View Issue Details

ID: 0001305
Project: Main CAcert Website
Category: certificate issuing
View Status: public
Last Update: 2021-08-05 17:49
Reporter: wytze
Assigned To: Ted
Priority: urgent
Severity: major
Reproducibility: always
Status: needs review & testing
Resolution: fixed
Platform: Main CAcert Website
OS: N/A
OS Version: stable
Product Version: 2014 Q3
Summary: 0001305: CAcert Class1 root certificate needs to be reissued with an updated CDP and a SHA-based signature
Description:
The CAcert Class1 root certificate (THE CAcert root) is suffering from two operational problems:

1. The CDP (CRL Distribution Point) listed in the root cert is
        https://www.cacert.org/revoke.crl
But since we do not want to distribute the (huge) CRL through our main web server but rather through a specialized CRL server, the main web server is redirecting all requests for the above URL to http://crl.cacert.org. It turns out that some validation software, for example Microsoft's CryptoAPI, is unable to deal with such HTTP redirects, and reports a verification failure.

Also, the use of HTTPS in the CDP is *not* recommended, see RFC5280 http://tools.ietf.org/html/rfc5280, in the section Security Considerations:
   When certificates include a cRLDistributionPoints extension with an
   https URI or similar scheme, circular dependencies can be introduced.
   The relying party is forced to perform an additional path validation
   in order to obtain the CRL required to complete the initial path
   validation! Circular conditions can also be created with an https
   URI (or similar scheme) in the authorityInfoAccess or
   subjectInfoAccess extensions. At worst, this situation can create
   unresolvable dependencies.

So the CDP should be http://crl.cacert.org/revoke.crl.

2. The current root cert is signed with an MD5 hash. While from a security point of view, the quality of the hash algorithm used for such a trusted cert does not matter, from time to time rumours and sometimes even software appear which choke on this. A SHA-256 based signature would kill all such issues right away.

Steps To Reproduce:
Issue 1 can be demonstrated with a command like this on a Windows 7 system:
     certutil -f -verify -urlfetch server.crt
for some CAcert Class3 issued server certificate. Output of the above command has been added as attachment to this bug entry.

Issue 2 is demonstrated somewhat by the currently open Bugzilla issue for Firefox: https://bugzilla.mozilla.org/show_bug.cgi?id=1058812
Additional Information:
The CAcert Class3 intermediate root certificate was re-signed in 2011 to deal with the MD5 issue (for this cert, being intermediate, it was truly a blocking problem). A similar procedure could be used to re-sign the CAcert Class1 root. This will likely be a much faster process than waiting for the results of the NRE (New Roots & Escrow) project.
Tags: certificates
Reviewed by: dastrath, Ted
Test Instructions

Relationships

related to 0001254 (fix available, BenBE): Update the signed PGP-Message containing the fingerprints of CAcert
related to 0001194 (needs work, NEOatNHNG): Root certificate installer MSI package fails on Windows 8
related to 0001533 (needs review & testing, Ted): CAP forms should contain the sha1 & sha256 of the new Class 3 Root
child of 0001447 (new): Cannot access main cacert website

Activities

wytze

2014-09-15 14:07

developer  

crl-redirect-issue.log (5,274 bytes)   
Verlener:
    CN=CAcert Class 3 Root
    OU=http://www.CAcert.org
    O=CAcert Inc.
Onderwerp:
    CN=bocanium.soleus.nu
Serienummer van certificaat: 010c5c

dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)

CertContext[0][0]: dwInfoStatus=104 dwErrorStatus=0
  Issuer: CN=CAcert Class 3 Root, OU=http://www.CAcert.org, O=CAcert Inc.
  NotBefore: 6-11-2012 16:09
  NotAfter: 6-11-2014 16:09
  Subject: CN=bocanium.soleus.nu
  Serial: 010c5c
  SubjectAltName: DNS-naam=bocanium.soleus.nu, Andere naam:1.3.6.1.5.5.7.8.5=0c 12 62 6f 63 61 6e 69 75 6d 2e 73 6f 6c 65 75 73 2e 6e 75
  de 55 08 57 34 ba 81 24 56 af dd 94 e7 eb 1c 75 fe 26 50 ca
  Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ----------------  Certificaat AIA  ----------------
  Geen URL's "Geen" Tijd: 0
  ----------------  Certificaat CDP  ----------------
  Gecontroleerd "Basislijst met ingetrokken certificaten" Tijd: 0
    [0.0] http://crl.cacert.org/class3-revoke.crl

  ----------------  Basis-CRL CDP  ----------------
  Geen URL's "Geen" Tijd: 0
  ----------------  Certificaat-OCSP  ----------------
  Gecontroleerd "OCSP" Tijd: 0
    [0.0] http://ocsp.cacert.org/

  --------------------------------
    CRL (null):
    Issuer: CN=CAcert Class 3 Root, OU=http://www.CAcert.org, O=CAcert Inc.
    79 0d 8e 2a 39 7b 7b 69 da ec b0 e0 48 f1 b2 b6 19 1e f5 ff
  Application[0] = 1.3.6.1.5.5.7.3.2 Clientverificatie
  Application[1] = 1.3.6.1.5.5.7.3.1 Serververificatie
  Application[2] = 2.16.840.1.113730.4.1 
  Application[3] = 1.3.6.1.4.1.311.10.3.3 

CertContext[0][1]: dwInfoStatus=101 dwErrorStatus=1000040
  Issuer: E=support@cacert.org, CN=CA Cert Signing Authority, OU=http://www.cacert.org, O=Root CA
  NotBefore: 23-5-2011 19:48
  NotAfter: 20-5-2021 19:48
  Subject: CN=CAcert Class 3 Root, OU=http://www.CAcert.org, O=CAcert Inc.
  Serial: 0a418a
  ad 7c 3f 64 fc 44 39 fe f4 e9 0b e8 f4 7c 6c fa 8a ad fd ce
  Element.dwInfoStatus = CERT_TRUST_HAS_EXACT_MATCH_ISSUER (0x1)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
  Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
  ----------------  Certificaat AIA  ----------------
  Gecontroleerd "Certificaat (0)" Tijd: 0
    [0.0] http://www.CAcert.org/ca.crt

  ----------------  Certificaat CDP  ----------------
  Geen URL's "Geen" Tijd: 0
  ----------------  Certificaat-OCSP  ----------------
  Gecontroleerd "OCSP" Tijd: 0
    [0.0] http://ocsp.CAcert.org/

  --------------------------------
  Issuance[0] = 1.3.6.1.4.1.18506 

CertContext[0][2]: dwInfoStatus=109 dwErrorStatus=0
  Issuer: E=support@cacert.org, CN=CA Cert Signing Authority, OU=http://www.cacert.org, O=Root CA
  NotBefore: 30-3-2003 14:29
  NotAfter: 29-3-2033 14:29
  Subject: E=support@cacert.org, CN=CA Cert Signing Authority, OU=http://www.cacert.org, O=Root CA
  Serial: 00
  13 5c ec 36 f4 9c b8 e9 3b 1a b2 70 cd 80 88 46 76 ce 8f 33
  Element.dwInfoStatus = CERT_TRUST_HAS_EXACT_MATCH_ISSUER (0x1)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ----------------  Certificaat AIA  ----------------
  Geen URL's "Geen" Tijd: 0
  ----------------  Certificaat CDP  ----------------
  Mislukt "CRL-distributiepunt (CDP)" Tijd: 0
    Fout tijdens het ophalen van de URL: Fout 0x8019012d (-2145844947)
    https://www.cacert.org/revoke.crl

  ----------------  Certificaat-OCSP  ----------------
  Geen URL's "Geen" Tijd: 0
  --------------------------------

Exclude leaf cert:
  96 aa e8 9d 5c cf b0 0c 60 7e 3c b9 f6 25 de ff 3d 86 1b 66
Full chain:
  ee 9e fa 78 60 a6 73 74 8d 97 c1 a9 11 35 0c 45 64 7e d1 e8
  Issuer: CN=CAcert Class 3 Root, OU=http://www.CAcert.org, O=CAcert Inc.
  NotBefore: 6-11-2012 16:09
  NotAfter: 6-11-2014 16:09
  Subject: CN=bocanium.soleus.nu
  Serial: 010c5c
  SubjectAltName: DNS-naam=bocanium.soleus.nu, Andere naam:1.3.6.1.5.5.7.8.5=0c 12 62 6f 63 61 6e 69 75 6d 2e 73 6f 6c 65 75 73 2e 6e 75
  de 55 08 57 34 ba 81 24 56 af dd 94 e7 eb 1c 75 fe 26 50 ca
De intrekkingsfunctie kan het intrekken niet controleren omdat de intrekkingsserver offline is. 0x80092013 (-2146885613)
------------------------------------
Intrekkingscontrole is overgeslagen: de server is offline
Het certificaat is een eindentiteitscertificaat
Intrekkingscontrole van certificaat voltooid
CertUtil: - de opdracht verify is voltooid.

Ruel Print

2014-10-04 09:58

reporter  

Global Sign.p7b (936 bytes)

felixd

2015-11-25 23:53

updater   ~0005486

There exists a procedure now that will fix this problem:
https://github.com/CAcertOrg/cacert-procedures/tree/master/rootResignSHA256

It was executed on test data on the FrosCON.
The following Audit report documents this execution:
https://wiki.cacert.org/Audit/Results/session2015.4

Currently the resulting files (re-signed test certificate, intermediate files, etc.) are kept with the Board, which should soon release them to the public.

Therefore we should soon (after enough review) be good to go for the real certificate.

felixd

2015-12-14 21:58

updater   ~0005492

We noticed problems related to keeping the serial of the Certificate. We therefore need to adjust the serial number to circumvent "reused issuer and serial"-errors when the Browser has both certificates (i.e. one installed and the other via the SSL Handshake)

I therefore propose:
https://github.com/yellowant/cacert-procedures/commit/a73faf1dbd8d88ebc490bd182db8c4c9e0dccaf2

cilap

2016-02-05 09:50

reporter   ~0005495

The issue has more pressure in the meanwhile.

On Java and Eclipse I am getting:
svn: E175002: SSL handshake failed: 'java.security.cert.CertificateException: Certificates does not conform to algorithm constraints'

Since Oracle has enforced the default handling of rejecting MD2 and MD5 certificates, any SSL connection on Ubuntu 14.04 is failing in combination with a Java VM.
Sadly the implementation is so stupid that all certificates are getting read in and added to the trust store during the first connection. And all certificates are checked, not only the ones which should be checked on the chain from the server cert up to the root.

Is there any plan on reissuing the root certificate with a SHA fingerprint and to get rid of MD5withRSA?

A workaround - but only working till next java update - is to change

vi /usr/lib/jvm/java-8-oracle/jre/lib/security/java.security

and to change to this:

#jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024

#jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768
jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 768

But this is, from a security perspective, not really nice, that CAcert is still working on its root cert on an "obsoleted" algorithm.

Hope I could help some guys with my report and the workaround description
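
The three problems reported in this ticket (an MD5 root signature, an https CDP, and a re-signed certificate that reuses issuer and serial) can be checked mechanically from `openssl x509 -noout -text` dumps. The Python below is an added example, not code from this ticket or from CAcert; the sample dumps are constructed from values quoted on this page, and the labels and function names are hypothetical.

```python
import re
from urllib.parse import urlsplit

# Digests named in the jdk.certpath.disabledAlgorithms line quoted in this ticket.
WEAK_DIGESTS = ("md2", "md5")

# Constructed sample in the layout of `openssl x509 -noout -text`, trimmed to the
# fields the checks read. Issuer and URLs are the ones quoted in this ticket.
TEMPLATE = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: {serial}
    Signature Algorithm: {sigalg}
        Issuer: O=Root CA, OU=http://www.cacert.org, CN=CA Cert Signing Authority/emailAddress=support@cacert.org
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 CRL Distribution Points:

                Full Name:
                  URI:{cdp}

            Netscape CA Revocation Url:
                URI:{cdp}
            Authority Information Access:
                OCSP - URI:http://ocsp.cacert.org
"""

# Hypothetical labels. "resigned-same-serial" models a re-sign that keeps serial 0.
SAMPLES = {
    "old-root": TEMPLATE.format(serial="0 (0x0)", sigalg="md5WithRSAEncryption",
                                cdp="https://www.cacert.org/revoke.crl"),
    "resigned-same-serial": TEMPLATE.format(serial="0 (0x0)",
                                            sigalg="sha256WithRSAEncryption",
                                            cdp="http://crl.cacert.org/revoke.crl"),
    "resigned-new-serial": TEMPLATE.format(serial="15 (0xf)",
                                           sigalg="sha256WithRSAEncryption",
                                           cdp="http://crl.cacert.org/revoke.crl"),
}

SERIAL_RE = re.compile(
    r"Serial Number:[ \t]*(?:\d+ \(0x([0-9a-fA-F]+)\)|\n\s*([0-9a-fA-F:]+))")


def cdp_uris(text):
    """Return only the URIs listed under the cRLDistributionPoints extension."""
    uris, header_indent = [], None
    for line in text.splitlines():
        indent = len(line) - len(line.lstrip())
        if header_indent is None:
            if line.strip().startswith("X509v3 CRL Distribution Points"):
                header_indent = indent
            continue
        if line.strip() and indent <= header_indent:
            break  # the next extension starts here
        match = re.match(r"\s*URI:(\S+)", line)
        if match:
            uris.append(match.group(1))
    return uris


def parse_dump(text):
    """Extract serial, signature algorithm, issuer and CDP URIs from one dump."""
    serial = SERIAL_RE.search(text)
    # openssl prints short serials as "15 (0xf)" and long ones as colon-separated hex.
    hex_serial = (serial.group(1) or serial.group(2)).replace(":", "")
    return {
        "serial": int(hex_serial, 16),
        "sigalg": re.search(r"Signature Algorithm:\s*(\S+)", text).group(1),
        "issuer": re.search(r"^\s*Issuer:\s*(.+)$", text, re.M).group(1).strip(),
        "cdp": cdp_uris(text),
    }


def audit(dumps):
    """Return (label, finding, detail) tuples for a {label: dump_text} mapping."""
    findings, seen = [], {}
    for label, text in dumps.items():
        cert = parse_dump(text)
        if cert["sigalg"].lower().startswith(WEAK_DIGESTS):
            findings.append((label, "weak-signature-digest", cert["sigalg"]))
        for uri in cert["cdp"]:
            # RFC 5280: an https CDP forces a second path validation to fetch the CRL.
            if urlsplit(uri).scheme.lower() == "https":
                findings.append((label, "https-cdp", uri))
        key = (cert["issuer"], cert["serial"])
        if key in seen and seen[key][1] != text:
            # Two different certificates sharing issuer and serial number.
            findings.append((label, "issuer-serial-reuse", seen[key][0]))
        seen.setdefault(key, (label, text))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLES):
        print(*finding, sep="\t")
```
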

reinhardm

2016-03-14 17:00

updater   ~0005512

Today I added the new roots into the browser.
I am running OpenSUSE and Firefox. The roots installed with a mouse click with no problems. I tried several logins where certificate login is required. All worked well.
I removed the old roots and made a login to https://bugs.cacert.org with no problems.
I will try further on different browsers and OS versions.

bjobjo

2017-04-04 16:12

reporter   ~0005542

Hello,
I increased the priority and severity.
Firefox is no longer accepting the Root Certificate, so we have to add an exception for every site that uses CA Cert Authority.

The ticket was opened in 2014 and we still don't have a new root cert.

The whole reputation of CAcert is in danger if the root certs are not secure.

Please do urgently fix this.
Current Firefox message for example:

wiki.cacert.org uses an invalid security certificate. The certificate is not trusted because it was signed using a signature algorithm that was disabled because that algorithm is not secure. Error code: SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED

dops

2018-04-18 21:37

reporter   ~0005586

New signed roots are tested on multiple platforms, see here: https://lists.cacert.org/wws/arc/cacert-board/2018-04/msg00014.html
Some people reported to use the certificates for years without any problems.

Any person left in the software team is welcome to announce where people can continue working.

GuKKDevel

2018-10-31 13:03

updater   ~0005628

a diff we started in Feb 2017 (Dirk, Aleš, and me)
diff-release-bug-1305 (25,355 bytes)   
diff --git a/pages/index/3.php b/pages/index/3.php
index af0c0f3..f060c8f 100644
--- a/pages/index/3.php
+++ b/pages/index/3.php
@@ -18,37 +18,6 @@
 
 <p><?=sprintf(_("You are bound by the %s Root Distribution Licence %s for any re-distributions of CAcert's roots."),"<a href='/policy/RootDistributionLicense.html'>","</a>")?></p>
 
-<h1><?=_("re-signed versions from 2016 - ")?><a href="https://blog.cacert.org/2016/03/successful-root-re-sign/"><?=_("see blog")?></a></h1>
-<br>
-
-<h3><?=_("Windows Installer") ?></h3>
-<ul class="no_indent">
-	<li><? printf(_("%s Windows installer package %s for browsers that use the Windows certificate store %s (for example Internet Explorer, Chrome on Windows and Safari on Windows)"), '<a href="certs/CAcert_Root_Certificates_256.msi">', '</a>', '<br/>')?></li>
-	<li><?=_("SHA1 Hash:") ?> f27e06391e5cfd87200baa1a0f674a9725516a4f</li>
-	<li><?=_("SHA256 Hash:") ?> 412c5fa846da64a80148f788b5bb0b70517d6f12bfb133ae6a87cc6bd1921b90</li>
-</ul>
-
-<h3><?=_("Class 1 PKI Key")?></h3>
-<ul class="no_indent">
-	<li><a href="certs/root_256.crt"><?=_("Root Certificate (PEM Format)")?></a></li>
-	<li><a href="certs/root_256.der"><?=_("Root Certificate (DER Format)")?></a></li>
-	<li><a href="certs/root_256.txt"><?=_("Root Certificate (Text Format)")?></a></li>
-	<li><a href="<?=$_SERVER['HTTPS']?"https":"http"?>://crl.cacert.org/revoke.crl">CRL</a></li>
-	<li><?=_("SHA256 fingerprint:")?> 07ED BD82 4A49 88CF EF42 15DA 20D4 8C2B 41D7 1529 D7C9 00F5 7092 6F27 7CC2 30C5</li>
-</ul>
-
-<h3><?=_("Class 3 PKI Key")?></h3>
-<ul class="no_indent">
-	<li><a href="certs/class3_256.crt"><?=_("Intermediate Certificate (PEM Format)")?></a></li>
-	<li><a href="certs/class3_256.der"><?=_("Intermediate Certificate (DER Format)")?></a></li>
-	<li><a href="certs/class3_256.txt"><?=_("Intermediate Certificate (Text Format)")?></a></li>
-	<li><a href="<?=$_SERVER['HTTPS']?"https":"http"?>://crl.cacert.org/class3-revoke.crl">CRL</a></li>
-	<li><?=_("SHA256 fingerprint:")?> F687 3D70 D675 96C2 ACBA 3440 1E69 738B 5270 1DD6 AB06 B497 49BC 5515 0936 D544</li>
-</ul>
-
-<h1><?=_("old versions")?></h1>
-<br>
-
 <h3><?=_("Windows Installer") ?></h3>
 <ul class="no_indent">
 	<li><? printf(_("%s Windows installer package %s for browsers that use the Windows certificate store %s (for example Internet Explorer, Chrome on Windows and Safari on Windows)"), '<a href="certs/CAcert_Root_Certificates.msi">', '</a>', '<br/>')?></li>
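Review bot: The removed block, from the "re-signed versions from 2016" heading through the "old versions" heading, takes the root_256.* and class3_256.* links and their SHA256 fingerprints off the page, while the remaining context still offers certs/CAcert_Root_Certificates.msi, which is the opposite of what this issue asks for. Please confirm the diff direction; if it was generated from the bug-1305 branch to release, regenerate it reversed so the re-signed section shows up as additions. Separately, both CRL links take their scheme from $_SERVER['HTTPS'], so an HTTPS page load yields https://crl.cacert.org/..., whereas the issue description and root_256.txt give http://crl.cacert.org/revoke.crl; consider hard-coding http:// for those two hrefs.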
diff --git a/www/certs/CAcert_Root_Certificates_256.msi b/www/certs/CAcert_Root_Certificates_256.msi
deleted file mode 100644
index e94d8fc..0000000
Binary files a/www/certs/CAcert_Root_Certificates_256.msi and /dev/null differ
diff --git a/www/certs/class3_256.crt b/www/certs/class3_256.crt
deleted file mode 100644
index d358c12..0000000
--- a/www/certs/class3_256.crt
+++ /dev/null
@@ -1,39 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIG0jCCBLqgAwIBAgIBDjANBgkqhkiG9w0BAQsFADB5MRAwDgYDVQQKEwdSb290
-IENBMR4wHAYDVQQLExVodHRwOi8vd3d3LmNhY2VydC5vcmcxIjAgBgNVBAMTGUNB
-IENlcnQgU2lnbmluZyBBdXRob3JpdHkxITAfBgkqhkiG9w0BCQEWEnN1cHBvcnRA
-Y2FjZXJ0Lm9yZzAeFw0xMTA1MjMxNzQ4MDJaFw0yMTA1MjAxNzQ4MDJaMFQxFDAS
-BgNVBAoTC0NBY2VydCBJbmMuMR4wHAYDVQQLExVodHRwOi8vd3d3LkNBY2VydC5v
-cmcxHDAaBgNVBAMTE0NBY2VydCBDbGFzcyAzIFJvb3QwggIiMA0GCSqGSIb3DQEB
-AQUAA4ICDwAwggIKAoICAQCrSTURSHzSJn5TlM9Dqd0o10Iqi/OHeBlYfA+e2ol9
-4fvrcpANdKGWZKufoCSZc9riVXbHF3v1BKxGuMO+f2SNEGwk82GcwPKQ+lHm9WkB
-Y8MPVuJKQs/iRIwlKKjFeQl9RrmK8+nzNCkIReQcn8uUBByBqBSzmGXEQ+xOgo0J
-0b2qW42S0OzekMV/CsLj6+YxWl50PpczWejDAz1gM7/30W9HxM3uYoNSbi4ImqTZ
-FRiRpoWSR7CuSOtttyHshRpocjWr//AQXcD0lKdq1TuSfkyQBX6TwSyLpI5idBVx
-bgtxA+qvFTia1NIFcm+M+SvrWnIl+TlG43IbPgTDZCciECqKT1inA62+tC4T7V2q
-SNfVfdQqe1z6RgRQ5MwOQluM7dvyz/yWk+DbETZUYjQ4jwxgmzuXVjit89Jbi6Bb
-6k6WuHzX1aCGcEDTkSm3ojyt9Yy7zxqSiuQ0e8DYbF/pCsLDpyCaWt8sXVJcukfV
-m+8kKHA4IC/VfynAskEDaJLM4JzMl0tF7zoQCqtwOpiVcK01seqFK6QcgCExqa5g
-eoAmSAC4AcCTY1UikTxW56/bOiXzjzFU6iaLgVn5odFTEcV7nQP2dBHgbbEsPyyG
-kZlxmqZ3izRg0RS0LKydr4wQ05/EavhvE/xzWfdmQnQeiuP43NJvmJzLR5iVQAX7
-6QIDAQABo4IBiDCCAYQwHQYDVR0OBBYEFHWocWBMiBPweNmJd7VtxYnfvLF6MA8G
-A1UdEwEB/wQFMAMBAf8wXQYIKwYBBQUHAQEEUTBPMCMGCCsGAQUFBzABhhdodHRw
-Oi8vb2NzcC5DQWNlcnQub3JnLzAoBggrBgEFBQcwAoYcaHR0cDovL3d3dy5DQWNl
-cnQub3JnL2NhLmNydDBKBgNVHSAEQzBBMD8GCCsGAQQBgZBKMDMwMQYIKwYBBQUH
-AgEWJWh0dHA6Ly93d3cuQ0FjZXJ0Lm9yZy9pbmRleC5waHA/aWQ9MTAwNAYJYIZI
-AYb4QgEIBCcWJWh0dHA6Ly93d3cuQ0FjZXJ0Lm9yZy9pbmRleC5waHA/aWQ9MTAw
-UAYJYIZIAYb4QgENBEMWQVRvIGdldCB5b3VyIG93biBjZXJ0aWZpY2F0ZSBmb3Ig
-RlJFRSwgZ28gdG8gaHR0cDovL3d3dy5DQWNlcnQub3JnMB8GA1UdIwQYMBaAFBa1
-MhvUx/Pg5o7zvdKwOu6yORjRMA0GCSqGSIb3DQEBCwUAA4ICAQBakBbQNiNWZJWJ
-vI+spCDJJoqp81TkQBg/SstDxpt2CebKVKeMlAuSaNZZuxeXe2nqrdRM4SlbKBWP
-3Rn0lVknlxjbjwm5fXh6yLBCVrXq616xJtCXE74FHIbhNAUVsQa92jzQE2OEbTWU
-0D6Zghih+j+cN0eFiuDuc3iC1GuZMb/Zw21AXbkVxzZ4ipaL0YQgsSt1P22ipb69
-6OLkrURctgY2cHS4pI62VpRgkwJ/Lw2n+C9vtukozMhrlPSTA0OhNEGiGp2hRpWa
-hiG+HGcIYfAV9v7og3dO9TnS0XDbbk1RqXPpc/DtrJWzmZN0O4KIx0OtLJJWG9zp
-9JrJyO6USIFYgar0U8HHHoTccth+8vJirz7Aw4DlCujo27OoIksg3OzgX/DkvWYl
-0J8EMlXoH0iTv3qcroQItOUFsgilbjRba86Q5kLhnCxjdW2CbbNSp8vlZn0uFxd8
-spxQcXs0CIn19uvcQIo4Z4uQ+00Lg9xI9YFV9S2MbSanlNUlvbB4UvHkel0p6bGt
-Amp1dJBSkZOFm0Z6ek+G7w7R1aTifjGJrdw032O+VIKwCgu8DdskR0w0B68ydZn0
-ATnMnr5ExvcWkZBtCgQa2NvSKrcQnlaqo9icEF4XevI/VTezlb1LjYMWHVd5R6C2
-p4wTyVBIM8hjrLcKiChF43GRJtne7w==
------END CERTIFICATE-----
diff --git a/www/certs/class3_256.der b/www/certs/class3_256.der
deleted file mode 100644
index 417b714..0000000
Binary files a/www/certs/class3_256.der and /dev/null differ
diff --git a/www/certs/class3_256.txt b/www/certs/class3_256.txt
deleted file mode 100644
index 1b096b0..0000000
--- a/www/certs/class3_256.txt
+++ /dev/null
@@ -1,142 +0,0 @@
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number: 14 (0xe)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: O=Root CA, OU=http://www.cacert.org, CN=CA Cert Signing Authority/emailAddress=support@cacert.org
-        Validity
-            Not Before: May 23 17:48:02 2011 GMT
-            Not After : May 20 17:48:02 2021 GMT
-        Subject: O=CAcert Inc., OU=http://www.CAcert.org, CN=CAcert Class 3 Root
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                Public-Key: (4096 bit)
-                Modulus:
-                    00:ab:49:35:11:48:7c:d2:26:7e:53:94:cf:43:a9:
-                    dd:28:d7:42:2a:8b:f3:87:78:19:58:7c:0f:9e:da:
-                    89:7d:e1:fb:eb:72:90:0d:74:a1:96:64:ab:9f:a0:
-                    24:99:73:da:e2:55:76:c7:17:7b:f5:04:ac:46:b8:
-                    c3:be:7f:64:8d:10:6c:24:f3:61:9c:c0:f2:90:fa:
-                    51:e6:f5:69:01:63:c3:0f:56:e2:4a:42:cf:e2:44:
-                    8c:25:28:a8:c5:79:09:7d:46:b9:8a:f3:e9:f3:34:
-                    29:08:45:e4:1c:9f:cb:94:04:1c:81:a8:14:b3:98:
-                    65:c4:43:ec:4e:82:8d:09:d1:bd:aa:5b:8d:92:d0:
-                    ec:de:90:c5:7f:0a:c2:e3:eb:e6:31:5a:5e:74:3e:
-                    97:33:59:e8:c3:03:3d:60:33:bf:f7:d1:6f:47:c4:
-                    cd:ee:62:83:52:6e:2e:08:9a:a4:d9:15:18:91:a6:
-                    85:92:47:b0:ae:48:eb:6d:b7:21:ec:85:1a:68:72:
-                    35:ab:ff:f0:10:5d:c0:f4:94:a7:6a:d5:3b:92:7e:
-                    4c:90:05:7e:93:c1:2c:8b:a4:8e:62:74:15:71:6e:
-                    0b:71:03:ea:af:15:38:9a:d4:d2:05:72:6f:8c:f9:
-                    2b:eb:5a:72:25:f9:39:46:e3:72:1b:3e:04:c3:64:
-                    27:22:10:2a:8a:4f:58:a7:03:ad:be:b4:2e:13:ed:
-                    5d:aa:48:d7:d5:7d:d4:2a:7b:5c:fa:46:04:50:e4:
-                    cc:0e:42:5b:8c:ed:db:f2:cf:fc:96:93:e0:db:11:
-                    36:54:62:34:38:8f:0c:60:9b:3b:97:56:38:ad:f3:
-                    d2:5b:8b:a0:5b:ea:4e:96:b8:7c:d7:d5:a0:86:70:
-                    40:d3:91:29:b7:a2:3c:ad:f5:8c:bb:cf:1a:92:8a:
-                    e4:34:7b:c0:d8:6c:5f:e9:0a:c2:c3:a7:20:9a:5a:
-                    df:2c:5d:52:5c:ba:47:d5:9b:ef:24:28:70:38:20:
-                    2f:d5:7f:29:c0:b2:41:03:68:92:cc:e0:9c:cc:97:
-                    4b:45:ef:3a:10:0a:ab:70:3a:98:95:70:ad:35:b1:
-                    ea:85:2b:a4:1c:80:21:31:a9:ae:60:7a:80:26:48:
-                    00:b8:01:c0:93:63:55:22:91:3c:56:e7:af:db:3a:
-                    25:f3:8f:31:54:ea:26:8b:81:59:f9:a1:d1:53:11:
-                    c5:7b:9d:03:f6:74:11:e0:6d:b1:2c:3f:2c:86:91:
-                    99:71:9a:a6:77:8b:34:60:d1:14:b4:2c:ac:9d:af:
-                    8c:10:d3:9f:c4:6a:f8:6f:13:fc:73:59:f7:66:42:
-                    74:1e:8a:e3:f8:dc:d2:6f:98:9c:cb:47:98:95:40:
-                    05:fb:e9
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Subject Key Identifier: 
-                75:A8:71:60:4C:88:13:F0:78:D9:89:77:B5:6D:C5:89:DF:BC:B1:7A
-            X509v3 Basic Constraints: critical
-                CA:TRUE
-            Authority Information Access: 
-                OCSP - URI:http://ocsp.CAcert.org/
-                CA Issuers - URI:http://www.CAcert.org/ca.crt
-
-            X509v3 Certificate Policies: 
-                Policy: 1.3.6.1.4.1.18506
-                  CPS: http://www.CAcert.org/index.php?id=10
-
-            Netscape CA Policy Url: 
-                http://www.CAcert.org/index.php?id=10
-            Netscape Comment: 
-                To get your own certificate for FREE, go to http://www.CAcert.org
-            X509v3 Authority Key Identifier: 
-                keyid:16:B5:32:1B:D4:C7:F3:E0:E6:8E:F3:BD:D2:B0:3A:EE:B2:39:18:D1
-
-    Signature Algorithm: sha256WithRSAEncryption
-         5a:90:16:d0:36:23:56:64:95:89:bc:8f:ac:a4:20:c9:26:8a:
-         a9:f3:54:e4:40:18:3f:4a:cb:43:c6:9b:76:09:e6:ca:54:a7:
-         8c:94:0b:92:68:d6:59:bb:17:97:7b:69:ea:ad:d4:4c:e1:29:
-         5b:28:15:8f:dd:19:f4:95:59:27:97:18:db:8f:09:b9:7d:78:
-         7a:c8:b0:42:56:b5:ea:eb:5e:b1:26:d0:97:13:be:05:1c:86:
-         e1:34:05:15:b1:06:bd:da:3c:d0:13:63:84:6d:35:94:d0:3e:
-         99:82:18:a1:fa:3f:9c:37:47:85:8a:e0:ee:73:78:82:d4:6b:
-         99:31:bf:d9:c3:6d:40:5d:b9:15:c7:36:78:8a:96:8b:d1:84:
-         20:b1:2b:75:3f:6d:a2:a5:be:bd:e8:e2:e4:ad:44:5c:b6:06:
-         36:70:74:b8:a4:8e:b6:56:94:60:93:02:7f:2f:0d:a7:f8:2f:
-         6f:b6:e9:28:cc:c8:6b:94:f4:93:03:43:a1:34:41:a2:1a:9d:
-         a1:46:95:9a:86:21:be:1c:67:08:61:f0:15:f6:fe:e8:83:77:
-         4e:f5:39:d2:d1:70:db:6e:4d:51:a9:73:e9:73:f0:ed:ac:95:
-         b3:99:93:74:3b:82:88:c7:43:ad:2c:92:56:1b:dc:e9:f4:9a:
-         c9:c8:ee:94:48:81:58:81:aa:f4:53:c1:c7:1e:84:dc:72:d8:
-         7e:f2:f2:62:af:3e:c0:c3:80:e5:0a:e8:e8:db:b3:a8:22:4b:
-         20:dc:ec:e0:5f:f0:e4:bd:66:25:d0:9f:04:32:55:e8:1f:48:
-         93:bf:7a:9c:ae:84:08:b4:e5:05:b2:08:a5:6e:34:5b:6b:ce:
-         90:e6:42:e1:9c:2c:63:75:6d:82:6d:b3:52:a7:cb:e5:66:7d:
-         2e:17:17:7c:b2:9c:50:71:7b:34:08:89:f5:f6:eb:dc:40:8a:
-         38:67:8b:90:fb:4d:0b:83:dc:48:f5:81:55:f5:2d:8c:6d:26:
-         a7:94:d5:25:bd:b0:78:52:f1:e4:7a:5d:29:e9:b1:ad:02:6a:
-         75:74:90:52:91:93:85:9b:46:7a:7a:4f:86:ef:0e:d1:d5:a4:
-         e2:7e:31:89:ad:dc:34:df:63:be:54:82:b0:0a:0b:bc:0d:db:
-         24:47:4c:34:07:af:32:75:99:f4:01:39:cc:9e:be:44:c6:f7:
-         16:91:90:6d:0a:04:1a:d8:db:d2:2a:b7:10:9e:56:aa:a3:d8:
-         9c:10:5e:17:7a:f2:3f:55:37:b3:95:bd:4b:8d:83:16:1d:57:
-         79:47:a0:b6:a7:8c:13:c9:50:48:33:c8:63:ac:b7:0a:88:28:
-         45:e3:71:91:26:d9:de:ef
------BEGIN CERTIFICATE-----
-MIIHWTCCBUGgAwIBAgIDCkGKMA0GCSqGSIb3DQEBCwUAMHkxEDAOBgNVBAoTB1Jv
-b3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAGA1UEAxMZ
-Q0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYSc3VwcG9y
-dEBjYWNlcnQub3JnMB4XDTExMDUyMzE3NDgwMloXDTIxMDUyMDE3NDgwMlowVDEU
-MBIGA1UEChMLQ0FjZXJ0IEluYy4xHjAcBgNVBAsTFWh0dHA6Ly93d3cuQ0FjZXJ0
-Lm9yZzEcMBoGA1UEAxMTQ0FjZXJ0IENsYXNzIDMgUm9vdDCCAiIwDQYJKoZIhvcN
-AQEBBQADggIPADCCAgoCggIBAKtJNRFIfNImflOUz0Op3SjXQiqL84d4GVh8D57a
-iX3h++tykA10oZZkq5+gJJlz2uJVdscXe/UErEa4w75/ZI0QbCTzYZzA8pD6Ueb1
-aQFjww9W4kpCz+JEjCUoqMV5CX1GuYrz6fM0KQhF5Byfy5QEHIGoFLOYZcRD7E6C
-jQnRvapbjZLQ7N6QxX8KwuPr5jFaXnQ+lzNZ6MMDPWAzv/fRb0fEze5ig1JuLgia
-pNkVGJGmhZJHsK5I6223IeyFGmhyNav/8BBdwPSUp2rVO5J+TJAFfpPBLIukjmJ0
-FXFuC3ED6q8VOJrU0gVyb4z5K+taciX5OUbjchs+BMNkJyIQKopPWKcDrb60LhPt
-XapI19V91Cp7XPpGBFDkzA5CW4zt2/LP/JaT4NsRNlRiNDiPDGCbO5dWOK3z0luL
-oFvqTpa4fNfVoIZwQNORKbeiPK31jLvPGpKK5DR7wNhsX+kKwsOnIJpa3yxdUly6
-R9Wb7yQocDggL9V/KcCyQQNokszgnMyXS0XvOhAKq3A6mJVwrTWx6oUrpByAITGp
-rmB6gCZIALgBwJNjVSKRPFbnr9s6JfOPMVTqJouBWfmh0VMRxXudA/Z0EeBtsSw/
-LIaRmXGapneLNGDRFLQsrJ2vjBDTn8Rq+G8T/HNZ92ZCdB6K4/jc0m+YnMtHmJVA
-BfvpAgMBAAGjggINMIICCTAdBgNVHQ4EFgQUdahxYEyIE/B42Yl3tW3Fid+8sXow
-gaMGA1UdIwSBmzCBmIAUFrUyG9TH8+DmjvO90rA67rI5GNGhfaR7MHkxEDAOBgNV
-BAoTB1Jvb3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAG
-A1UEAxMZQ0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYS
-c3VwcG9ydEBjYWNlcnQub3JnggEAMA8GA1UdEwEB/wQFMAMBAf8wXQYIKwYBBQUH
-AQEEUTBPMCMGCCsGAQUFBzABhhdodHRwOi8vb2NzcC5DQWNlcnQub3JnLzAoBggr
-BgEFBQcwAoYcaHR0cDovL3d3dy5DQWNlcnQub3JnL2NhLmNydDBKBgNVHSAEQzBB
-MD8GCCsGAQQBgZBKMDMwMQYIKwYBBQUHAgEWJWh0dHA6Ly93d3cuQ0FjZXJ0Lm9y
-Zy9pbmRleC5waHA/aWQ9MTAwNAYJYIZIAYb4QgEIBCcWJWh0dHA6Ly93d3cuQ0Fj
-ZXJ0Lm9yZy9pbmRleC5waHA/aWQ9MTAwUAYJYIZIAYb4QgENBEMWQVRvIGdldCB5
-b3VyIG93biBjZXJ0aWZpY2F0ZSBmb3IgRlJFRSwgZ28gdG8gaHR0cDovL3d3dy5D
-QWNlcnQub3JnMA0GCSqGSIb3DQEBCwUAA4ICAQApKIWuRKm5r6R5E/CooyuXYPNc
-7uMvwfbiZqARrjY3OnYVBFPqQvX56sAV2KaC2eRhrnILKVyQQ+hBsuF32wITRHhH
-Va9Y/MyY9kW50SD42CEH/m2qc9SzxgfpCYXMO/K2viwcJdVxjDm1Luq+GIG6sJO4
-D+Pm1yaMMVpyA4RS5qb1MyJFCsgLDYq4Nm+QCaGrvdfVTi5xotSu+qdUK+s1jVq3
-VIgv7nSf7UgWyg1I0JTTrKSi9iTfkuO960NAkW4cGI5WtIIS86mTn9S8nK2cde5a
-lxuV53QtHA+wLJef+6kzOXrnAzqSjiL2jA3k2X4Ndhj3AfnvlpaiVXPAPHG0HRpW
-Q7fDCo1y/OIQCQtBzoyUoPkD/XFzS4pXM+WOdH4VAQDmzEoc53+VGS3FpQyLu7Xt
-hbNc09+4ufLKxw0BFKxwWMWMjTPUnWajGlCVI/xI4AZDEtnNp4Y5LzZyo4AQ5OHz
-0ctbGsDkgJp8E3MGT9ujayQKurMcvEp4u+XjdTilSKeiHq921F73OIZWWonO1sOn
-ebJSoMbxhbQljPI/lrMQ2Y1sVzufb4Y6GIIiNsiwkTjbKqGTqoQ/9SdlrnPVyNXT
-d+pLncdBu8fA46A/5H2kjXPmEkvfoXNzczqA6NXLji/L6hOn1kGLrPo8idck9U60
-4GGSt/M3mMS+lqO3ig==
------END CERTIFICATE-----
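Review bot: The PEM block appended at the end of class3_256.txt does not match the dump above it: it starts MIIHWTCCBUGgAwIBAgIDCkGK, which encodes serial 0a418a, while the dump header says Serial Number: 14 (0xe) and class3_256.crt starts MIIG0jCCBLqgAwIBAgIBDj. Regenerate the .txt from the final class3_256.crt so that the text dump, the PEM and the fingerprint listed in 3.php all refer to the same certificate.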
diff --git a/www/certs/root_256.crt b/www/certs/root_256.crt
deleted file mode 100644
index 8ef0716..0000000
--- a/www/certs/root_256.crt
+++ /dev/null
@@ -1,40 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIG7jCCBNagAwIBAgIBDzANBgkqhkiG9w0BAQsFADB5MRAwDgYDVQQKEwdSb290
-IENBMR4wHAYDVQQLExVodHRwOi8vd3d3LmNhY2VydC5vcmcxIjAgBgNVBAMTGUNB
-IENlcnQgU2lnbmluZyBBdXRob3JpdHkxITAfBgkqhkiG9w0BCQEWEnN1cHBvcnRA
-Y2FjZXJ0Lm9yZzAeFw0wMzAzMzAxMjI5NDlaFw0zMzAzMjkxMjI5NDlaMHkxEDAO
-BgNVBAoTB1Jvb3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEi
-MCAGA1UEAxMZQ0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJ
-ARYSc3VwcG9ydEBjYWNlcnQub3JnMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIIC
-CgKCAgEAziLA4kZ97DYoB1CW8qAzQIxL8TtmPzHlawI229Z89vGIj053NgVBlfkJ
-8BLPRoZzYLdufujAWGSuzbCtRRcMY/pnCujW0r8+55jE8Ez64AO7NV1sId6eINm6
-zWYyN3L69wj1x81YyY7nDl7qPv4coRQKFWyGhFtkZip6qUtTefWIonvuLwphK42y
-fk1WpRPs6tqSnqxEQR5YYGUFZvjARL3LlPdCfgv3ZWiYUQXw8wWRBB0bF4LsyFe7
-w2t6iPGwcswlWyCR7BYCEo8y6RcYSNDHBS4CMEK4JZwFaz+qOqfrU0j36NK2B5jc
-G8Y0f3/JHIJ6BVgrCFvzOKKrF11myZjXnhCLotLddJr3cQxyYN/Nb5gznZY0dj4k
-epKwDpUeb+agRThHqtdB7Uq3EvbXG4OKDy7YCbZZ16oE/9KTfWgu3YtLq1i6L43q
-laegw1SJpfvbi1EinbLDvhG+LJGGi5Z4rSDTii8aP8bQUWWHIbEZAWV/RRyH9XzQ
-QUxPKZgh/TMfdQwEUfoZd9vUFBzugcMd9Zi3aQaRIt0AUMyBMawSB3s42mhb5ivU
-fslfrejrckzzAeVLIL+aplfKkQABi6F1ITe1Yw1nPkZPcCBnzsXWWdsC4PDSy826
-YreQQejdIOQpvGQpQsgi3Hia/0PsmBsJUUtaWsJx8cTLc6nloQsCAwEAAaOCAX8w
-ggF7MB0GA1UdDgQWBBQWtTIb1Mfz4OaO873SsDrusjkY0TAPBgNVHRMBAf8EBTAD
-AQH/MDQGCWCGSAGG+EIBCAQnFiVodHRwOi8vd3d3LmNhY2VydC5vcmcvaW5kZXgu
-cGhwP2lkPTEwMFYGCWCGSAGG+EIBDQRJFkdUbyBnZXQgeW91ciBvd24gY2VydGlm
-aWNhdGUgZm9yIEZSRUUgaGVhZCBvdmVyIHRvIGh0dHA6Ly93d3cuY2FjZXJ0Lm9y
-ZzAxBgNVHR8EKjAoMCagJKAihiBodHRwOi8vY3JsLmNhY2VydC5vcmcvcmV2b2tl
-LmNybDAzBglghkgBhvhCAQQEJhYkVVJJOmh0dHA6Ly9jcmwuY2FjZXJ0Lm9yZy9y
-ZXZva2UuY3JsMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYWaHR0cDovL29j
-c3AuY2FjZXJ0Lm9yZzAfBgNVHSMEGDAWgBQWtTIb1Mfz4OaO873SsDrusjkY0TAN
-BgkqhkiG9w0BAQsFAAOCAgEAR5zXs6IX01JTt7Rq3b+bNRUhbO9vGBMggczo7R0q
-Ih1kdhS6WzcrDoO6PkpuRg0L3qM7YQB6pw2V+ubzF7xl4C0HWltfzPTbzAHdJtja
-JQw7QaBlmAYpN2CLB6Jeg8q/1Xpgdw/+IP1GRwdg7xUpReUA482l4MH1kf0W0ad9
-4SuIfNWQHcdLApmno/SUh1bpZyeWrMnlhkGNDKMxCCQXQ360TwFHc8dfEAaq5ry6
-cZzm1oetrkSviE2qofxvv1VFiQ+9TX3/zkECCsUB/EjPM0lxFBmu9T5Ih+Eqns9i
-vmrEIQDv9tNyJHuLsDNqbUBal7OoiPZnXk9LH+qb+pLf1ofv5noy5vX2a5OKebHe
-+0Ex/A7e+G/HuOjVNqhZ9j5Nispfq9zNyOHGWD8ofj8DHwB50L1Xh5H+EbIoga/h
-JCQnRtxWkHP699T1JpLFYwapgplivF4TFv4fqp0nHTKC1x9gGrIgvuYJl1txIKmx
-XdfJzgscMzqpabhtHOMXOiwQBpWzyJkofF/w55e0LttZDBkEsilV/vW0CJsPs3eN
-aQF+iMWscGOkgLFlWsAS3HwyiYLNJo26aqyWPaIdc8E4ck7Sk08WrFrHIK3EHr4n
-1FZwmLpFAvucKqgl0hr+2jypyh5puA3KksHF3CsUzjMUvzxMhykh9zrMxQAHLBVr
-Gwc=
------END CERTIFICATE-----
diff --git a/www/certs/root_256.der b/www/certs/root_256.der
deleted file mode 100644
index e827487..0000000
Binary files a/www/certs/root_256.der and /dev/null differ
diff --git a/www/certs/root_256.txt b/www/certs/root_256.txt
deleted file mode 100644
index 428e0bc..0000000
--- a/www/certs/root_256.txt
+++ /dev/null
@@ -1,142 +0,0 @@
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number: 15 (0xf)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: O=Root CA, OU=http://www.cacert.org, CN=CA Cert Signing Authority/emailAddress=support@cacert.org
-        Validity
-            Not Before: Mar 30 12:29:49 2003 GMT
-            Not After : Mar 29 12:29:49 2033 GMT
-        Subject: O=Root CA, OU=http://www.cacert.org, CN=CA Cert Signing Authority/emailAddress=support@cacert.org
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                Public-Key: (4096 bit)
-                Modulus:
-                    00:ce:22:c0:e2:46:7d:ec:36:28:07:50:96:f2:a0:
-                    33:40:8c:4b:f1:3b:66:3f:31:e5:6b:02:36:db:d6:
-                    7c:f6:f1:88:8f:4e:77:36:05:41:95:f9:09:f0:12:
-                    cf:46:86:73:60:b7:6e:7e:e8:c0:58:64:ae:cd:b0:
-                    ad:45:17:0c:63:fa:67:0a:e8:d6:d2:bf:3e:e7:98:
-                    c4:f0:4c:fa:e0:03:bb:35:5d:6c:21:de:9e:20:d9:
-                    ba:cd:66:32:37:72:fa:f7:08:f5:c7:cd:58:c9:8e:
-                    e7:0e:5e:ea:3e:fe:1c:a1:14:0a:15:6c:86:84:5b:
-                    64:66:2a:7a:a9:4b:53:79:f5:88:a2:7b:ee:2f:0a:
-                    61:2b:8d:b2:7e:4d:56:a5:13:ec:ea:da:92:9e:ac:
-                    44:41:1e:58:60:65:05:66:f8:c0:44:bd:cb:94:f7:
-                    42:7e:0b:f7:65:68:98:51:05:f0:f3:05:91:04:1d:
-                    1b:17:82:ec:c8:57:bb:c3:6b:7a:88:f1:b0:72:cc:
-                    25:5b:20:91:ec:16:02:12:8f:32:e9:17:18:48:d0:
-                    c7:05:2e:02:30:42:b8:25:9c:05:6b:3f:aa:3a:a7:
-                    eb:53:48:f7:e8:d2:b6:07:98:dc:1b:c6:34:7f:7f:
-                    c9:1c:82:7a:05:58:2b:08:5b:f3:38:a2:ab:17:5d:
-                    66:c9:98:d7:9e:10:8b:a2:d2:dd:74:9a:f7:71:0c:
-                    72:60:df:cd:6f:98:33:9d:96:34:76:3e:24:7a:92:
-                    b0:0e:95:1e:6f:e6:a0:45:38:47:aa:d7:41:ed:4a:
-                    b7:12:f6:d7:1b:83:8a:0f:2e:d8:09:b6:59:d7:aa:
-                    04:ff:d2:93:7d:68:2e:dd:8b:4b:ab:58:ba:2f:8d:
-                    ea:95:a7:a0:c3:54:89:a5:fb:db:8b:51:22:9d:b2:
-                    c3:be:11:be:2c:91:86:8b:96:78:ad:20:d3:8a:2f:
-                    1a:3f:c6:d0:51:65:87:21:b1:19:01:65:7f:45:1c:
-                    87:f5:7c:d0:41:4c:4f:29:98:21:fd:33:1f:75:0c:
-                    04:51:fa:19:77:db:d4:14:1c:ee:81:c3:1d:f5:98:
-                    b7:69:06:91:22:dd:00:50:cc:81:31:ac:12:07:7b:
-                    38:da:68:5b:e6:2b:d4:7e:c9:5f:ad:e8:eb:72:4c:
-                    f3:01:e5:4b:20:bf:9a:a6:57:ca:91:00:01:8b:a1:
-                    75:21:37:b5:63:0d:67:3e:46:4f:70:20:67:ce:c5:
-                    d6:59:db:02:e0:f0:d2:cb:cd:ba:62:b7:90:41:e8:
-                    dd:20:e4:29:bc:64:29:42:c8:22:dc:78:9a:ff:43:
-                    ec:98:1b:09:51:4b:5a:5a:c2:71:f1:c4:cb:73:a9:
-                    e5:a1:0b
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Subject Key Identifier: 
-                16:B5:32:1B:D4:C7:F3:E0:E6:8E:F3:BD:D2:B0:3A:EE:B2:39:18:D1
-            X509v3 Basic Constraints: critical
-                CA:TRUE
-            Netscape CA Policy Url: 
-                http://www.cacert.org/index.php?id=10
-            Netscape Comment: 
-                To get your own certificate for FREE head over to http://www.cacert.org
-            X509v3 CRL Distribution Points: 
-
-                Full Name:
-                  URI:http://crl.cacert.org/revoke.crl
-
-            Netscape CA Revocation Url: 
-                URI:http://crl.cacert.org/revoke.crl
-            Authority Information Access: 
-                OCSP - URI:http://ocsp.cacert.org
-
-            X509v3 Authority Key Identifier: 
-                keyid:16:B5:32:1B:D4:C7:F3:E0:E6:8E:F3:BD:D2:B0:3A:EE:B2:39:18:D1
-
-    Signature Algorithm: sha256WithRSAEncryption
-         47:9c:d7:b3:a2:17:d3:52:53:b7:b4:6a:dd:bf:9b:35:15:21:
-         6c:ef:6f:18:13:20:81:cc:e8:ed:1d:2a:22:1d:64:76:14:ba:
-         5b:37:2b:0e:83:ba:3e:4a:6e:46:0d:0b:de:a3:3b:61:00:7a:
-         a7:0d:95:fa:e6:f3:17:bc:65:e0:2d:07:5a:5b:5f:cc:f4:db:
-         cc:01:dd:26:d8:da:25:0c:3b:41:a0:65:98:06:29:37:60:8b:
-         07:a2:5e:83:ca:bf:d5:7a:60:77:0f:fe:20:fd:46:47:07:60:
-         ef:15:29:45:e5:00:e3:cd:a5:e0:c1:f5:91:fd:16:d1:a7:7d:
-         e1:2b:88:7c:d5:90:1d:c7:4b:02:99:a7:a3:f4:94:87:56:e9:
-         67:27:96:ac:c9:e5:86:41:8d:0c:a3:31:08:24:17:43:7e:b4:
-         4f:01:47:73:c7:5f:10:06:aa:e6:bc:ba:71:9c:e6:d6:87:ad:
-         ae:44:af:88:4d:aa:a1:fc:6f:bf:55:45:89:0f:bd:4d:7d:ff:
-         ce:41:02:0a:c5:01:fc:48:cf:33:49:71:14:19:ae:f5:3e:48:
-         87:e1:2a:9e:cf:62:be:6a:c4:21:00:ef:f6:d3:72:24:7b:8b:
-         b0:33:6a:6d:40:5a:97:b3:a8:88:f6:67:5e:4f:4b:1f:ea:9b:
-         fa:92:df:d6:87:ef:e6:7a:32:e6:f5:f6:6b:93:8a:79:b1:de:
-         fb:41:31:fc:0e:de:f8:6f:c7:b8:e8:d5:36:a8:59:f6:3e:4d:
-         8a:ca:5f:ab:dc:cd:c8:e1:c6:58:3f:28:7e:3f:03:1f:00:79:
-         d0:bd:57:87:91:fe:11:b2:28:81:af:e1:24:24:27:46:dc:56:
-         90:73:fa:f7:d4:f5:26:92:c5:63:06:a9:82:99:62:bc:5e:13:
-         16:fe:1f:aa:9d:27:1d:32:82:d7:1f:60:1a:b2:20:be:e6:09:
-         97:5b:71:20:a9:b1:5d:d7:c9:ce:0b:1c:33:3a:a9:69:b8:6d:
-         1c:e3:17:3a:2c:10:06:95:b3:c8:99:28:7c:5f:f0:e7:97:b4:
-         2e:db:59:0c:19:04:b2:29:55:fe:f5:b4:08:9b:0f:b3:77:8d:
-         69:01:7e:88:c5:ac:70:63:a4:80:b1:65:5a:c0:12:dc:7c:32:
-         89:82:cd:26:8d:ba:6a:ac:96:3d:a2:1d:73:c1:38:72:4e:d2:
-         93:4f:16:ac:5a:c7:20:ad:c4:1e:be:27:d4:56:70:98:ba:45:
-         02:fb:9c:2a:a8:25:d2:1a:fe:da:3c:a9:ca:1e:69:b8:0d:ca:
-         92:c1:c5:dc:2b:14:ce:33:14:bf:3c:4c:87:29:21:f7:3a:cc:
-         c5:00:07:2c:15:6b:1b:07
------BEGIN CERTIFICATE-----
-MIIG7jCCBNagAwIBAgIBDzANBgkqhkiG9w0BAQsFADB5MRAwDgYDVQQKEwdSb290
-IENBMR4wHAYDVQQLExVodHRwOi8vd3d3LmNhY2VydC5vcmcxIjAgBgNVBAMTGUNB
-IENlcnQgU2lnbmluZyBBdXRob3JpdHkxITAfBgkqhkiG9w0BCQEWEnN1cHBvcnRA
-Y2FjZXJ0Lm9yZzAeFw0wMzAzMzAxMjI5NDlaFw0zMzAzMjkxMjI5NDlaMHkxEDAO
-BgNVBAoTB1Jvb3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEi
-MCAGA1UEAxMZQ0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJ
-ARYSc3VwcG9ydEBjYWNlcnQub3JnMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIIC
-CgKCAgEAziLA4kZ97DYoB1CW8qAzQIxL8TtmPzHlawI229Z89vGIj053NgVBlfkJ
-8BLPRoZzYLdufujAWGSuzbCtRRcMY/pnCujW0r8+55jE8Ez64AO7NV1sId6eINm6
-zWYyN3L69wj1x81YyY7nDl7qPv4coRQKFWyGhFtkZip6qUtTefWIonvuLwphK42y
-fk1WpRPs6tqSnqxEQR5YYGUFZvjARL3LlPdCfgv3ZWiYUQXw8wWRBB0bF4LsyFe7
-w2t6iPGwcswlWyCR7BYCEo8y6RcYSNDHBS4CMEK4JZwFaz+qOqfrU0j36NK2B5jc
-G8Y0f3/JHIJ6BVgrCFvzOKKrF11myZjXnhCLotLddJr3cQxyYN/Nb5gznZY0dj4k
-epKwDpUeb+agRThHqtdB7Uq3EvbXG4OKDy7YCbZZ16oE/9KTfWgu3YtLq1i6L43q
-laegw1SJpfvbi1EinbLDvhG+LJGGi5Z4rSDTii8aP8bQUWWHIbEZAWV/RRyH9XzQ
-QUxPKZgh/TMfdQwEUfoZd9vUFBzugcMd9Zi3aQaRIt0AUMyBMawSB3s42mhb5ivU
-fslfrejrckzzAeVLIL+aplfKkQABi6F1ITe1Yw1nPkZPcCBnzsXWWdsC4PDSy826
-YreQQejdIOQpvGQpQsgi3Hia/0PsmBsJUUtaWsJx8cTLc6nloQsCAwEAAaOCAX8w
-ggF7MB0GA1UdDgQWBBQWtTIb1Mfz4OaO873SsDrusjkY0TAPBgNVHRMBAf8EBTAD
-AQH/MDQGCWCGSAGG+EIBCAQnFiVodHRwOi8vd3d3LmNhY2VydC5vcmcvaW5kZXgu
-cGhwP2lkPTEwMFYGCWCGSAGG+EIBDQRJFkdUbyBnZXQgeW91ciBvd24gY2VydGlm
-aWNhdGUgZm9yIEZSRUUgaGVhZCBvdmVyIHRvIGh0dHA6Ly93d3cuY2FjZXJ0Lm9y
-ZzAxBgNVHR8EKjAoMCagJKAihiBodHRwOi8vY3JsLmNhY2VydC5vcmcvcmV2b2tl
-LmNybDAzBglghkgBhvhCAQQEJhYkVVJJOmh0dHA6Ly9jcmwuY2FjZXJ0Lm9yZy9y
-ZXZva2UuY3JsMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYWaHR0cDovL29j
-c3AuY2FjZXJ0Lm9yZzAfBgNVHSMEGDAWgBQWtTIb1Mfz4OaO873SsDrusjkY0TAN
-BgkqhkiG9w0BAQsFAAOCAgEAR5zXs6IX01JTt7Rq3b+bNRUhbO9vGBMggczo7R0q
-Ih1kdhS6WzcrDoO6PkpuRg0L3qM7YQB6pw2V+ubzF7xl4C0HWltfzPTbzAHdJtja
-JQw7QaBlmAYpN2CLB6Jeg8q/1Xpgdw/+IP1GRwdg7xUpReUA482l4MH1kf0W0ad9
-4SuIfNWQHcdLApmno/SUh1bpZyeWrMnlhkGNDKMxCCQXQ360TwFHc8dfEAaq5ry6
-cZzm1oetrkSviE2qofxvv1VFiQ+9TX3/zkECCsUB/EjPM0lxFBmu9T5Ih+Eqns9i
-vmrEIQDv9tNyJHuLsDNqbUBal7OoiPZnXk9LH+qb+pLf1ofv5noy5vX2a5OKebHe
-+0Ex/A7e+G/HuOjVNqhZ9j5Nispfq9zNyOHGWD8ofj8DHwB50L1Xh5H+EbIoga/h
-JCQnRtxWkHP699T1JpLFYwapgplivF4TFv4fqp0nHTKC1x9gGrIgvuYJl1txIKmx
-XdfJzgscMzqpabhtHOMXOiwQBpWzyJkofF/w55e0LttZDBkEsilV/vW0CJsPs3eN
-aQF+iMWscGOkgLFlWsAS3HwyiYLNJo26aqyWPaIdc8E4ck7Sk08WrFrHIK3EHr4n
-1FZwmLpFAvucKqgl0hr+2jypyh5puA3KksHF3CsUzjMUvzxMhykh9zrMxQAHLBVr
-Gwc=
------END CERTIFICATE-----
diff-release-bug-1305 (25,355 bytes)   

Ted

2018-11-01 22:53

administrator   ~0005638

Golffies left a review at https://github.com/CAcertOrg/cacert-devel/pull/9#pullrequestreview-170861329

Ted

2018-11-08 08:58

administrator   ~0005660

Benedikt (who was internal Auditor in 2016) has confirmed that the following certificates are the correct ones:

Root:
Serial 0000015
fingerprint: 07ed bd82 4a49 88cf ef42 15da 20d4 8c2b 41d7 1529 d7c9 00f5 7092 6f27 7cc2 30c5
file:
http://svn.cacert.org/CAcert/SystemAdministration/signer/re-sign-2016/outputs/new1.txt

Class 3:
Serial 0000014
fingerprint: f687 3d70 d675 96c2 acba 3440 1e69 738b 5270 1dd6 ab06 b497 49bc 5515 0936 d544
file:
http://svn.cacert.org/CAcert/SystemAdministration/signer/re-sign-2016/outputs/new3.text

Ted

2018-11-12 10:06

administrator   ~0005663

Benedikt also confirms that from his point of view the incident during the re-signing ceremony had no influence on the "trustworthiness" of the keys/certificates.

So, even if there were an Arbitration case about the details of the re-signing ceremony (I did not find one yet), I don't see any reason why the re-signed certificates should not be installed.

Ted

2018-11-12 22:04

administrator   ~0005665

As part of the review process I checked the differences between the "old" and the "new" root certificates:

1. Serial number: Old 0x0, New 0xf
2. Signature Algorithm: Old md5WithRSAEncryption, New: sha256WithRSAEncryption
3. X509v3 Authority Key Identifier: Old contains keyid, DirName and serial, New contains only keyid
4. X509v3 CRL Distribution Points: Old URI:https://www.cacert.org/revoke.crl, New URI:http://crl.cacert.org/revoke.crl
5. Netscape CA Revocation Url: Old https://www.cacert.org/revoke.crl, New URI:http://crl.cacert.org/revoke.crl
6. Authority Information Access: Old (not present), New OCSP - URI:http://ocsp.cacert.org
7. The signature obviously differs

Since there is no specification document about the intention of these changes I can only check for harmful side effects and guess about the intentions.

2. and 7. are obviously intended; these are direct consequences of using a different signing algorithm.

1. Is a side effect of re-signing. Since RFC5280 requires that "[The serial number] MUST be unique for each certificate issued by a given CA" the serial number cannot be the same as in the old certificate. The exact value of the new serial number is not critical, as long as it remains unique.

4., 5. and 6. have probably been adjusted to the value which is included in currently issued "normal" certificates. Using http over https to retrieve the CRL makes more sense since the crl itself is signed.

I'm not sure about 3. https://tools.ietf.org/html/rfc5280#section-5.2.1 does not address using the issuer DN in the X509v3 Authority Key Identifier. Current versions of OpenSSL add it only "if the keyid option fails or is not included" (https://www.openssl.org/docs/man1.0.2/apps/x509v3_config.html), which is obviously not the case here.
So I guess the issuer DN in Authority Key Identifier is just not used anymore in current software.

Ted

2018-11-13 22:54

administrator   ~0005666

Wytze has provided a pointer to https://github.com/BenBE/cacert-procedures/blob/root-resign-sha256/rootResignSHA256/procedure.txt

While it does not explain the reasons, it makes clear that the observed changes are intentional.

An additional mail provided by Wytze plausibly explains the reasons for removing issuer and serial from X509v3 Authority Key Identifier. Specifically the serial number must be removed (or adjusted), since the new roots will have different serial numbers, so the serial in Authority Key Identifier would otherwise break the certificate chain.

alkas

2018-11-15 19:21

manager   ~0005673

The difference between CAcert Class 3 Root #A418A and CAcert Class 3 Root #0E

                  Class 3 Root #A418A                Class 3 Root #0E
Serial number     A418A                              0E
Signature         29:28:85:ae:44:a9:b9:af:a4...      5a:90:16:d0:36:23:56:64:95...
X509v3 Extensions:
 X509v3 Authority Key Identifier:
  keyid:16:B5:32:1B:D4:C7:F3:E0:E6:8E:F3:BD:D2:B0:3A:EE:B2:39:18:D1    keyid:16:B5:32:1B:D4:C7:F3:E0:E6:8E:F3:BD:D2:B0:3A:EE:B2:39:18:D1
  DirName:/O=Root CA                                                   ---
          /OU=http://www.cacert.org
          /CN=CA Cert Signing Authority
          /emailAddress=support@cacert.org
  serial:00

Thus, only #A418A contains the serial number of CAcert Class 1 root # 00.
If the Class 3 Root #0E is used, there is only the http link in the following attribute (identical in both Class 3 roots):
X509v3 Basic Constraints: critical
                CA:TRUE
            Authority Information Access:
                OCSP - URI:http://ocsp.CAcert.org/
                CA Issuers - URI:http://www.CAcert.org/ca.crt
(where the file ca.crt contains the Class 1 Root #00)

Now, if the Class 3 Root #0E is used, and the file ca.crt is replaced by Class 1 Root #0F (SHA256 signed),
the Class 3 Root is no longer tied to the specific (#00) Class 1 Root.
I have tried this certificate chain on my local network with 2 Web servers, no problems.
The chain is: CAcert Class 1 Root #0F +--> CAcert Class 3 Root #0E --> any certificate issued by Class 3 Root
                                                                  +--> any certificate issued by Class 1 Root
Issued client/server certificates do not contain any serial # of signing root(s).

Does anybody know of any objections against this concept?
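The effect discussed in the two notes above (a serial number inside the Authority Key Identifier ties a certificate to one specific issuer certificate, while a keyid-only AKI does not), as an added example that is not part of this thread or of CAcert's code. It parses the DER value of the AKI extension and checks each field present against both roots; the two AKI byte strings are constructed from the keyid, DN and serial numbers quoted on this page rather than extracted from the real Class 3 certificates, and `Candidate`, `link_problem` and `check_all` are names chosen for the illustration.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Key identifier shared by both roots, as quoted in this thread.
ROOT_KEYID = bytes.fromhex("16B5321BD4C7F3E0E68EF3BDD2B03AEEB23918D1")

def tlv(tag: int, content: bytes) -> bytes:
    """DER-encode one element (definite length, short or long form)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + content

def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, content, next_pos) for the element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated element")
    tag, n = buf[pos], buf[pos + 1]
    pos += 2
    if n >= 0x80:  # long form: low 7 bits give the number of length bytes
        k = n & 0x7F
        if k == 0 or pos + k > len(buf):
            raise ValueError("unsupported or truncated length")
        n = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    if pos + n > len(buf):
        raise ValueError("content runs past end of buffer")
    return tag, buf[pos:pos + n], pos + n

@dataclass
class AKI:
    key_id: Optional[bytes] = None        # [0] keyIdentifier
    issuer_names: Optional[bytes] = None  # [1] authorityCertIssuer (raw GeneralNames)
    serial: Optional[int] = None          # [2] authorityCertSerialNumber

def parse_aki(der: bytes) -> AKI:
    """Parse the DER value of an authorityKeyIdentifier extension."""
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected exactly one SEQUENCE")
    fields, pos = {}, 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        fields[tag] = val
    serial = fields.get(0x82)
    return AKI(fields.get(0x80), fields.get(0xA1),
               None if serial is None else int.from_bytes(serial, "big", signed=True))

@dataclass
class Candidate:
    """The fields of a candidate issuer certificate that an AKI can pin."""
    ski: bytes          # subjectKeyIdentifier of the candidate
    issuer_name: bytes  # DER Name of the candidate's own issuer
    serial: int         # serial number of the candidate certificate

def link_problem(aki: AKI, cand: Candidate) -> Optional[str]:
    """Return None if cand satisfies every field present in aki, else the reason."""
    if aki.key_id is not None and aki.key_id != cand.ski:
        return "keyid mismatch"
    if aki.serial is not None and aki.serial != cand.serial:
        return f"serial mismatch: AKI pins {aki.serial:#x}, candidate is {cand.serial:#x}"
    names, pos = aki.issuer_names or b"", 0
    while pos < len(names):
        tag, val, pos = read_tlv(names, pos)
        if tag == 0xA4 and val != cand.issuer_name:  # [4] directoryName
            return "issuer name mismatch"
    return None

def rdn(oid_hex: str, string_tag: int, text: str) -> bytes:
    """Encode one single-valued RelativeDistinguishedName."""
    atv = tlv(0x30, tlv(0x06, bytes.fromhex(oid_hex)) + tlv(string_tag, text.encode()))
    return tlv(0x31, atv)

# Root DN as shown in the certificate dumps on this page.
ROOT_DN = tlv(0x30, rdn("55040a", 0x13, "Root CA")
              + rdn("55040b", 0x13, "http://www.cacert.org")
              + rdn("550403", 0x13, "CA Cert Signing Authority")
              + rdn("2a864886f70d010901", 0x16, "support@cacert.org"))

# Constructed samples: the two AKI layouts compared in the thread.
AKI_KEYID_ONLY = tlv(0x30, tlv(0x80, ROOT_KEYID))
AKI_WITH_SERIAL = tlv(0x30, tlv(0x80, ROOT_KEYID)
                      + tlv(0xA1, tlv(0xA4, ROOT_DN))
                      + tlv(0x82, b"\x00"))

ROOT_00 = Candidate(ROOT_KEYID, ROOT_DN, 0x00)  # original root
ROOT_0F = Candidate(ROOT_KEYID, ROOT_DN, 0x0F)  # re-signed root, same key and DN

def check_all() -> dict:
    """Check both AKI layouts against both roots; None means the link holds."""
    return {(a, r): link_problem(parse_aki(der), cand)
            for a, der in (("serial-pinned", AKI_WITH_SERIAL), ("keyid-only", AKI_KEYID_ONLY))
            for r, cand in (("#00", ROOT_00), ("#0F", ROOT_0F))}
```

Only the serial-pinned layout checked against root #0F reports a problem; the keyid-only layout links to either root because both carry the same key.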

Ted

2018-11-15 20:23

administrator   ~0005675

Hi alkas,

you are completely right, and were just a little bit faster than me in documenting these facts. :-)

As I found out while digging through the documentation, this issue has already been noticed during the tests in 2016, it just was not documented here in the bugtracker, but in some external documents.

Since the issue has been tested in 2016, and the whole thing is quite plausible, once someone explains it to you :-), I don't consider it essential to redo all the tests.

Of course you are nevertheless welcome to replicate the tests and report the results here. But IMHO this is not blocking the continuation of the review.

Ted

2018-11-15 22:14

administrator   ~0005677

Last edited: 2018-11-15 22:14

I had a look at the code changes in the bug-1305 branch from GitHub, and I'd propose a few changes:

* Remove the Windows Installer file CAcert_Root_Certificates_256.msi and the section referring to it. See my mail to the development list for detailed reasons.
* Remove the sections of the "old versions". The history of the root keys is documented in the WiKi page https://wiki.cacert.org/Roots/StateOverview

Of course the WiKi page has to be updated once we roll out bug-1305.

GuKKDevel

2018-11-16 15:53

updater   ~0005680

certificates were renamed to correspond to their version, new .msi-installer was added, page to download (pages/index/3.php) was changed to access the new certificates
diff (6,678 bytes)   
commit 37f1c36f3b13c7efa975ad351f2fde8dd4cbecae
Author: Karl-Heinz Gödderz (GuKKDevel) <Devel@GuKK-Online.de>
Date:   Fri Nov 16 16:35:36 2018 +0100

    Bug 1305; new certificates; rename certificates to corresponding version;
    changing pages/index/3 to access the new certs

diff --git a/pages/index/3.php b/pages/index/3.php
index af0c0f3..6c6ef80 100644
--- a/pages/index/3.php
+++ b/pages/index/3.php
@@ -18,66 +18,28 @@
 
 <p><?=sprintf(_("You are bound by the %s Root Distribution Licence %s for any re-distributions of CAcert's roots."),"<a href='/policy/RootDistributionLicense.html'>","</a>")?></p>
 
-<h1><?=_("re-signed versions from 2016 - ")?><a href="https://blog.cacert.org/2016/03/successful-root-re-sign/"><?=_("see blog")?></a></h1>
-<br>
-
 <h3><?=_("Windows Installer") ?></h3>
 <ul class="no_indent">
-	<li><? printf(_("%s Windows installer package %s for browsers that use the Windows certificate store %s (for example Internet Explorer, Chrome on Windows and Safari on Windows)"), '<a href="certs/CAcert_Root_Certificates_256.msi">', '</a>', '<br/>')?></li>
-	<li><?=_("SHA1 Hash:") ?> f27e06391e5cfd87200baa1a0f674a9725516a4f</li>
-	<li><?=_("SHA256 Hash:") ?> 412c5fa846da64a80148f788b5bb0b70517d6f12bfb133ae6a87cc6bd1921b90</li>
+	<li><? printf(_("%s Windows installer package %s for browsers that use the Windows certificate store %s (for example Internet Explorer, Chrome on Windows and Safari on Windows)"), '<a href="certs/CAcert_Root_Certificates_X0F_X0E.msi">', '</a>', '<br/>')?></li>
+	<li><?=_("SHA256 Hash:") ?> 0A87 5483 1472 4971 DB5C 85AF 5B01 92E5 2325 259A 1485 1CEF 4AB9 02EC 70BF A5D5</li>
 </ul>
 
 <h3><?=_("Class 1 PKI Key")?></h3>
 <ul class="no_indent">
-	<li><a href="certs/root_256.crt"><?=_("Root Certificate (PEM Format)")?></a></li>
-	<li><a href="certs/root_256.der"><?=_("Root Certificate (DER Format)")?></a></li>
-	<li><a href="certs/root_256.txt"><?=_("Root Certificate (Text Format)")?></a></li>
+	<li><a href="certs/root_X0F.crt"><?=_("Root Certificate (PEM Format)")?></a></li>
+	<li><a href="certs/root_X0F.der"><?=_("Root Certificate (DER Format)")?></a></li>
+	<li><a href="certs/root_X0F.txt"><?=_("Root Certificate (Text Format)")?></a></li>
 	<li><a href="<?=$_SERVER['HTTPS']?"https":"http"?>://crl.cacert.org/revoke.crl">CRL</a></li>
 	<li><?=_("SHA256 fingerprint:")?> 07ED BD82 4A49 88CF EF42 15DA 20D4 8C2B 41D7 1529 D7C9 00F5 7092 6F27 7CC2 30C5</li>
 </ul>
 
 <h3><?=_("Class 3 PKI Key")?></h3>
 <ul class="no_indent">
-	<li><a href="certs/class3_256.crt"><?=_("Intermediate Certificate (PEM Format)")?></a></li>
-	<li><a href="certs/class3_256.der"><?=_("Intermediate Certificate (DER Format)")?></a></li>
-	<li><a href="certs/class3_256.txt"><?=_("Intermediate Certificate (Text Format)")?></a></li>
+	<li><a href="certs/class3_X0E.crt"><?=_("Intermediate Certificate (PEM Format)")?></a></li>
+	<li><a href="certs/class3_X0E.der"><?=_("Intermediate Certificate (DER Format)")?></a></li>
+	<li><a href="certs/class3_X0E.txt"><?=_("Intermediate Certificate (Text Format)")?></a></li>
 	<li><a href="<?=$_SERVER['HTTPS']?"https":"http"?>://crl.cacert.org/class3-revoke.crl">CRL</a></li>
-	<li><?=_("SHA256 fingerprint:")?> F687 3D70 D675 96C2 ACBA 3440 1E69 738B 5270 1DD6 AB06 B497 49BC 5515 0936 D544</li>
-</ul>
-
-<h1><?=_("old versions")?></h1>
-<br>
-
-<h3><?=_("Windows Installer") ?></h3>
-<ul class="no_indent">
-	<li><? printf(_("%s Windows installer package %s for browsers that use the Windows certificate store %s (for example Internet Explorer, Chrome on Windows and Safari on Windows)"), '<a href="certs/CAcert_Root_Certificates.msi">', '</a>', '<br/>')?></li>
-	<li><?=_("SHA1 Hash:") ?> 2db1957db31aa0d778d1a65ea146760ee1e67611</li>
-	<li><?=_("SHA256 Hash:") ?> 88883f2e3117bae6f43922fbaef8501b94efe4143c12116244ca5d0c23bcbb16</li>
-</ul>
-
-<h3><?=_("Class 1 PKI Key")?></h3>
-<ul class="no_indent">
-	<li><a href="certs/root.crt"><?=_("Root Certificate (PEM Format)")?></a></li>
-	<li><a href="certs/root.der"><?=_("Root Certificate (DER Format)")?></a></li>
-	<li><a href="certs/root.txt"><?=_("Root Certificate (Text Format)")?></a></li>
-	<li><a href="<?=$_SERVER['HTTPS']?"https":"http"?>://crl.cacert.org/revoke.crl">CRL</a></li>
-	<li><?=_("SHA1 Fingerprint:")?> 13:5C:EC:36:F4:9C:B8:E9:3B:1A:B2:70:CD:80:88:46:76:CE:8F:33</li>
-	<li><?=_("MD5 Fingerprint:")?> A6:1B:37:5E:39:0D:9C:36:54:EE:BD:20:31:46:1F:6B</li>
-</ul>
-
-<h3><?=_("Class 3 PKI Key")?></h3>
-<ul class="no_indent">
-	<li><a href="certs/class3.crt"><?=_("Intermediate Certificate (PEM Format)")?></a></li>
-	<li><a href="certs/class3.der"><?=_("Intermediate Certificate (DER Format)")?></a></li>
-	<li><a href="certs/class3.txt"><?=_("Intermediate Certificate (Text Format)")?></a></li>
-	<li><a href="<?=$_SERVER['HTTPS']?"https":"http"?>://crl.cacert.org/class3-revoke.crl">CRL</a></li>
-<?php /*
-  class3 subroot fingerprint updated: 2011-05-23  class3 Re-sign project
-  https://wiki.cacert.org/Roots/Class3ResignProcedure/Migration
-*/ ?>
-	<li><?=_("SHA1 Fingerprint:")?> AD:7C:3F:64:FC:44:39:FE:F4:E9:0B:E8:F4:7C:6C:FA:8A:AD:FD:CE</li>
-	<li><?=_("MD5 Fingerprint:")?> F7:25:12:82:4E:67:B5:D0:8D:92:B7:7C:0B:86:7A:42</li>
+    <li><?=_("SHA256 fingerprint:")?> F687 3D70 D675 96C2 ACBA 3440 1E69 738B 5270 1DD6 AB06 B497 49BC 5515 0936 D544</li>
 </ul>
 
 <h3><?=_("GPG Key")?></h3>
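Review bot: the added "SHA256 Hash:" line for CAcert_Root_Certificates_X0F_X0E.msi gives the digest as space-separated uppercase groups, while the lines it replaces used the contiguous lowercase form that hashing tools print, so someone checking a download can no longer compare the value by copy and paste; publish it as one lowercase hex string, or in both forms. Separately, the Class 3 "SHA256 fingerprint:" line is removed and re-added with the same value, the only difference being space indentation instead of a tab; that whitespace-only change should be dropped so the line stays as context.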
diff --git a/www/certs/CAcert_Root_Certificates_256.msi b/www/certs/CAcert_Root_Certificates_X0F_X0E.msi
similarity index 99%
rename from www/certs/CAcert_Root_Certificates_256.msi
rename to www/certs/CAcert_Root_Certificates_X0F_X0E.msi
index e94d8fc..19f2593 100644
Binary files a/www/certs/CAcert_Root_Certificates_256.msi and b/www/certs/CAcert_Root_Certificates_X0F_X0E.msi differ
diff --git a/www/certs/class3_256.crt b/www/certs/class3_X0E.crt
similarity index 100%
rename from www/certs/class3_256.crt
rename to www/certs/class3_X0E.crt
diff --git a/www/certs/class3_256.der b/www/certs/class3_X0E.der
similarity index 100%
rename from www/certs/class3_256.der
rename to www/certs/class3_X0E.der
diff --git a/www/certs/class3_256.txt b/www/certs/class3_X0E.txt
similarity index 100%
rename from www/certs/class3_256.txt
rename to www/certs/class3_X0E.txt
diff --git a/www/certs/root_256.crt b/www/certs/root_X0F.crt
similarity index 100%
rename from www/certs/root_256.crt
rename to www/certs/root_X0F.crt
diff --git a/www/certs/root_256.der b/www/certs/root_X0F.der
similarity index 100%
rename from www/certs/root_256.der
rename to www/certs/root_X0F.der
diff --git a/www/certs/root_256.txt b/www/certs/root_X0F.txt
similarity index 100%
rename from www/certs/root_256.txt
rename to www/certs/root_X0F.txt
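Review bot: the seven renames leave nothing behind at the old "_256" paths, so any existing link to www/certs/root_256.crt, www/certs/class3_256.crt or the old .msi stops resolving once this is deployed; keep copies or redirects at the old names, or say in the commit message that breaking those links is intended. The .msi is also not a pure rename (similarity index 99%, binary content differs), so the hash published in pages/index/3.php has to be recomputed from exactly this file and the commit message should say what changed inside the installer.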

alkas

2018-11-18 00:43

manager   ~0005683

Two more formats:
CAcert_chain_X0F_X0E.pem (7,503 bytes)   
cacert-bundle_X0F_X0E.crt (16,180 bytes)   
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 15 (0xf)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: O=Root CA, OU=http://www.cacert.org, CN=CA Cert Signing Authority/emailAddress=support@cacert.org
        Validity
            Not Before: Mar 30 12:29:49 2003 GMT
            Not After : Mar 29 12:29:49 2033 GMT
        Subject: O=Root CA, OU=http://www.cacert.org, CN=CA Cert Signing Authority/emailAddress=support@cacert.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                16:B5:32:1B:D4:C7:F3:E0:E6:8E:F3:BD:D2:B0:3A:EE:B2:39:18:D1
            X509v3 Basic Constraints: critical
                CA:TRUE
            Netscape CA Policy Url: 
                http://www.cacert.org/index.php?id=10
            Netscape Comment: 
                To get your own certificate for FREE head over to http://www.cacert.org
            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:http://crl.cacert.org/revoke.crl

            Netscape CA Revocation Url: 
                URI:http://crl.cacert.org/revoke.crl
            Authority Information Access: 
                OCSP - URI:http://ocsp.cacert.org

            X509v3 Authority Key Identifier: 
                keyid:16:B5:32:1B:D4:C7:F3:E0:E6:8E:F3:BD:D2:B0:3A:EE:B2:39:18:D1

    Signature Algorithm: sha256WithRSAEncryption

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 14 (0xe)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: O=Root CA, OU=http://www.cacert.org, CN=CA Cert Signing Authority/emailAddress=support@cacert.org
        Validity
            Not Before: May 23 17:48:02 2011 GMT
            Not After : May 20 17:48:02 2021 GMT
        Subject: O=CAcert Inc., OU=http://www.CAcert.org, CN=CAcert Class 3 Root
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (4096 bit)
                Modulus (4096 bit):
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                75:A8:71:60:4C:88:13:F0:78:D9:89:77:B5:6D:C5:89:DF:BC:B1:7A
            X509v3 Basic Constraints: critical
                CA:TRUE
            Authority Information Access:
                OCSP - URI:http://ocsp.CAcert.org/
                CA Issuers - URI:http://www.CAcert.org/ca.crt

            X509v3 Certificate Policies:
                Policy: 1.3.6.1.4.1.18506
                  CPS: http://www.CAcert.org/index.php?id=10

            Netscape CA Policy Url:
                http://www.CAcert.org/index.php?id=10
            Netscape Comment:
                To get your own certificate for FREE, go to http://www.CAcert.org
            X509v3 Authority Key Identifier:
                keyid:16:B5:32:1B:D4:C7:F3:E0:E6:8E:F3:BD:D2:B0:3A:EE:B2:39:18:D1

    Signature Algorithm: sha256WithRSAEncryption

Ted

2018-11-19 22:54

administrator   ~0005686

GuKKDevel: The fingerprints in the CAP and COAP forms have to be adjusted to the new root certs. See www/cap* and www/coap*

I'd propose to add a "(since 2019)" text beside the fingerprints, so people may get the idea that the change was intentional...

If you want to discuss this drop a message to the development list.

Ted

2018-11-23 20:59

administrator   ~0005687

Mental note: The updated certificates have to be installed on the signer machine also!

wytze

2018-11-24 08:22

developer   ~0005688

With respect to note https://bugs.cacert.org/view.php?id=1305#c5687 :
I agree that for consistency the updated root certificates should also be installed on the signer machine, but please note that for the operation of the signer this does not make any difference. The certificates issued by the signer only depend on the ssl configuration files and the root private key; the root certificate has no influence on this. The practical consequence of this is that installation of the updated root certificates can be postponed (or advanced) to a convenient moment (i.e. the need for other maintenance on the signing server), and does not have to be coordinated with the publication/installation of the updated roots on the webdb server.

Ted

2018-11-28 11:21

administrator   ~0005690

GuKK: I merged your changes (only the cap*/coap*-Files) into the test-1260 branch which is installed on the testserver.

Now you can open the CAP forms in the testserver, and you'll see the next problem: The SHA256 checksums are considerably longer than the old MD5 ones.

So we'll probably need them on two lines. But then we have to make sure that the resulting form still fits one A4 / Letter page (at least when using the English form)... So, probably, you'll have to dig around a bit more... :-(

GuKKDevel

2018-11-30 13:16

updater   ~0005691

worked on cap.php
split fingerprint line into two
form fits to A4 and letter

all other cap*/coap*-files: couldn't find a link to them so waiting for answer from Wytze, who designed them.

wytze

2018-12-02 08:10

developer   ~0005692

There appears to be a serious misunderstanding here ... I am *not* the author or designer of the cap/coap files. Inside for example capnew.php you can find a statement about the origin of these files:

/*
** Created from old cap.php 2003, which used the now obsoleted ftpdf package
** First created: 12 July 2008
** Last change: see Revision date
** Reviews:
** printed text by Ian Grigg and Teus Hagen (July 2008)
** layout/design by Teus Hagen and Johan Vromans (July 2008)
** coding by Teus Hagen and ...

Teus Hagen, former president of CAcert Inc. is the main author as far as I remember, but he is not involved anymore with CAcert. These files were meant as a replacement for the old forms, which are based on software which was already obsolete in 2008, and even more so in 2018. But nobody in software was ever prepared to spend some time to switch over to the new versions. So they are in the source tree, but not actually used.

There is no urgent need to update these files. If someone ever decides to switch over to them, adjusting the fingerprint text will be a minor effort.

By the way, I am kind of surprised that the fingerprint layout issue has been raised. There is no real need to display SHA256 fingerprints rather than SHA1 fingerprints for the new roots, the hash algo for the fingerprint does not need to match the hash algo of the certificate's signature (note that currently they also don't match: MD5 vs SHA1). Just updating the SHA1 fingerprints would have been fine I think.

Ted

2018-12-03 20:25

administrator   ~0005693

Hmm, I checked what I had in easy reach to find out which kind of fingerprint/checksum is shown by different software:
Windows 7: SHA1
Windows 10: SHA256
Firefox: SHA1 & SHA256

So, I guess it's OK to move to SHA256 only fingerprints on the CAP forms...

Ted

2018-12-03 20:36

administrator   ~0005694

GuKK: The PDF in letter format is quite full now... Is it easy to reduce the space above the upper box a bit (maybe half), so there's a bit of reserve at the bottom? Some translations need more room than the English document...

And, when looking at the German PDF I noticed that at least the CCA agreement term is set in block, which does not look very nice here. It has probably been so forever, but, as above, if it is not much work please change this to ragged margin ("Flattersatz") while we are at it.

Once more, both of these are nice to have. I'd prefer to get the certs online without these changes in December to getting them online with the changes in January...

jandd

2018-12-03 20:40

administrator   ~0005695

openssl 1.1.0g x509 -fingerprint: SHA1
JDK 8 keytool -printcert: SHA1 & SHA256
gnutls 3.5.18 certtool --fingerprint: SHA1

I suggest to put both SHA1 and SHA256 fingerprints on the CAP forms

alkas

2018-12-03 21:36

manager   ~0005698

AFAIK, Windows 10 shows SHA1 fingerprint, too - in system cert. viewer - mmc, module Certificates, select and open cert., view Details, at the end is Fingerprint.
Poznámka 2018-12-03 223514.jpg (57,342 bytes)   

GuKKDevel

2018-12-07 12:27

updater   ~0005699

Ted: It is designed explicitly to place the two boxes "Applicant's Statement" and "CAcert Assurer" at exactly the positions where they are, we shouldn't change that.

The other point: if we make this line two for all languages there is no problem. Else I need to find out how to mask a space/blank or we have to change the pootle-files for appending a space to one literal.
I tried some versions a whole day. (I think we should not implement this for the moment)

Ted

2018-12-07 22:48

administrator   ~0005700

As decided on today's meeting (https://wiki.cacert.org/Software/Meeting/20181207) we want to add SHA1 fingerprints.

The rest of the formatting issues is considered low priority.

GuKKDevel

2018-12-10 13:13

updater   ~0005701

ted: fingerprints are at the CAP-form. please check and if correct add to testserver.

https://github.com/CAcertOrg/cacert-devel/pull/19/commits/ca4e5f03eef4a8a174437fb065a967ce92dab847

Ted

2018-12-12 19:38

administrator   ~0005702

Current changes are installed on the testserver in branch test-1442.

I checked the German and the English PDF, both are OK, the SHA1 fingerprints match with what I get shown on Windows 7.

Now we need at least two test reports of other people (not the developer and the reviewers), so please test the CAP forms on https://test.cacert.org/index.php and leave reports!

bdmc

2018-12-13 15:28

developer   ~0005703

Where do I find documented the appropriate fingerprints for the SHA-256 Root and Class 3 certificates? I would expect them to be noted in this "Bug" documentation, perhaps in the "Instructions for Testers," so that testers could confirm the values found on forms and other places.

bdmc

2018-12-13 15:29

developer   ~0005704

I see on the US-English CAP Form that the address is "Oatley." Is this correct?

bdmc

2018-12-13 15:31

developer   ~0005705

I see the following values on the CAP PDF.

SHA256: root: 07ED BD82 4A49 88CF EF42 15DA 20D4 8C2B 41D7 1529 D7C9 00F5 7092 6F27 7CC2 30C5
and class3: F687 3D70 D675 96C2 ACBA 3440 1E69 738B 5270 1DD6 AB06 B497 49BC 5515 0936 D544

kronenpj

2018-12-13 21:57

reporter   ~0005706

The SHA1 and SHA256 checksums are correctly represented in the CAP files, based on the certificates attached as https://bugs.cacert.org/file_download.php?file_id=452&type=bug and https://bugs.cacert.org/file_download.php?file_id=453&type=bug. I did not check the .msi file.

L10N

2018-12-13 22:03

reporter   ~0005707

I found this overview on the wiki:
https://wiki.cacert.org/Roots/StateOverview

L10N

2018-12-13 22:59

reporter   ~0005708

No, Oatley is outdated. The current address is:
Hangar 10 Airfield Avenue, Murwillumbah NSW 2484, New South Wales, (Commonwealth of) Australia

GuKKDevel

2018-12-14 11:39

updater   ~0005709

Changed the address of CAcert Inc. and changed the sha1-fingerprints presentation from 2-char plus colons to 4-chars plus space.

alkas

2018-12-14 12:30

manager   ~0005710

The new version of CAcert root certificates (zipped) and Czech new versions of CAPs. Please have a look.
cap_X0F_X0E.docx (56,714 bytes)
cap-blank_X0F_X0E.docx (56,816 bytes)

alkas

2018-12-14 12:47

manager   ~0005711

PDF versions:
cap_X0F_X0E.pdf (677,261 bytes)
cap-blank_X0F_X0E.pdf (602,157 bytes)

L10N

2018-12-14 13:11

reporter   ~0005712

I tested CAcert_Root_Certificates_X0F_X0E.zip
- on Windows 10 Pro, version 1803: unzip, start, there was a warning with a button to abort, I clicked on more information to see another button to proceed anyway, which I did. Then I uninstalled the root certs. It finished with an error message: "Error." and two buttons: Yes, No. I clicked on Yes, closed the installer.
I restarted the installer. As there were no more CAcert roots certs installed, a window asked me to accept the root distribution license. I did, installation was successful.

- on Windows 7 Starter 6.1 version 7601: Start the installer, security warning, accept license, install process with a window telling me information about the cert being installed. Clicked OK. Installation was successful.

L10N

2018-12-14 14:39

reporter   ~0005713

Aleš wrote (by mail): "It’s better to install the roots as anybody with the Administrator’s rights, The Yes-No dialog then will not appear, I guess."

As I have no admin rights on my employer's PC, I cannot re-test it this way.

Ted

2018-12-16 21:40

administrator   ~0005715

New changes are installed on the testserver: Corrected CAcert postal address and format of fingerprints in the CAP forms

bdmc

2019-01-18 21:13

developer   ~0005738

Just examined the test server, and the current version appears correct.

The certificate SHA-256 fingerprints on Page 3, and all four CAP forms, agree in format and content.

The certificate downloaded also appears correct, with the correct serial number and SHA256.

The four CAP forms have the correct mailing address.

alkas

2019-01-21 16:08

manager   ~0005740

The Wiki pages /CapHTML and /CoapHTML contain both old signatures and CAcert's "classical post" address in Australia.

L10N

2019-01-21 22:16

reporter   ~0005741

The Wiki page /CapHTML is updated as follows:
- old Oatley postal address replaced by Murwillumbah address
- new sha256 signed fingerprints added (old ones remaining, as form is already online, to be removed after certificate roll out)

The Wiki page /CoapHTML is updated as follows:
- very old Denistone East postal address replaced by Murwillumbah address
- new sha256 signed fingerprints added (old ones remaining, as form is already online, to be removed after certificate roll out)

Fingerprints added to both forms:
class 1: DDFC DA54 1E75 77AD DCA8 7E88 27A9 8A50 6032 52A5
class 3: A7C4 8FBE 6B02 6DBD 0EC1 B465 B88D D813 EE1D EFA0

Ted

2019-02-14 20:43

administrator   ~0005770

merged updated release branch into bug-1305

Ted

2019-02-14 21:23

administrator   ~0005771

Last edited: 2019-02-14 21:24

Karl-Heinz, can you add the SHA1-fingerprints to pages/index/3.php and set CAcert's correct postal address in
www/cap.html.php
www/capnew.php
www/coap.html.php
www/coapnew.php

Though I don't know exactly when these pages are used, we should not have documents with the outdated postal address on the main server.

The c(o)ap* files also miss the SHA1 fingerprint. I'd propose to add them while you are already at it. But that's less important at the moment, if problems (for example with formatting) should occur please just add a note here and concentrate on more important things.

bdmc

2019-03-08 01:24

developer   ~0005780

I have updated the address in all of the above four files.

However, they also appear to contain the SHA1 fingerprints already. Perhaps someone else did that.

Ted

2019-03-12 22:51

administrator   ~0005781

Changes are merged into test-1442 branch and installed on https://test.cacert.org

Ted

2019-03-17 22:28

administrator   ~0005782

Brian, in pages/index/3.php the sha1 checksum is still missing. Can you add it?

bdmc

2019-03-19 18:23

developer   ~0005783

Done and checked in.

Ted

2019-03-31 13:31

administrator   ~0005784

Last edited: 2019-03-31 13:37

Brian pointed me to the GPG signed message on the key download page (pages/index/3.php), which still uses the old fingerprints.

Since at the moment I don't know who may create a new message of this kind (access to the signer machine would probably be needed!) I asked Brian to remove the message from the page.
If we find a way to create a GPG message with the new fingerprints (now or later) it would make sense to add it once more.

The second GPG message is, more or less, a "self signature of the GPG key". While IMHO this is not really useful, it does not hurt, so I'd keep it.

bdmc

2019-03-31 14:33

developer   ~0005785

In one of my versions of my "fix," I had removed that heading, but in the final one I had put it back.

It is now moved to within the "commented out section," and a comment has been added, trying to explain what we did.

All checked in.

Ted

2019-03-31 15:07

administrator   ~0005786

Great! I'll have a look at it during the next hours...

Ted

2019-03-31 18:37

administrator   ~0005787

Reviewed commit da4c71a246b80f399f3a12823ac03fa8c40f42bb versus current release commit 8ab79aad9fd3685129060854340dccd5dbf01a1d

Though some formatting problems remain, especially in www/capnew.php the review is PASSED

wytze

2019-04-01 12:46

developer   ~0005788

With respect to https://bugs.cacert.org/view.php?id=1305#c5784:

The procedure for generating these GPG signatures is documented in https://bugs.cacert.org/view.php?id=1254

The script mentioned there was left on the signer after its execution on Nov 11, 2014, and could be run again after installing re-signed certs on the signer. Obviously this does require a visit to the signer machine by two critical system administrators and one access engineer.

egal

2019-04-05 20:39

administrator   ~0005790

There are some format issues (especially in www/capnew.php), but as this CAP-form is (normally) not in use, the review is PASSED.

PGP/GnuPG-signatures are currently commented out, but can be added at a later time (as this requires a visit of the signer, can be done together with another bug).

Ted

2019-04-07 12:43

administrator   ~0005792

Sent patch request to critical team, but without CAcert_Root_Certificates_X0F_X0E.msi, since I don't know how I should review that...

wytze

2019-04-10 10:19

developer   ~0005793

The patches have been installed on the production server on April 10, 2019, including the re-signed root certificates.
See also the log message sent to the cacert-systemlog mailing list here: https://lists.cacert.org/wws/arc/cacert-systemlog/2019-04/msg00002.html

wytze

2019-04-10 10:21

developer   ~0005794

See note https://bugs.cacert.org/view.php?id=1305#c5793

wytze

2019-04-10 10:30

developer   ~0005795

One thing to note: since the patch has added the re-signed root certificates with new names to the system and left the old root certificates in place under their original names, it is still possible that users and applications retrieve the old root certificates. And observing the Apache2 access log, this is indeed the case -- clearly there are some applications which have these names/paths built-in. They will not benefit from this patch.
To tackle this problem, one could consider to change the old certificates to copies of their new counterparts, so users and applications will retrieve the new version irrespective of the name/path used.

Ted

2019-04-10 18:54

administrator   ~0005796

According to Wytze's note I re-open this case to create a follow-up patch.

Ted

2019-04-10 19:03

administrator   ~0005797

Last edited: 2019-04-10 19:04

Probably the easiest solution will be to rename the old certificate files to something else (like root_X00.* and class3_XA418A.*) and copy the new files to the old names also. So in the future we'll use root.* and class3.* for the "current" certificates, and in addition make the whole history of certificates available using the names with attached serial numbers.

bdmc

2019-04-11 00:05

developer   ~0005798

As discussed above, I have renamed the old certificate files to include their Serial Numbers in the file name.

I have also copied the current, latest, certificate files to "root.crt" and "class3.crt" to allow for systems that do not properly follow the URI.

bdmc

2019-04-11 00:06

developer   ~0005799

Changed and checked in as per your notes.

alkas

2019-04-11 17:27

manager   ~0005800

I had CAcert issue a new certificate yesterday evening. I then received the following e-mail, containing two fingerprints of CAcert root(s?).
The first fingerprint belongs to an unknown certificate, and the second fingerprint belongs to the old Class 1 root.
I guess that should be corrected.
----
Hi Aleš,

You can collect your certificate for alkas@volny.cz by going to the following location:

https://www.cacert.org/account.php?id=6&cert=645849

If you have not imported CAcert's root certificate, please go to:
https://www.cacert.org/index.php?id=3
Root cert fingerprint = A6:1B:37:5E:39:0D:9C:36:54:EE:BD:20:31:46:1F:6B
Root cert fingerprint = 135C EC36 F49C B8E9 3B1A B270 CD80 8846 76CE 8F33

Best regards
CAcert.org Support!

wytze

2019-04-12 08:57

developer   ~0005801

With respect to https://bugs.cacert.org/view.php?id=1305#c5800 :
- the first fingerprint shown is the MD5 fingerprint of the "old" root certificate
- the second fingerprint shown is the SHA1 fingerprint of the "old" root certificate
- clearly these messages should be replaced by:
  SHA256 fingerprint: 07ED BD82 4A49 88CF EF42 15DA 20D4 8C2B 41D7 1529 D7C9 00F5 7092 6F27 7CC2 30C5
  SHA1 fingerprint: DDFC DA54 1E75 77AD DCA8 7E88 27A9 8A50 6032 52A5
- the affected source file is CommModule/client.pl

bdmc

2019-04-12 16:16

developer   ~0005802

client.pl has been corrected and checked in.

Ted

2019-04-15 19:52

administrator   ~0005803

Last edited: 2019-04-15 19:53

A grep for the old fingerprints returns more hits in files www/ttp.php, pages/index/3.php and pages/index/16.php. 3.php and 16.php include the fingerprint also in a PGP signed message, which should be commented out completely...
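
Added example, not part of the note above or of the CAcert code base: a separator- and case-insensitive search for the fingerprints quoted in this issue. The same digest appears in this thread both as colon-separated pairs and as space-separated four-character groups, so a literal grep for one spelling misses the other. The sample text is constructed after the mail quoted in note ~0005800, and all function names are hypothetical.

```python
import re

# Fingerprints quoted in this issue (notes ~0005800 and ~0005801),
# stored with separators removed and in upper case.
KNOWN = {
    "A61B375E390D9C3654EEBD2031461F6B": "old root",
    "135CEC36F49CB8E93B1AB270CD80884676CE8F33": "old root",
    "DDFCDA541E7577ADDCA87E8827A98A50603252A5": "new root",
    "07EDBD824A4988CFEF4215DA20D48C2B41D71529D7C900F570926F277CC230C5": "new root",
}

# The digest length in hex characters identifies the fingerprint algorithm.
ALGO_BY_HEX_LEN = {32: "MD5", 40: "SHA1", 64: "SHA256"}


def normalize(text):
    """Drop ':' and whitespace and upper-case, so 'A6:1B' and 'a61b' compare equal."""
    return re.sub(r"[\s:]", "", text).upper()


def classify(fp):
    """Return 'MD5', 'SHA1' or 'SHA256' from the digest length, else None."""
    hexdigits = normalize(fp)
    if not re.fullmatch(r"[0-9A-F]+", hexdigits):
        return None
    return ALGO_BY_HEX_LEN.get(len(hexdigits))


def grouped(fp, size=4, sep=" "):
    """Re-render a fingerprint, e.g. size=2, sep=':' or size=4, sep=' '."""
    h = normalize(fp)
    return sep.join(h[i:i + size] for i in range(0, len(h), size))


def scan(text):
    """Return (line_no, algorithm, label) for each known fingerprint found,
    whatever separator or letter case the file uses."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        squashed = normalize(line)  # separators gone, so both spellings match
        for fp, label in KNOWN.items():
            if fp in squashed:
                hits.append((line_no, classify(fp), label))
    return hits


def stale_lines(text):
    """Line numbers that still carry a fingerprint of the old root."""
    return sorted({no for no, _algo, label in scan(text) if label == "old root"})


# Constructed sample, modelled on the notification mail quoted in this issue.
SAMPLE = """\
If you have not imported CAcert's root certificate, please go to:
Root cert fingerprint = A6:1B:37:5E:39:0D:9C:36:54:EE:BD:20:31:46:1F:6B
Root cert fingerprint = 135C EC36 F49C B8E9 3B1A B270 CD80 8846 76CE 8F33
sha1 = dd:fc:da:54:1e:75:77:ad:dc:a8:7e:88:27:a9:8a:50:60:32:52:a5
"""

if __name__ == "__main__":
    for line_no, algo, label in scan(SAMPLE):
        print(f"line {line_no}: {algo} fingerprint of the {label}")
    print("lines to fix:", stale_lines(SAMPLE))
```
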

bdmc

2019-04-26 14:08

developer   ~0005804

There is a reference in 16.php to 17.php, which is intended to install the Microsoft Certificate.

Should this be removed?

bdmc

2019-04-26 14:25

developer   ~0005805

Files ttp.php and 16.php have been corrected and checked in.

The reference found in 3.php is inside the commented out message about the GPG signature.

Ted

2019-05-14 20:17

administrator   ~0005809

The fixes of bug-1305 branch have been merged into the (old) testserver. Please try and check if the reported problems of wytze and alkas (and myself) are fixed, and report here!

alkas

2019-05-25 21:03

manager   ~0005810

There are the old fingerprints in letters as this:
--------------------------------------
Hi <user>,

You can collect your certificate for <user-email> by going to the following location:

https://www.cacert.org/account.php?id=15&cert=797035

If you have not imported CAcert's root certificate, please go to:
https://www.cacert.org/index.php?id=3
Root cert fingerprint = A6:1B:37:5E:39:0D:9C:36:54:EE:BD:20:31:46:1F:6B
Root cert fingerprint = 135C EC36 F49C B8E9 3B1A B270 CD80 8846 76CE 8F33

Best regards
CAcert.org Support!

L10N

2019-05-26 18:18

reporter   ~0005811

Where is the text of this e-mail stored?

GuKKDevel

2019-05-27 08:29

updater   ~0005812

Message comes from -> CommModule/client.pl

GuKKDevel

2019-05-27 08:55

updater   ~0005813

should be correct see https://github.com/CAcertOrg/cacert-devel/blob/bug-1305/CommModule/client.pl

bdmc

2019-05-31 04:40

developer   ~0005814

client.pl should have been corrected in the April 12th check-in.

Ted

2019-07-04 23:05

administrator   ~0005815

After some hassle, the (old) testserver is now running the modified client.pl

I created one certificate, and the mail (on mgr.test.cacert.org:14843) contained the new checksums. It looked acceptable, though not really nice...

Any other test reports?

Ted

2019-09-26 18:28

administrator   ~0005845

I updated https://wiki.cacert.org/Roots/StateOverview to match the current status...

Issue History

Date Modified Username Field Change
2014-09-15 14:07 wytze New Issue
2014-09-15 14:07 wytze File Added: crl-redirect-issue.log
2014-09-15 14:23 wytze Steps to Reproduce Updated
2014-09-15 14:23 wytze Steps to Reproduce Updated
2014-10-03 07:43 wytze Description Updated
2014-10-03 07:44 wytze Description Updated
2014-10-04 09:58 Ruel Print Tag Attached: certificates
2014-10-04 09:58 Ruel Print File Added: Global Sign.p7b
2015-11-25 20:47 INOPIAE Relationship added related to 0001245
2015-11-25 20:47 INOPIAE Relationship deleted related to 0001245
2015-11-25 20:47 INOPIAE Relationship added related to 0001254
2015-11-25 23:53 felixd Note Added: 0005486
2015-12-14 21:58 felixd Note Added: 0005492
2016-02-05 09:50 cilap Note Added: 0005495
2016-03-14 17:00 reinhardm Note Added: 0005512
2017-04-04 16:12 bjobjo Note Added: 0005542
2017-04-04 16:12 bjobjo Priority normal => urgent
2017-04-04 16:12 bjobjo Severity minor => major
2017-04-05 07:54 wytze Assigned To => egal
2018-04-18 21:37 dops Note Added: 0005586
2018-10-31 13:03 GuKKDevel File Added: diff-release-bug-1305
2018-10-31 13:03 GuKKDevel Note Added: 0005628
2018-11-01 05:13 GuKKDevel Status new => needs review & testing
2018-11-01 22:53 Ted Note Added: 0005638
2018-11-07 10:23 GuKKDevel Relationship added related to 0001447
2018-11-07 10:23 GuKKDevel Relationship replaced child of 0001447
2018-11-08 08:58 Ted Note Added: 0005660
2018-11-12 10:06 Ted Note Added: 0005663
2018-11-12 22:04 Ted Note Added: 0005665
2018-11-13 22:54 Ted Note Added: 0005666
2018-11-15 19:21 alkas Note Added: 0005673
2018-11-15 20:23 Ted Status needs review & testing => needs review
2018-11-15 20:23 Ted Note Added: 0005675
2018-11-15 22:14 Ted Assigned To egal => GuKKDevel
2018-11-15 22:14 Ted Status needs review => needs work
2018-11-15 22:14 Ted Note Added: 0005677
2018-11-15 22:14 Ted Note Edited: 0005677
2018-11-16 10:37 GuKKDevel Relationship added related to 0001194
2018-11-16 15:53 GuKKDevel File Added: diff
2018-11-16 15:53 GuKKDevel File Added: CAcert_Root_Certificates_X0F_X0E.msi
2018-11-16 15:53 GuKKDevel Note Added: 0005680
2018-11-16 15:54 GuKKDevel Status needs work => needs review & testing
2018-11-18 00:43 alkas File Added: CAcert_chain_X0F_X0E.pem
2018-11-18 00:43 alkas File Added: cacert-bundle_X0F_X0E.crt
2018-11-18 00:43 alkas Note Added: 0005683
2018-11-19 22:54 Ted Note Added: 0005686
2018-11-23 20:59 Ted Note Added: 0005687
2018-11-24 08:22 wytze Note Added: 0005688
2018-11-28 11:21 Ted Note Added: 0005690
2018-11-30 13:16 GuKKDevel Note Added: 0005691
2018-12-02 08:10 wytze Note Added: 0005692
2018-12-02 10:55 GuKKDevel Note View State: 0005691: private
2018-12-02 10:55 GuKKDevel Note View State: 0005691: public
2018-12-03 20:25 Ted Note Added: 0005693
2018-12-03 20:36 Ted Note Added: 0005694
2018-12-03 20:40 jandd Note Added: 0005695
2018-12-03 21:36 alkas File Added: Poznámka 2018-12-03 223514.jpg
2018-12-03 21:36 alkas Note Added: 0005698
2018-12-07 12:27 GuKKDevel Note Added: 0005699
2018-12-07 22:48 Ted Note Added: 0005700
2018-12-10 13:13 GuKKDevel Note Added: 0005701
2018-12-12 19:38 Ted Note Added: 0005702
2018-12-13 15:28 bdmc Note Added: 0005703
2018-12-13 15:29 bdmc Note Added: 0005704
2018-12-13 15:31 bdmc Note Added: 0005705
2018-12-13 21:57 kronenpj Note Added: 0005706
2018-12-13 22:03 L10N Note Added: 0005707
2018-12-13 22:59 L10N Note Added: 0005708
2018-12-14 11:39 GuKKDevel Note Added: 0005709
2018-12-14 12:30 alkas File Added: CAcert_Root_Certificates_X0F_X0E.zip
2018-12-14 12:30 alkas File Added: cap_X0F_X0E.docx
2018-12-14 12:30 alkas File Added: cap-blank_X0F_X0E.docx
2018-12-14 12:30 alkas Note Added: 0005710
2018-12-14 12:47 alkas File Added: cap_X0F_X0E.pdf
2018-12-14 12:47 alkas File Added: cap-blank_X0F_X0E.pdf
2018-12-14 12:47 alkas Note Added: 0005711
2018-12-14 13:11 L10N Note Added: 0005712
2018-12-14 14:39 L10N Note Added: 0005713
2018-12-16 21:40 Ted Note Added: 0005715
2019-01-18 21:13 bdmc Note Added: 0005738
2019-01-21 16:08 alkas Note Added: 0005740
2019-01-21 22:16 L10N Note Added: 0005741
2019-02-14 20:43 Ted Note Added: 0005770
2019-02-14 20:43 Ted Assigned To GuKKDevel => Ted
2019-02-14 20:57 Ted Assigned To Ted => GuKKDevel
2019-02-14 21:23 Ted Note Added: 0005771
2019-02-14 21:24 Ted Note Edited: 0005771
2019-02-28 10:02 GuKKDevel Assigned To GuKKDevel => wytze
2019-02-28 10:03 GuKKDevel Assigned To wytze => bdmc
2019-03-08 01:24 bdmc Note Added: 0005780
2019-03-12 22:51 Ted Note Added: 0005781
2019-03-17 22:28 Ted Note Added: 0005782
2019-03-19 18:23 bdmc Note Added: 0005783
2019-03-31 13:31 Ted Note Added: 0005784
2019-03-31 13:37 Ted Note Edited: 0005784
2019-03-31 14:33 bdmc Note Added: 0005785
2019-03-31 15:07 Ted Note Added: 0005786
2019-03-31 18:37 Ted Assigned To bdmc => egal
2019-03-31 18:37 Ted Status needs review & testing => needs review
2019-03-31 18:37 Ted Note Added: 0005787
2019-03-31 18:38 Ted Reviewed by => Ted
2019-04-01 12:46 wytze Note Added: 0005788
2019-04-05 20:39 egal Note Added: 0005790
2019-04-05 20:41 egal Status needs review => ready to deploy
2019-04-05 20:41 egal Reviewed by Ted => dastrath, Ted
2019-04-05 20:55 Ted Assigned To egal => Ted
2019-04-07 12:43 Ted Note Added: 0005792
2019-04-10 10:19 wytze Note Added: 0005793
2019-04-10 10:21 wytze Status ready to deploy => solved?
2019-04-10 10:21 wytze Resolution open => fixed
2019-04-10 10:21 wytze Note Added: 0005794
2019-04-10 10:30 wytze Note Added: 0005795
2019-04-10 18:54 Ted Status solved? => needs work
2019-04-10 18:54 Ted Note Added: 0005796
2019-04-10 19:03 Ted Note Added: 0005797
2019-04-10 19:04 Ted Note Edited: 0005797
2019-04-11 00:05 bdmc Note Added: 0005798
2019-04-11 00:06 bdmc Status needs work => needs review & testing
2019-04-11 00:06 bdmc Note Added: 0005799
2019-04-11 17:27 alkas Note Added: 0005800
2019-04-12 08:57 wytze Note Added: 0005801
2019-04-12 16:16 bdmc Note Added: 0005802
2019-04-15 19:52 Ted Note Added: 0005803
2019-04-15 19:53 Ted Assigned To Ted => bdmc
2019-04-15 19:53 Ted Note Edited: 0005803
2019-04-26 14:08 bdmc Note Added: 0005804
2019-04-26 14:25 bdmc Note Added: 0005805
2019-04-26 14:25 bdmc Assigned To bdmc => Ted
2019-05-14 20:17 Ted Note Added: 0005809
2019-05-25 21:03 alkas Note Added: 0005810
2019-05-26 18:18 L10N Note Added: 0005811
2019-05-27 08:29 GuKKDevel Note Added: 0005812
2019-05-27 08:55 GuKKDevel Note Added: 0005813
2019-05-31 04:40 bdmc Note Added: 0005814
2019-07-04 23:05 Ted Note Added: 0005815
2019-09-26 18:28 Ted Note Added: 0005845
2021-08-05 17:49 Ted Relationship added related to 0001533