bear.alienbase.nl, uses a CACert-issued certificate. Folks, it is secure to use https on it! Even when Chrome or Firefox says it is not. So, how to fix that bogus warning message?
For Firefox, Chrome and for the OS in general: import the CACert certificates as follows:
First add the CACert root and class3 certificates to your Linux system.
As the root user you download the two .crt files, copy them to /etc/ssl/certs and create the hash-named symlinks that OpenSSL uses to look up CA certificates in that directory (I used backslashes to indicate that some lines are wrapping because the text would otherwise not be visible on this page):
```sh
# cd /tmp
# mkdir CACert
# cd CACert/
# wget -O cacert-root.crt http://www.cacert.org/certs/root.crt
# wget -O cacert-class3.crt http://www.cacert.org/certs/class3.crt
# cp -ia cacert-*.crt /etc/ssl/certs/
# cd /etc/ssl/certs/
# ln -s cacert-root.crt \
    $(openssl x509 -noout -hash -in cacert-root.crt).0
# ln -s cacert-class3.crt \
    $(openssl x509 -noout -hash -in cacert-class3.crt).0
```
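As an added example (not part of the original post), the script below shows why the `ln -s ... .0` step matters: `openssl verify -CApath` only finds a CA certificate through a `<subject_hash>.0` entry, so a `.crt` that is merely copied into the directory is ignored. It builds a throwaway CA and leaf certificate with `openssl` in a temporary directory instead of touching the real CACert files or /etc/ssl/certs.

```sh
#!/bin/sh
# Added example: demonstrates the OpenSSL -CApath hash-symlink lookup that
# the /etc/ssl/certs step relies on. Everything here is constructed in a
# temp dir; no real CAcert certificates or system paths are used.
set -e

WORK=$(mktemp -d)
CAPATH="$WORK/certs"
mkdir -p "$CAPATH"

# Constructed demo CA (self-signed) and a leaf certificate it signs.
openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=Demo Root CA (constructed)" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=demo.example.invalid" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 2 \
    -out "$WORK/leaf.crt" 2>/dev/null

# Prints "ok" if leaf.crt chains to a CA found via $CAPATH, else "fail".
# -no-CAfile keeps the system bundle out of the picture so only the
# hashed directory decides the outcome.
verify_leaf() {
    if openssl verify -no-CAfile -CApath "$CAPATH" "$WORK/leaf.crt" \
        >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# Step 1: copy the CA certificate only, like the 'cp -ia' line in the post.
cp "$WORK/ca.crt" "$CAPATH/demo-root.crt"
BEFORE=$(verify_leaf)      # "fail": no <hash>.0 entry exists yet

# Step 2: add the <subject_hash>.0 symlink, like the 'ln -s' lines.
HASH=$(openssl x509 -noout -hash -in "$CAPATH/demo-root.crt")
ln -s demo-root.crt "$CAPATH/$HASH.0"
AFTER=$(verify_leaf)       # "ok": -CApath can now locate the issuer

echo "before symlink: $BEFORE, after symlink: $AFTER"
```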
To make your browsers trust CACert, they need to import its root and class3 certificates first. I will focus on Firefox and Chromium (the instructions will work for Pale Moon and Chrome as well).
First, the Firefox or Pale Moon browser. Open the page http://www.cacert.org/index.php?id=3
- Click on the link for “Class 1 PKI Key” called “Root Certificate (DER Format)”. You will see the text “You have been asked to trust a new Certificate Authority (CA). Do you want to trust ‘CA Cert Signing Authority’ for the following purposes?”. At a minimum you must check the box to the left of “Trust this CA to identify web sites” before importing the certificate.
- Then do the same for the “Class 3 PKI Key” called “Intermediate Certificate (DER Format)” a bit lower on the page.
Next, Chrome/Chromium. To add the CACert root and class3 certificates to your Chromium browser, do the following as your regular user account (see also http://wiki.cacert.org/FAQ/BrowserClients#Linux):
```sh
$ cd /tmp/CACert/
$ certutil -d sql:$HOME/.pki/nssdb \
    -A -t TC -n "CAcert.org" -i cacert-root.crt
$ certutil -d sql:$HOME/.pki/nssdb \
    -A -t TC -n "CAcert.org Class 3" -i cacert-class3.crt
```
And you’ll end up with a trusted site next time you visit my ‘bear’ server: