CAcert – A community-driven Certificate Authority

So I was reading the Alien Pastures blog with great interest earlier and was surprised to learn that Eric Hameleers had chosen to secure his upcoming website with a certificate from CAcert. Unfortunately, certificates from CAcert are not trusted by most browsers and platforms and will either generate ominous-looking warnings or be outright blocked.

What is CAcert

CAcert.org is a community-driven Certificate Authority that issues certificates to the public at large for free. CAcert’s goal is to promote awareness and education on computer security through the use of encryption, specifically by providing cryptographic certificates.
Source: https://www.cacert.org/

[Screenshot: CAcert client certificate] Accessing my account using a CAcert-issued client certificate.

Getting CAcert issued certificates

To obtain certificates issued by CAcert, the process is straightforward:

  1. Sign up with CAcert.
  2. Add your domain and confirm domain control (email verification).
  3. Generate your CSR (Certificate Signing Request) and paste it into a web form.
  4. Download and install your certificate.

This is exactly how it works with most commercial CAs (Certificate Authorities) when issuing DV (domain validated) certificates. From a user's point of view, CAcert works and operates like any other CA. I also appreciate how they let you keep track of issued and revoked domain and client certificates from your account page.

[Screenshot: CAcert domain certificates] A view of my CAcert-issued domain certificates.

Got root?

I rather enjoy CAcert and would gladly use their services if their root certificates were included with mainstream browsers and platforms. As things stand, I highly doubt I could convince any of my visitors to install the CAcert roots simply to gain access to this blog.

Additionally, any visitor who declines to install these roots would not be able to connect to any of my domains at all because of the HSTS (HTTP Strict Transport Security) policy. HSTS requires the certificate to chain to a trusted root, and browsers do not offer the usual "add an exception" click-through for HSTS-protected hosts, so an untrusted certificate means a hard failure rather than a warning. To see this policy in action, try accessing a subdomain secured with a CAcert-issued wildcard certificate at sandbox.paranoidpenguin.net.
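To make both points concrete (step 3 of the enrolment procedure above, and why a certificate from a root that is not in the trust store is rejected), here is an added shell walkthrough that is not part of the original post and uses the openssl command-line tool rather than anything from CAcert. It generates a key and CSR for a constructed hostname, stands up a throw-away "community" root CA that plays the role of CAcert, issues a certificate from the CSR, and then runs openssl verify twice: once against the default trust store (where the demo root is absent, as CAcert's root is in most browsers) and once with the root supplied explicitly (the equivalent of a visitor installing it). The hostname, the root's name and all file names are constructed for this demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: CSR generation plus a
# stand-in community root, to show trust-store behaviour with openssl.
# The host name, root CA name and paths below are constructed for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Step 3 of the procedure: a private key and a CSR for one host.
# Prints the CSR path; the CSR is what you would paste into the CA's web form.
make_csr() {
    host="$1"
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$WORK/$host.key" -out "$WORK/$host.csr" \
        -subj "/CN=$host" >/dev/null 2>&1
    # A CSR carries a self-signature made with the requester's key;
    # -verify checks that signature before we hand the request over.
    openssl req -in "$WORK/$host.csr" -noout -verify >/dev/null 2>&1
    echo "$WORK/$host.csr"
}

# The CA side, replaced here by a throw-away self-signed root
# (constructed; it stands in for the CAcert root in this demo).
make_demo_root() {
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 1 \
        -keyout "$WORK/root.key" -out "$WORK/root.pem" \
        -subj "/CN=Demo Community Root" >/dev/null 2>&1
    echo "$WORK/root.pem"
}

# Step 4 from the CA's side: sign the CSR with the demo root.
issue_cert() {
    host="$1"
    openssl x509 -req -in "$WORK/$host.csr" \
        -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
        -days 1 -sha256 -out "$WORK/$host.pem" >/dev/null 2>&1
    echo "$WORK/$host.pem"
}

# What a browser does on connect: build a chain to a root it already trusts.
# Returns non-zero when no trusted root is found, which is the CAcert situation.
verify_with_default_store() {
    openssl verify "$1" >/dev/null 2>&1
}

# What happens after a visitor has installed the root manually.
verify_with_root() {
    openssl verify -CAfile "$WORK/root.pem" "$1" >/dev/null 2>&1
}

# Demo run on a constructed hostname.
CSR=$(make_csr "www.example.test")
make_demo_root >/dev/null
CERT=$(issue_cert "www.example.test")

if verify_with_default_store "$CERT"; then
    echo "default store: trusted"
else
    echo "default store: NOT trusted (an HSTS host would be unreachable)"
fi

if verify_with_root "$CERT"; then
    echo "with the root installed: trusted"
fi
```

The second verification only succeeds because the root is passed in explicitly; nothing about the certificate itself changed between the two calls, which is exactly why a technically sound CAcert certificate still fails in a stock browser.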

[Screenshot: CAcert HSTS error] Your connection to this CAcert-secured domain was blocked by an HSTS policy.

If you were able to connect, your system already trusts CAcert-issued certificates (are you using Arch Linux?).

Is it advisable to use CAcert?

I think it's fine to use them for internally hosted services, as opposed to using self-signed certificates. However, using CAcert-issued certificates while enforcing HTTPS on a public website seems overly optimistic to me. Nor do I believe it's realistic to expect that CAcert will be able to meet the industry requirements without attracting a few wealthy sponsors. Just look at the major players backing Let's Encrypt to get a feel for the money involved.

In my opinion Let’s Encrypt is currently the only viable alternative for getting free certificates while adhering to current security practices.