View Issue Details

ID: 0001305
Project: Main CAcert Website
Category: certificate issuing
View Status: public
Last Update: 2019-07-04 23:05
Reporter: wytze
Assigned To: Ted
Priority: urgent
Severity: major
Reproducibility: always
Status: needs review & testing
Resolution: fixed
Platform: Main CAcert Website
OS: N/A
OS Version: stable
Product Version: 2014 Q3
Target Version:
Fixed in Version:
Summary: 0001305: CAcert Class1 root certificate needs to be reissued with an updated CDP and a SHA-based signature
Description:
The CAcert Class1 root certificate (THE CAcert root) is suffering from two operational problems:

1. The CDP (CRL Distribution Point) listed in the root cert is
        https://www.cacert.org/revoke.crl
But since we do not want to distribute the (huge) CRL through our main web server but rather through a specialized CRL server, the main web server is redirecting all requests for the above URL to http://crl.cacert.org. It turns out that some validation software, for example Microsoft's CryptoAPI, is unable to deal with such HTTP redirects, and reports a verification failure.

Also, the use of HTTPS in the CDP is *not* recommended, see RFC5280 http://tools.ietf.org/html/rfc5280, in the section Security Considerations:
   When certificates include a cRLDistributionPoints extension with an
   https URI or similar scheme, circular dependencies can be introduced.
   The relying party is forced to perform an additional path validation
   in order to obtain the CRL required to complete the initial path
   validation! Circular conditions can also be created with an https
   URI (or similar scheme) in the authorityInfoAccess or
   subjectInfoAccess extensions. At worst, this situation can create
   unresolvable dependencies.

So the CDP should be http://crl.cacert.org/revoke.crl.

2. The current root cert is signed with an MD5 hash. While from a security point of view the quality of the hash algorithm used for such a trusted cert does not matter, from time to time rumours and sometimes even software appear which choke on this. A SHA-256 based signature would kill all such issues right away.

Steps To Reproduce:
Issue 1 can be demonstrated with a command like this on a Windows 7 system:
     certutil -f -verify -urlfetch server.crt
for some CAcert Class3 issued server certificate. Output of the above command has been added as attachment to this bug entry.

Issue 2 is demonstrated somewhat by the currently open Bugzilla issue for Firefox: https://bugzilla.mozilla.org/show_bug.cgi?id=1058812
Additional Information:
The CAcert Class3 intermediate root certificate was re-signed in 2011 to deal with the MD5 issue (for this cert, being intermediate, it was truly a blocking problem). A similar procedure could be used to re-sign the CAcert Class1 root. This will likely be a much faster process than waiting for the results of the NRE (New Roots & Escrow) project.
Tags: certificates
Reviewed by: dastrath, Ted
Test Instructions:

Relationships

related to 0001254 (fix available, BenBE): Update the signed PGP-Message containing the fingerprints of CAcert
related to 0001194 (needs work, NEOatNHNG): Root certificate installer MSI package fails on Windows 8
child of 0001447 (new): Cannot access main cacert website
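The two properties the report complains about (the scheme of the CRL distribution point and the hash behind the signature) can be checked mechanically on any certificate. The block below is an added example and is not CAcert code nor part of this issue: it decodes a PEM certificate with a minimal DER walker (single-byte tags only, which is all X.509 uses), reports serial, signature algorithm and every CRL distribution point URI, and applies the report's two rules. The function names (`audit`, `evaluate`, `parse_certificate` and the helpers) and the wording of the findings are mine. The sample input is the re-signed root copied from the root_256.crt file in the diff attached further down in this issue, with its base64 re-wrapped to 128 columns for space; on that certificate the audit yields serial 15, sha256WithRSAEncryption, the single http://crl.cacert.org/revoke.crl distribution point and no findings, while feeding `evaluate` the original root's properties (md5WithRSAEncryption plus an https CDP) produces both findings.

```python
import base64
import re

# Signature-algorithm OIDs from PKCS#1; anything else is reported as the raw OID.
SIG_ALGS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
}
WEAK = {"md2WithRSAEncryption", "md5WithRSAEncryption", "sha1WithRSAEncryption"}
OID_CDP = "2.5.29.31"  # id-ce-cRLDistributionPoints

def der_tlv(buf, pos=0):
    """Read one DER tag/length/value at pos (single-byte tags); returns (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(body):
    """Split the body of a constructed value into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = der_tlv(body, pos)
        out.append((tag, val))
    return out

def der_walk(body):
    """Depth-first walk over every node in body, descending into constructed tags (bit 0x20)."""
    for tag, val in der_children(body):
        yield tag, val
        if tag & 0x20:
            yield from der_walk(val)

def decode_oid(raw):
    """Decode OBJECT IDENTIFIER content bytes to dotted form."""
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def parse_certificate(der):
    """Return (serial, signature algorithm name, CDP URIs) of a DER-encoded certificate."""
    _, cert, _ = der_tlv(der)
    tbs, sig_alg, _sig = der_children(cert)[:3]  # tbsCertificate, signatureAlgorithm, signature
    alg_oid = decode_oid(der_children(sig_alg[1])[0][1])
    fields = der_children(tbs[1])
    serial = next(int.from_bytes(v, "big", signed=True) for t, v in fields if t == 0x02)
    uris = []
    for tag, val in fields:
        if tag != 0xA3:  # [3] EXPLICIT Extensions
            continue
        for _, ext in der_children(der_children(val)[0][1]):
            parts = der_children(ext)  # extnID, optional critical BOOLEAN, extnValue OCTET STRING
            if decode_oid(parts[0][1]) == OID_CDP:
                # every GeneralName uniformResourceIdentifier ([6] IA5String, tag 0x86) inside
                uris += [v.decode("ascii") for t, v in der_walk(parts[-1][1]) if t == 0x86]
    return serial, SIG_ALGS.get(alg_oid, alg_oid), uris

def evaluate(sig_alg, cdp_uris):
    """The report's two rules: no MD2/MD5/SHA-1 signature, no https:// distribution point."""
    findings = [f"signature algorithm {sig_alg} is deprecated"] if sig_alg in WEAK else []
    findings += [f"CDP {u} uses https (RFC 5280 sec. 8 circular-dependency risk)"
                 for u in cdp_uris if u.lower().startswith("https://")]
    return findings

def audit(pem):
    """PEM text in, dict with serial / signature algorithm / CDP URIs / findings out."""
    b64 = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END", pem, re.S).group(1)
    serial, sig_alg, uris = parse_certificate(base64.b64decode("".join(b64.split())))
    return {"serial": serial, "sig_alg": sig_alg, "cdp": uris, "findings": evaluate(sig_alg, uris)}

# Sample input: the re-signed root exactly as in the root_256.crt hunk attached to this issue.
ROOT_256_PEM = """-----BEGIN CERTIFICATE-----
MIIG7jCCBNagAwIBAgIBDzANBgkqhkiG9w0BAQsFADB5MRAwDgYDVQQKEwdSb290IENBMR4wHAYDVQQLExVodHRwOi8vd3d3LmNhY2VydC5vcmcxIjAgBgNVBAMTGUNB
IENlcnQgU2lnbmluZyBBdXRob3JpdHkxITAfBgkqhkiG9w0BCQEWEnN1cHBvcnRAY2FjZXJ0Lm9yZzAeFw0wMzAzMzAxMjI5NDlaFw0zMzAzMjkxMjI5NDlaMHkxEDAO
BgNVBAoTB1Jvb3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAGA1UEAxMZQ0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJ
ARYSc3VwcG9ydEBjYWNlcnQub3JnMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAziLA4kZ97DYoB1CW8qAzQIxL8TtmPzHlawI229Z89vGIj053NgVBlfkJ
8BLPRoZzYLdufujAWGSuzbCtRRcMY/pnCujW0r8+55jE8Ez64AO7NV1sId6eINm6zWYyN3L69wj1x81YyY7nDl7qPv4coRQKFWyGhFtkZip6qUtTefWIonvuLwphK42y
fk1WpRPs6tqSnqxEQR5YYGUFZvjARL3LlPdCfgv3ZWiYUQXw8wWRBB0bF4LsyFe7w2t6iPGwcswlWyCR7BYCEo8y6RcYSNDHBS4CMEK4JZwFaz+qOqfrU0j36NK2B5jc
G8Y0f3/JHIJ6BVgrCFvzOKKrF11myZjXnhCLotLddJr3cQxyYN/Nb5gznZY0dj4kepKwDpUeb+agRThHqtdB7Uq3EvbXG4OKDy7YCbZZ16oE/9KTfWgu3YtLq1i6L43q
laegw1SJpfvbi1EinbLDvhG+LJGGi5Z4rSDTii8aP8bQUWWHIbEZAWV/RRyH9XzQQUxPKZgh/TMfdQwEUfoZd9vUFBzugcMd9Zi3aQaRIt0AUMyBMawSB3s42mhb5ivU
fslfrejrckzzAeVLIL+aplfKkQABi6F1ITe1Yw1nPkZPcCBnzsXWWdsC4PDSy826YreQQejdIOQpvGQpQsgi3Hia/0PsmBsJUUtaWsJx8cTLc6nloQsCAwEAAaOCAX8w
ggF7MB0GA1UdDgQWBBQWtTIb1Mfz4OaO873SsDrusjkY0TAPBgNVHRMBAf8EBTADAQH/MDQGCWCGSAGG+EIBCAQnFiVodHRwOi8vd3d3LmNhY2VydC5vcmcvaW5kZXgu
cGhwP2lkPTEwMFYGCWCGSAGG+EIBDQRJFkdUbyBnZXQgeW91ciBvd24gY2VydGlmaWNhdGUgZm9yIEZSRUUgaGVhZCBvdmVyIHRvIGh0dHA6Ly93d3cuY2FjZXJ0Lm9y
ZzAxBgNVHR8EKjAoMCagJKAihiBodHRwOi8vY3JsLmNhY2VydC5vcmcvcmV2b2tlLmNybDAzBglghkgBhvhCAQQEJhYkVVJJOmh0dHA6Ly9jcmwuY2FjZXJ0Lm9yZy9y
ZXZva2UuY3JsMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYWaHR0cDovL29jc3AuY2FjZXJ0Lm9yZzAfBgNVHSMEGDAWgBQWtTIb1Mfz4OaO873SsDrusjkY0TAN
BgkqhkiG9w0BAQsFAAOCAgEAR5zXs6IX01JTt7Rq3b+bNRUhbO9vGBMggczo7R0qIh1kdhS6WzcrDoO6PkpuRg0L3qM7YQB6pw2V+ubzF7xl4C0HWltfzPTbzAHdJtja
JQw7QaBlmAYpN2CLB6Jeg8q/1Xpgdw/+IP1GRwdg7xUpReUA482l4MH1kf0W0ad94SuIfNWQHcdLApmno/SUh1bpZyeWrMnlhkGNDKMxCCQXQ360TwFHc8dfEAaq5ry6
cZzm1oetrkSviE2qofxvv1VFiQ+9TX3/zkECCsUB/EjPM0lxFBmu9T5Ih+Eqns9ivmrEIQDv9tNyJHuLsDNqbUBal7OoiPZnXk9LH+qb+pLf1ofv5noy5vX2a5OKebHe
+0Ex/A7e+G/HuOjVNqhZ9j5Nispfq9zNyOHGWD8ofj8DHwB50L1Xh5H+EbIoga/hJCQnRtxWkHP699T1JpLFYwapgplivF4TFv4fqp0nHTKC1x9gGrIgvuYJl1txIKmx
XdfJzgscMzqpabhtHOMXOiwQBpWzyJkofF/w55e0LttZDBkEsilV/vW0CJsPs3eNaQF+iMWscGOkgLFlWsAS3HwyiYLNJo26aqyWPaIdc8E4ck7Sk08WrFrHIK3EHr4n
1FZwmLpFAvucKqgl0hr+2jypyh5puA3KksHF3CsUzjMUvzxMhykh9zrMxQAHLBVrGwc=
-----END CERTIFICATE-----"""
```

Call `audit(ROOT_256_PEM)` (or pass any other PEM string read from a file) and inspect the returned dict. A live check for the HTTP-redirect half of issue 1 would be a separate HEAD request to each CDP URI with redirects disabled; it is deliberately left out so that the example runs offline.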

Activities

wytze

2014-09-15 14:07

developer  

crl-redirect-issue.log (5,274 bytes)

Ruel Print

2014-10-04 09:58

reporter  

Global Sign.p7b (936 bytes)

felixd

2015-11-25 23:53

updater   ~0005486

There exists a procedure now that will fix this problem:
https://github.com/CAcertOrg/cacert-procedures/tree/master/rootResignSHA256

It was executed on test data at FrOSCon.
The following Audit report documents this execution:
https://wiki.cacert.org/Audit/Results/session2015.4

Currently the resulting files (re-signed test certificate, intermediate files, etc.) are kept with Board, which should soon release them to the public.

Therefore we should soon (after enough review) be good to go for the real certificate.

felixd

2015-12-14 21:58

updater   ~0005492

We noticed problems related to keeping the serial of the certificate. We therefore need to adjust the serial number to circumvent "reused issuer and serial" errors when the browser has both certificates (i.e. one installed and the other received via the SSL handshake).

I therefore propose:
https://github.com/yellowant/cacert-procedures/commit/a73faf1dbd8d88ebc490bd182db8c4c9e0dccaf2

cilap

2016-02-05 09:50

reporter   ~0005495

The issue has become more pressing in the meantime.

On Java and Eclipse I am getting:
svn: E175002: SSL handshake failed: 'java.security.cert.CertificateException: Certificates does not conform to algorithm constraints'

Since Oracle has made rejecting MD2 and MD5 certificates the default, any SSL connection on Ubuntu 14.04 is failing in combination with a Java VM.
Sadly the implementation is so stupid that all certificates are read in and added to the trust store during the first connection. And all certificates are checked, not only the ones which should be checked on the chain from the server cert up to the root.

Is there any plan on reissuing the root certificate with a SHA fingerprint and getting rid of MD5withRSA?

A workaround (but only working until the next Java update) is to edit

vi /usr/lib/jvm/java-8-oracle/jre/lib/security/java.security

and change it to this:

#jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024

#jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768
jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 768

But from a security perspective it is not really nice that CAcert is still running its root cert on an "obsoleted" algorithm.

Hope I could help some guys with my report and the workaround description.

reinhardm

2016-03-14 17:00

updater   ~0005512

Today I added the new roots into the browser.
I am running openSUSE and Firefox. The roots installed with a mouse click with no problems. I tried several logins where certificate login is required. All worked well.
I removed the old roots and made a login to https://bugs.cacert.org with no problems.
I will try further on different browsers and OS versions.

bjobjo

2017-04-04 16:12

reporter   ~0005542

Hello,
I increased the priority and severity.
Firefox no longer accepts the Root Certificate, so we have to add an exception for every site that uses the CAcert authority.

The ticket was opened in 2014 and we still don't have a new root cert.

The whole reputation of CAcert is in danger if the root certs are not secure.

Please do urgently fix this.
Current Firefox message, for example:

wiki.cacert.org uses an invalid security certificate. The certificate is not trusted because it was signed using a signature algorithm that was disabled because that algorithm is not secure. Error code: SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED

dops

2018-04-18 21:37

reporter   ~0005586

New signed roots are tested on multiple platforms, see here: https://lists.cacert.org/wws/arc/cacert-board/2018-04/msg00014.html
Some people reported having used the certificates for years without any problems.

Anyone left in the software team is welcome to announce where people can continue working.

GuKKDevel

2018-10-31 13:03

updater   ~0005628

A diff we started in Feb 2017 (Dirk, Aleš, and me):

diff-release-bug-1305 (25,355 bytes)
diff --git a/pages/index/3.php b/pages/index/3.php
index af0c0f3..f060c8f 100644
--- a/pages/index/3.php
+++ b/pages/index/3.php
@@ -18,37 +18,6 @@
 
 <p><?=sprintf(_("You are bound by the %s Root Distribution Licence %s for any re-distributions of CAcert's roots."),"<a href='/policy/RootDistributionLicense.html'>","</a>")?></p>
 
-<h1><?=_("re-signed versions from 2016 - ")?><a href="https://blog.cacert.org/2016/03/successful-root-re-sign/"><?=_("see blog")?></a></h1>
-<br>
-
-<h3><?=_("Windows Installer") ?></h3>
-<ul class="no_indent">
-	<li><? printf(_("%s Windows installer package %s for browsers that use the Windows certificate store %s (for example Internet Explorer, Chrome on Windows and Safari on Windows)"), '<a href="certs/CAcert_Root_Certificates_256.msi">', '</a>', '<br/>')?></li>
-	<li><?=_("SHA1 Hash:") ?> f27e06391e5cfd87200baa1a0f674a9725516a4f</li>
-	<li><?=_("SHA256 Hash:") ?> 412c5fa846da64a80148f788b5bb0b70517d6f12bfb133ae6a87cc6bd1921b90</li>
-</ul>
-
-<h3><?=_("Class 1 PKI Key")?></h3>
-<ul class="no_indent">
-	<li><a href="certs/root_256.crt"><?=_("Root Certificate (PEM Format)")?></a></li>
-	<li><a href="certs/root_256.der"><?=_("Root Certificate (DER Format)")?></a></li>
-	<li><a href="certs/root_256.txt"><?=_("Root Certificate (Text Format)")?></a></li>
-	<li><a href="<?=$_SERVER['HTTPS']?"https":"http"?>://crl.cacert.org/revoke.crl">CRL</a></li>
-	<li><?=_("SHA256 fingerprint:")?> 07ED BD82 4A49 88CF EF42 15DA 20D4 8C2B 41D7 1529 D7C9 00F5 7092 6F27 7CC2 30C5</li>
-</ul>
-
-<h3><?=_("Class 3 PKI Key")?></h3>
-<ul class="no_indent">
-	<li><a href="certs/class3_256.crt"><?=_("Intermediate Certificate (PEM Format)")?></a></li>
-	<li><a href="certs/class3_256.der"><?=_("Intermediate Certificate (DER Format)")?></a></li>
-	<li><a href="certs/class3_256.txt"><?=_("Intermediate Certificate (Text Format)")?></a></li>
-	<li><a href="<?=$_SERVER['HTTPS']?"https":"http"?>://crl.cacert.org/class3-revoke.crl">CRL</a></li>
-	<li><?=_("SHA256 fingerprint:")?> F687 3D70 D675 96C2 ACBA 3440 1E69 738B 5270 1DD6 AB06 B497 49BC 5515 0936 D544</li>
-</ul>
-
-<h1><?=_("old versions")?></h1>
-<br>
-
 <h3><?=_("Windows Installer") ?></h3>
 <ul class="no_indent">
 	<li><? printf(_("%s Windows installer package %s for browsers that use the Windows certificate store %s (for example Internet Explorer, Chrome on Windows and Safari on Windows)"), '<a href="certs/CAcert_Root_Certificates.msi">', '</a>', '<br/>')?></li>
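Review bot: the direction of this hunk looks reversed for a change that is supposed to publish the 2016 re-signed roots: every line of the `re-signed versions from 2016` section is a `-` line, so applying it drops the links to `certs/root_256.crt`, `certs/class3_256.crt` and `certs/CAcert_Root_Certificates_256.msi` from pages/index/3.php and also removes the `old versions` heading, leaving the MD5-signed roots as the only listing on the page. The removed lines also carry the SHA256 fingerprints `07ED BD82 4A49 88CF ... 7CC2 30C5` and `F687 3D70 D675 96C2 ... 0936 D544`, which are exactly the values confirmed as correct later in this issue. Please regenerate the diff with the two branches in the other order (or state explicitly in the commit message that removing the re-signed roots is intended), and keep the fingerprint lines so that a user can verify a download against the published values.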
diff --git a/www/certs/CAcert_Root_Certificates_256.msi b/www/certs/CAcert_Root_Certificates_256.msi
deleted file mode 100644
index e94d8fc..0000000
Binary files a/www/certs/CAcert_Root_Certificates_256.msi and /dev/null differ
diff --git a/www/certs/class3_256.crt b/www/certs/class3_256.crt
deleted file mode 100644
index d358c12..0000000
--- a/www/certs/class3_256.crt
+++ /dev/null
@@ -1,39 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIG0jCCBLqgAwIBAgIBDjANBgkqhkiG9w0BAQsFADB5MRAwDgYDVQQKEwdSb290
-IENBMR4wHAYDVQQLExVodHRwOi8vd3d3LmNhY2VydC5vcmcxIjAgBgNVBAMTGUNB
-IENlcnQgU2lnbmluZyBBdXRob3JpdHkxITAfBgkqhkiG9w0BCQEWEnN1cHBvcnRA
-Y2FjZXJ0Lm9yZzAeFw0xMTA1MjMxNzQ4MDJaFw0yMTA1MjAxNzQ4MDJaMFQxFDAS
-BgNVBAoTC0NBY2VydCBJbmMuMR4wHAYDVQQLExVodHRwOi8vd3d3LkNBY2VydC5v
-cmcxHDAaBgNVBAMTE0NBY2VydCBDbGFzcyAzIFJvb3QwggIiMA0GCSqGSIb3DQEB
-AQUAA4ICDwAwggIKAoICAQCrSTURSHzSJn5TlM9Dqd0o10Iqi/OHeBlYfA+e2ol9
-4fvrcpANdKGWZKufoCSZc9riVXbHF3v1BKxGuMO+f2SNEGwk82GcwPKQ+lHm9WkB
-Y8MPVuJKQs/iRIwlKKjFeQl9RrmK8+nzNCkIReQcn8uUBByBqBSzmGXEQ+xOgo0J
-0b2qW42S0OzekMV/CsLj6+YxWl50PpczWejDAz1gM7/30W9HxM3uYoNSbi4ImqTZ
-FRiRpoWSR7CuSOtttyHshRpocjWr//AQXcD0lKdq1TuSfkyQBX6TwSyLpI5idBVx
-bgtxA+qvFTia1NIFcm+M+SvrWnIl+TlG43IbPgTDZCciECqKT1inA62+tC4T7V2q
-SNfVfdQqe1z6RgRQ5MwOQluM7dvyz/yWk+DbETZUYjQ4jwxgmzuXVjit89Jbi6Bb
-6k6WuHzX1aCGcEDTkSm3ojyt9Yy7zxqSiuQ0e8DYbF/pCsLDpyCaWt8sXVJcukfV
-m+8kKHA4IC/VfynAskEDaJLM4JzMl0tF7zoQCqtwOpiVcK01seqFK6QcgCExqa5g
-eoAmSAC4AcCTY1UikTxW56/bOiXzjzFU6iaLgVn5odFTEcV7nQP2dBHgbbEsPyyG
-kZlxmqZ3izRg0RS0LKydr4wQ05/EavhvE/xzWfdmQnQeiuP43NJvmJzLR5iVQAX7
-6QIDAQABo4IBiDCCAYQwHQYDVR0OBBYEFHWocWBMiBPweNmJd7VtxYnfvLF6MA8G
-A1UdEwEB/wQFMAMBAf8wXQYIKwYBBQUHAQEEUTBPMCMGCCsGAQUFBzABhhdodHRw
-Oi8vb2NzcC5DQWNlcnQub3JnLzAoBggrBgEFBQcwAoYcaHR0cDovL3d3dy5DQWNl
-cnQub3JnL2NhLmNydDBKBgNVHSAEQzBBMD8GCCsGAQQBgZBKMDMwMQYIKwYBBQUH
-AgEWJWh0dHA6Ly93d3cuQ0FjZXJ0Lm9yZy9pbmRleC5waHA/aWQ9MTAwNAYJYIZI
-AYb4QgEIBCcWJWh0dHA6Ly93d3cuQ0FjZXJ0Lm9yZy9pbmRleC5waHA/aWQ9MTAw
-UAYJYIZIAYb4QgENBEMWQVRvIGdldCB5b3VyIG93biBjZXJ0aWZpY2F0ZSBmb3Ig
-RlJFRSwgZ28gdG8gaHR0cDovL3d3dy5DQWNlcnQub3JnMB8GA1UdIwQYMBaAFBa1
-MhvUx/Pg5o7zvdKwOu6yORjRMA0GCSqGSIb3DQEBCwUAA4ICAQBakBbQNiNWZJWJ
-vI+spCDJJoqp81TkQBg/SstDxpt2CebKVKeMlAuSaNZZuxeXe2nqrdRM4SlbKBWP
-3Rn0lVknlxjbjwm5fXh6yLBCVrXq616xJtCXE74FHIbhNAUVsQa92jzQE2OEbTWU
-0D6Zghih+j+cN0eFiuDuc3iC1GuZMb/Zw21AXbkVxzZ4ipaL0YQgsSt1P22ipb69
-6OLkrURctgY2cHS4pI62VpRgkwJ/Lw2n+C9vtukozMhrlPSTA0OhNEGiGp2hRpWa
-hiG+HGcIYfAV9v7og3dO9TnS0XDbbk1RqXPpc/DtrJWzmZN0O4KIx0OtLJJWG9zp
-9JrJyO6USIFYgar0U8HHHoTccth+8vJirz7Aw4DlCujo27OoIksg3OzgX/DkvWYl
-0J8EMlXoH0iTv3qcroQItOUFsgilbjRba86Q5kLhnCxjdW2CbbNSp8vlZn0uFxd8
-spxQcXs0CIn19uvcQIo4Z4uQ+00Lg9xI9YFV9S2MbSanlNUlvbB4UvHkel0p6bGt
-Amp1dJBSkZOFm0Z6ek+G7w7R1aTifjGJrdw032O+VIKwCgu8DdskR0w0B68ydZn0
-ATnMnr5ExvcWkZBtCgQa2NvSKrcQnlaqo9icEF4XevI/VTezlb1LjYMWHVd5R6C2
-p4wTyVBIM8hjrLcKiChF43GRJtne7w==
------END CERTIFICATE-----
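Review bot: the PEM removed here is the re-signed Class 3 intermediate itself, not a stale copy: its first line `MIIG0jCCBLqgAwIBAgIBDjANBgkqhkiG9w0BAQsFADB5` decodes to version 3, serial 14 and signature algorithm OID 1.2.840.113549.1.1.11 (sha256WithRSAEncryption), matching the serial 14 / F687 3D70 ... D544 certificate confirmed later in this issue. Deleting it only makes sense if the diff direction is wrong (see the pages/index/3.php hunk above). Whichever way it lands, please verify the file against the confirmed fingerprint before merging, e.g. `openssl x509 -in www/certs/class3_256.crt -noout -serial -fingerprint -sha256`.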
diff --git a/www/certs/class3_256.der b/www/certs/class3_256.der
deleted file mode 100644
index 417b714..0000000
Binary files a/www/certs/class3_256.der and /dev/null differ
diff --git a/www/certs/class3_256.txt b/www/certs/class3_256.txt
deleted file mode 100644
index 1b096b0..0000000
--- a/www/certs/class3_256.txt
+++ /dev/null
@@ -1,142 +0,0 @@
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number: 14 (0xe)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: O=Root CA, OU=http://www.cacert.org, CN=CA Cert Signing Authority/emailAddress=support@cacert.org
-        Validity
-            Not Before: May 23 17:48:02 2011 GMT
-            Not After : May 20 17:48:02 2021 GMT
-        Subject: O=CAcert Inc., OU=http://www.CAcert.org, CN=CAcert Class 3 Root
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                Public-Key: (4096 bit)
-                Modulus:
-                    00:ab:49:35:11:48:7c:d2:26:7e:53:94:cf:43:a9:
-                    dd:28:d7:42:2a:8b:f3:87:78:19:58:7c:0f:9e:da:
-                    89:7d:e1:fb:eb:72:90:0d:74:a1:96:64:ab:9f:a0:
-                    24:99:73:da:e2:55:76:c7:17:7b:f5:04:ac:46:b8:
-                    c3:be:7f:64:8d:10:6c:24:f3:61:9c:c0:f2:90:fa:
-                    51:e6:f5:69:01:63:c3:0f:56:e2:4a:42:cf:e2:44:
-                    8c:25:28:a8:c5:79:09:7d:46:b9:8a:f3:e9:f3:34:
-                    29:08:45:e4:1c:9f:cb:94:04:1c:81:a8:14:b3:98:
-                    65:c4:43:ec:4e:82:8d:09:d1:bd:aa:5b:8d:92:d0:
-                    ec:de:90:c5:7f:0a:c2:e3:eb:e6:31:5a:5e:74:3e:
-                    97:33:59:e8:c3:03:3d:60:33:bf:f7:d1:6f:47:c4:
-                    cd:ee:62:83:52:6e:2e:08:9a:a4:d9:15:18:91:a6:
-                    85:92:47:b0:ae:48:eb:6d:b7:21:ec:85:1a:68:72:
-                    35:ab:ff:f0:10:5d:c0:f4:94:a7:6a:d5:3b:92:7e:
-                    4c:90:05:7e:93:c1:2c:8b:a4:8e:62:74:15:71:6e:
-                    0b:71:03:ea:af:15:38:9a:d4:d2:05:72:6f:8c:f9:
-                    2b:eb:5a:72:25:f9:39:46:e3:72:1b:3e:04:c3:64:
-                    27:22:10:2a:8a:4f:58:a7:03:ad:be:b4:2e:13:ed:
-                    5d:aa:48:d7:d5:7d:d4:2a:7b:5c:fa:46:04:50:e4:
-                    cc:0e:42:5b:8c:ed:db:f2:cf:fc:96:93:e0:db:11:
-                    36:54:62:34:38:8f:0c:60:9b:3b:97:56:38:ad:f3:
-                    d2:5b:8b:a0:5b:ea:4e:96:b8:7c:d7:d5:a0:86:70:
-                    40:d3:91:29:b7:a2:3c:ad:f5:8c:bb:cf:1a:92:8a:
-                    e4:34:7b:c0:d8:6c:5f:e9:0a:c2:c3:a7:20:9a:5a:
-                    df:2c:5d:52:5c:ba:47:d5:9b:ef:24:28:70:38:20:
-                    2f:d5:7f:29:c0:b2:41:03:68:92:cc:e0:9c:cc:97:
-                    4b:45:ef:3a:10:0a:ab:70:3a:98:95:70:ad:35:b1:
-                    ea:85:2b:a4:1c:80:21:31:a9:ae:60:7a:80:26:48:
-                    00:b8:01:c0:93:63:55:22:91:3c:56:e7:af:db:3a:
-                    25:f3:8f:31:54:ea:26:8b:81:59:f9:a1:d1:53:11:
-                    c5:7b:9d:03:f6:74:11:e0:6d:b1:2c:3f:2c:86:91:
-                    99:71:9a:a6:77:8b:34:60:d1:14:b4:2c:ac:9d:af:
-                    8c:10:d3:9f:c4:6a:f8:6f:13:fc:73:59:f7:66:42:
-                    74:1e:8a:e3:f8:dc:d2:6f:98:9c:cb:47:98:95:40:
-                    05:fb:e9
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Subject Key Identifier: 
-                75:A8:71:60:4C:88:13:F0:78:D9:89:77:B5:6D:C5:89:DF:BC:B1:7A
-            X509v3 Basic Constraints: critical
-                CA:TRUE
-            Authority Information Access: 
-                OCSP - URI:http://ocsp.CAcert.org/
-                CA Issuers - URI:http://www.CAcert.org/ca.crt
-
-            X509v3 Certificate Policies: 
-                Policy: 1.3.6.1.4.1.18506
-                  CPS: http://www.CAcert.org/index.php?id=10
-
-            Netscape CA Policy Url: 
-                http://www.CAcert.org/index.php?id=10
-            Netscape Comment: 
-                To get your own certificate for FREE, go to http://www.CAcert.org
-            X509v3 Authority Key Identifier: 
-                keyid:16:B5:32:1B:D4:C7:F3:E0:E6:8E:F3:BD:D2:B0:3A:EE:B2:39:18:D1
-
-    Signature Algorithm: sha256WithRSAEncryption
-         5a:90:16:d0:36:23:56:64:95:89:bc:8f:ac:a4:20:c9:26:8a:
-         a9:f3:54:e4:40:18:3f:4a:cb:43:c6:9b:76:09:e6:ca:54:a7:
-         8c:94:0b:92:68:d6:59:bb:17:97:7b:69:ea:ad:d4:4c:e1:29:
-         5b:28:15:8f:dd:19:f4:95:59:27:97:18:db:8f:09:b9:7d:78:
-         7a:c8:b0:42:56:b5:ea:eb:5e:b1:26:d0:97:13:be:05:1c:86:
-         e1:34:05:15:b1:06:bd:da:3c:d0:13:63:84:6d:35:94:d0:3e:
-         99:82:18:a1:fa:3f:9c:37:47:85:8a:e0:ee:73:78:82:d4:6b:
-         99:31:bf:d9:c3:6d:40:5d:b9:15:c7:36:78:8a:96:8b:d1:84:
-         20:b1:2b:75:3f:6d:a2:a5:be:bd:e8:e2:e4:ad:44:5c:b6:06:
-         36:70:74:b8:a4:8e:b6:56:94:60:93:02:7f:2f:0d:a7:f8:2f:
-         6f:b6:e9:28:cc:c8:6b:94:f4:93:03:43:a1:34:41:a2:1a:9d:
-         a1:46:95:9a:86:21:be:1c:67:08:61:f0:15:f6:fe:e8:83:77:
-         4e:f5:39:d2:d1:70:db:6e:4d:51:a9:73:e9:73:f0:ed:ac:95:
-         b3:99:93:74:3b:82:88:c7:43:ad:2c:92:56:1b:dc:e9:f4:9a:
-         c9:c8:ee:94:48:81:58:81:aa:f4:53:c1:c7:1e:84:dc:72:d8:
-         7e:f2:f2:62:af:3e:c0:c3:80:e5:0a:e8:e8:db:b3:a8:22:4b:
-         20:dc:ec:e0:5f:f0:e4:bd:66:25:d0:9f:04:32:55:e8:1f:48:
-         93:bf:7a:9c:ae:84:08:b4:e5:05:b2:08:a5:6e:34:5b:6b:ce:
-         90:e6:42:e1:9c:2c:63:75:6d:82:6d:b3:52:a7:cb:e5:66:7d:
-         2e:17:17:7c:b2:9c:50:71:7b:34:08:89:f5:f6:eb:dc:40:8a:
-         38:67:8b:90:fb:4d:0b:83:dc:48:f5:81:55:f5:2d:8c:6d:26:
-         a7:94:d5:25:bd:b0:78:52:f1:e4:7a:5d:29:e9:b1:ad:02:6a:
-         75:74:90:52:91:93:85:9b:46:7a:7a:4f:86:ef:0e:d1:d5:a4:
-         e2:7e:31:89:ad:dc:34:df:63:be:54:82:b0:0a:0b:bc:0d:db:
-         24:47:4c:34:07:af:32:75:99:f4:01:39:cc:9e:be:44:c6:f7:
-         16:91:90:6d:0a:04:1a:d8:db:d2:2a:b7:10:9e:56:aa:a3:d8:
-         9c:10:5e:17:7a:f2:3f:55:37:b3:95:bd:4b:8d:83:16:1d:57:
-         79:47:a0:b6:a7:8c:13:c9:50:48:33:c8:63:ac:b7:0a:88:28:
-         45:e3:71:91:26:d9:de:ef
------BEGIN CERTIFICATE-----
-MIIHWTCCBUGgAwIBAgIDCkGKMA0GCSqGSIb3DQEBCwUAMHkxEDAOBgNVBAoTB1Jv
-b3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAGA1UEAxMZ
-Q0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYSc3VwcG9y
-dEBjYWNlcnQub3JnMB4XDTExMDUyMzE3NDgwMloXDTIxMDUyMDE3NDgwMlowVDEU
-MBIGA1UEChMLQ0FjZXJ0IEluYy4xHjAcBgNVBAsTFWh0dHA6Ly93d3cuQ0FjZXJ0
-Lm9yZzEcMBoGA1UEAxMTQ0FjZXJ0IENsYXNzIDMgUm9vdDCCAiIwDQYJKoZIhvcN
-AQEBBQADggIPADCCAgoCggIBAKtJNRFIfNImflOUz0Op3SjXQiqL84d4GVh8D57a
-iX3h++tykA10oZZkq5+gJJlz2uJVdscXe/UErEa4w75/ZI0QbCTzYZzA8pD6Ueb1
-aQFjww9W4kpCz+JEjCUoqMV5CX1GuYrz6fM0KQhF5Byfy5QEHIGoFLOYZcRD7E6C
-jQnRvapbjZLQ7N6QxX8KwuPr5jFaXnQ+lzNZ6MMDPWAzv/fRb0fEze5ig1JuLgia
-pNkVGJGmhZJHsK5I6223IeyFGmhyNav/8BBdwPSUp2rVO5J+TJAFfpPBLIukjmJ0
-FXFuC3ED6q8VOJrU0gVyb4z5K+taciX5OUbjchs+BMNkJyIQKopPWKcDrb60LhPt
-XapI19V91Cp7XPpGBFDkzA5CW4zt2/LP/JaT4NsRNlRiNDiPDGCbO5dWOK3z0luL
-oFvqTpa4fNfVoIZwQNORKbeiPK31jLvPGpKK5DR7wNhsX+kKwsOnIJpa3yxdUly6
-R9Wb7yQocDggL9V/KcCyQQNokszgnMyXS0XvOhAKq3A6mJVwrTWx6oUrpByAITGp
-rmB6gCZIALgBwJNjVSKRPFbnr9s6JfOPMVTqJouBWfmh0VMRxXudA/Z0EeBtsSw/
-LIaRmXGapneLNGDRFLQsrJ2vjBDTn8Rq+G8T/HNZ92ZCdB6K4/jc0m+YnMtHmJVA
-BfvpAgMBAAGjggINMIICCTAdBgNVHQ4EFgQUdahxYEyIE/B42Yl3tW3Fid+8sXow
-gaMGA1UdIwSBmzCBmIAUFrUyG9TH8+DmjvO90rA67rI5GNGhfaR7MHkxEDAOBgNV
-BAoTB1Jvb3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAG
-A1UEAxMZQ0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYS
-c3VwcG9ydEBjYWNlcnQub3JnggEAMA8GA1UdEwEB/wQFMAMBAf8wXQYIKwYBBQUH
-AQEEUTBPMCMGCCsGAQUFBzABhhdodHRwOi8vb2NzcC5DQWNlcnQub3JnLzAoBggr
-BgEFBQcwAoYcaHR0cDovL3d3dy5DQWNlcnQub3JnL2NhLmNydDBKBgNVHSAEQzBB
-MD8GCCsGAQQBgZBKMDMwMQYIKwYBBQUHAgEWJWh0dHA6Ly93d3cuQ0FjZXJ0Lm9y
-Zy9pbmRleC5waHA/aWQ9MTAwNAYJYIZIAYb4QgEIBCcWJWh0dHA6Ly93d3cuQ0Fj
-ZXJ0Lm9yZy9pbmRleC5waHA/aWQ9MTAwUAYJYIZIAYb4QgENBEMWQVRvIGdldCB5
-b3VyIG93biBjZXJ0aWZpY2F0ZSBmb3IgRlJFRSwgZ28gdG8gaHR0cDovL3d3dy5D
-QWNlcnQub3JnMA0GCSqGSIb3DQEBCwUAA4ICAQApKIWuRKm5r6R5E/CooyuXYPNc
-7uMvwfbiZqARrjY3OnYVBFPqQvX56sAV2KaC2eRhrnILKVyQQ+hBsuF32wITRHhH
-Va9Y/MyY9kW50SD42CEH/m2qc9SzxgfpCYXMO/K2viwcJdVxjDm1Luq+GIG6sJO4
-D+Pm1yaMMVpyA4RS5qb1MyJFCsgLDYq4Nm+QCaGrvdfVTi5xotSu+qdUK+s1jVq3
-VIgv7nSf7UgWyg1I0JTTrKSi9iTfkuO960NAkW4cGI5WtIIS86mTn9S8nK2cde5a
-lxuV53QtHA+wLJef+6kzOXrnAzqSjiL2jA3k2X4Ndhj3AfnvlpaiVXPAPHG0HRpW
-Q7fDCo1y/OIQCQtBzoyUoPkD/XFzS4pXM+WOdH4VAQDmzEoc53+VGS3FpQyLu7Xt
-hbNc09+4ufLKxw0BFKxwWMWMjTPUnWajGlCVI/xI4AZDEtnNp4Y5LzZyo4AQ5OHz
-0ctbGsDkgJp8E3MGT9ujayQKurMcvEp4u+XjdTilSKeiHq921F73OIZWWonO1sOn
-ebJSoMbxhbQljPI/lrMQ2Y1sVzufb4Y6GIIiNsiwkTjbKqGTqoQ/9SdlrnPVyNXT
-d+pLncdBu8fA46A/5H2kjXPmEkvfoXNzczqA6NXLji/L6hOn1kGLrPo8idck9U60
-4GGSt/M3mMS+lqO3ig==
------END CERTIFICATE-----
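Review bot: the removed class3_256.txt is internally inconsistent and should not be restored as-is: the text dump describes serial 14 with a signature starting `5a:90:16:d0`, which matches class3_256.crt, but the PEM appended at the end of the same file begins `MIIHWTCCBUGgAwIBAgIDCkGKMA0GCSqGSIb3DQEBCwUAMHkx`, i.e. serial 0x0a418a, with a signature beginning 29:28:85:ae (`A4ICAQApKIWu`) and an Authority Key Identifier that carries issuer name and serial, none of which appear in the dump above it. That is a different Class 3 certificate. When the file is regenerated, produce dump and PEM in one step (`openssl x509 -in class3_256.crt -text`) so the two halves cannot drift; root_256.txt below has matching halves.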
diff --git a/www/certs/root_256.crt b/www/certs/root_256.crt
deleted file mode 100644
index 8ef0716..0000000
--- a/www/certs/root_256.crt
+++ /dev/null
@@ -1,40 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIG7jCCBNagAwIBAgIBDzANBgkqhkiG9w0BAQsFADB5MRAwDgYDVQQKEwdSb290
-IENBMR4wHAYDVQQLExVodHRwOi8vd3d3LmNhY2VydC5vcmcxIjAgBgNVBAMTGUNB
-IENlcnQgU2lnbmluZyBBdXRob3JpdHkxITAfBgkqhkiG9w0BCQEWEnN1cHBvcnRA
-Y2FjZXJ0Lm9yZzAeFw0wMzAzMzAxMjI5NDlaFw0zMzAzMjkxMjI5NDlaMHkxEDAO
-BgNVBAoTB1Jvb3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEi
-MCAGA1UEAxMZQ0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJ
-ARYSc3VwcG9ydEBjYWNlcnQub3JnMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIIC
-CgKCAgEAziLA4kZ97DYoB1CW8qAzQIxL8TtmPzHlawI229Z89vGIj053NgVBlfkJ
-8BLPRoZzYLdufujAWGSuzbCtRRcMY/pnCujW0r8+55jE8Ez64AO7NV1sId6eINm6
-zWYyN3L69wj1x81YyY7nDl7qPv4coRQKFWyGhFtkZip6qUtTefWIonvuLwphK42y
-fk1WpRPs6tqSnqxEQR5YYGUFZvjARL3LlPdCfgv3ZWiYUQXw8wWRBB0bF4LsyFe7
-w2t6iPGwcswlWyCR7BYCEo8y6RcYSNDHBS4CMEK4JZwFaz+qOqfrU0j36NK2B5jc
-G8Y0f3/JHIJ6BVgrCFvzOKKrF11myZjXnhCLotLddJr3cQxyYN/Nb5gznZY0dj4k
-epKwDpUeb+agRThHqtdB7Uq3EvbXG4OKDy7YCbZZ16oE/9KTfWgu3YtLq1i6L43q
-laegw1SJpfvbi1EinbLDvhG+LJGGi5Z4rSDTii8aP8bQUWWHIbEZAWV/RRyH9XzQ
-QUxPKZgh/TMfdQwEUfoZd9vUFBzugcMd9Zi3aQaRIt0AUMyBMawSB3s42mhb5ivU
-fslfrejrckzzAeVLIL+aplfKkQABi6F1ITe1Yw1nPkZPcCBnzsXWWdsC4PDSy826
-YreQQejdIOQpvGQpQsgi3Hia/0PsmBsJUUtaWsJx8cTLc6nloQsCAwEAAaOCAX8w
-ggF7MB0GA1UdDgQWBBQWtTIb1Mfz4OaO873SsDrusjkY0TAPBgNVHRMBAf8EBTAD
-AQH/MDQGCWCGSAGG+EIBCAQnFiVodHRwOi8vd3d3LmNhY2VydC5vcmcvaW5kZXgu
-cGhwP2lkPTEwMFYGCWCGSAGG+EIBDQRJFkdUbyBnZXQgeW91ciBvd24gY2VydGlm
-aWNhdGUgZm9yIEZSRUUgaGVhZCBvdmVyIHRvIGh0dHA6Ly93d3cuY2FjZXJ0Lm9y
-ZzAxBgNVHR8EKjAoMCagJKAihiBodHRwOi8vY3JsLmNhY2VydC5vcmcvcmV2b2tl
-LmNybDAzBglghkgBhvhCAQQEJhYkVVJJOmh0dHA6Ly9jcmwuY2FjZXJ0Lm9yZy9y
-ZXZva2UuY3JsMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYWaHR0cDovL29j
-c3AuY2FjZXJ0Lm9yZzAfBgNVHSMEGDAWgBQWtTIb1Mfz4OaO873SsDrusjkY0TAN
-BgkqhkiG9w0BAQsFAAOCAgEAR5zXs6IX01JTt7Rq3b+bNRUhbO9vGBMggczo7R0q
-Ih1kdhS6WzcrDoO6PkpuRg0L3qM7YQB6pw2V+ubzF7xl4C0HWltfzPTbzAHdJtja
-JQw7QaBlmAYpN2CLB6Jeg8q/1Xpgdw/+IP1GRwdg7xUpReUA482l4MH1kf0W0ad9
-4SuIfNWQHcdLApmno/SUh1bpZyeWrMnlhkGNDKMxCCQXQ360TwFHc8dfEAaq5ry6
-cZzm1oetrkSviE2qofxvv1VFiQ+9TX3/zkECCsUB/EjPM0lxFBmu9T5Ih+Eqns9i
-vmrEIQDv9tNyJHuLsDNqbUBal7OoiPZnXk9LH+qb+pLf1ofv5noy5vX2a5OKebHe
-+0Ex/A7e+G/HuOjVNqhZ9j5Nispfq9zNyOHGWD8ofj8DHwB50L1Xh5H+EbIoga/h
-JCQnRtxWkHP699T1JpLFYwapgplivF4TFv4fqp0nHTKC1x9gGrIgvuYJl1txIKmx
-XdfJzgscMzqpabhtHOMXOiwQBpWzyJkofF/w55e0LttZDBkEsilV/vW0CJsPs3eN
-aQF+iMWscGOkgLFlWsAS3HwyiYLNJo26aqyWPaIdc8E4ck7Sk08WrFrHIK3EHr4n
-1FZwmLpFAvucKqgl0hr+2jypyh5puA3KksHF3CsUzjMUvzxMhykh9zrMxQAHLBVr
-Gwc=
------END CERTIFICATE-----
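Review bot: same reversed-direction concern as for the Class 3 file: `MIIG7jCCBNagAwIBAgIBDzANBgkqhkiG9w0BAQsFADB5` decodes to serial 15 and sha256WithRSAEncryption, so this hunk deletes the re-signed root that the summary of this issue asks to publish, and the PEM is byte-for-byte the one embedded at the end of root_256.txt below. If the deletion is intended, say so in the commit message; otherwise flip the diff before it is applied to the release branch.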
diff --git a/www/certs/root_256.der b/www/certs/root_256.der
deleted file mode 100644
index e827487..0000000
Binary files a/www/certs/root_256.der and /dev/null differ
diff --git a/www/certs/root_256.txt b/www/certs/root_256.txt
deleted file mode 100644
index 428e0bc..0000000
--- a/www/certs/root_256.txt
+++ /dev/null
@@ -1,142 +0,0 @@
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number: 15 (0xf)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: O=Root CA, OU=http://www.cacert.org, CN=CA Cert Signing Authority/emailAddress=support@cacert.org
-        Validity
-            Not Before: Mar 30 12:29:49 2003 GMT
-            Not After : Mar 29 12:29:49 2033 GMT
-        Subject: O=Root CA, OU=http://www.cacert.org, CN=CA Cert Signing Authority/emailAddress=support@cacert.org
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                Public-Key: (4096 bit)
-                Modulus:
-                    00:ce:22:c0:e2:46:7d:ec:36:28:07:50:96:f2:a0:
-                    33:40:8c:4b:f1:3b:66:3f:31:e5:6b:02:36:db:d6:
-                    7c:f6:f1:88:8f:4e:77:36:05:41:95:f9:09:f0:12:
-                    cf:46:86:73:60:b7:6e:7e:e8:c0:58:64:ae:cd:b0:
-                    ad:45:17:0c:63:fa:67:0a:e8:d6:d2:bf:3e:e7:98:
-                    c4:f0:4c:fa:e0:03:bb:35:5d:6c:21:de:9e:20:d9:
-                    ba:cd:66:32:37:72:fa:f7:08:f5:c7:cd:58:c9:8e:
-                    e7:0e:5e:ea:3e:fe:1c:a1:14:0a:15:6c:86:84:5b:
-                    64:66:2a:7a:a9:4b:53:79:f5:88:a2:7b:ee:2f:0a:
-                    61:2b:8d:b2:7e:4d:56:a5:13:ec:ea:da:92:9e:ac:
-                    44:41:1e:58:60:65:05:66:f8:c0:44:bd:cb:94:f7:
-                    42:7e:0b:f7:65:68:98:51:05:f0:f3:05:91:04:1d:
-                    1b:17:82:ec:c8:57:bb:c3:6b:7a:88:f1:b0:72:cc:
-                    25:5b:20:91:ec:16:02:12:8f:32:e9:17:18:48:d0:
-                    c7:05:2e:02:30:42:b8:25:9c:05:6b:3f:aa:3a:a7:
-                    eb:53:48:f7:e8:d2:b6:07:98:dc:1b:c6:34:7f:7f:
-                    c9:1c:82:7a:05:58:2b:08:5b:f3:38:a2:ab:17:5d:
-                    66:c9:98:d7:9e:10:8b:a2:d2:dd:74:9a:f7:71:0c:
-                    72:60:df:cd:6f:98:33:9d:96:34:76:3e:24:7a:92:
-                    b0:0e:95:1e:6f:e6:a0:45:38:47:aa:d7:41:ed:4a:
-                    b7:12:f6:d7:1b:83:8a:0f:2e:d8:09:b6:59:d7:aa:
-                    04:ff:d2:93:7d:68:2e:dd:8b:4b:ab:58:ba:2f:8d:
-                    ea:95:a7:a0:c3:54:89:a5:fb:db:8b:51:22:9d:b2:
-                    c3:be:11:be:2c:91:86:8b:96:78:ad:20:d3:8a:2f:
-                    1a:3f:c6:d0:51:65:87:21:b1:19:01:65:7f:45:1c:
-                    87:f5:7c:d0:41:4c:4f:29:98:21:fd:33:1f:75:0c:
-                    04:51:fa:19:77:db:d4:14:1c:ee:81:c3:1d:f5:98:
-                    b7:69:06:91:22:dd:00:50:cc:81:31:ac:12:07:7b:
-                    38:da:68:5b:e6:2b:d4:7e:c9:5f:ad:e8:eb:72:4c:
-                    f3:01:e5:4b:20:bf:9a:a6:57:ca:91:00:01:8b:a1:
-                    75:21:37:b5:63:0d:67:3e:46:4f:70:20:67:ce:c5:
-                    d6:59:db:02:e0:f0:d2:cb:cd:ba:62:b7:90:41:e8:
-                    dd:20:e4:29:bc:64:29:42:c8:22:dc:78:9a:ff:43:
-                    ec:98:1b:09:51:4b:5a:5a:c2:71:f1:c4:cb:73:a9:
-                    e5:a1:0b
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Subject Key Identifier: 
-                16:B5:32:1B:D4:C7:F3:E0:E6:8E:F3:BD:D2:B0:3A:EE:B2:39:18:D1
-            X509v3 Basic Constraints: critical
-                CA:TRUE
-            Netscape CA Policy Url: 
-                http://www.cacert.org/index.php?id=10
-            Netscape Comment: 
-                To get your own certificate for FREE head over to http://www.cacert.org
-            X509v3 CRL Distribution Points: 
-
-                Full Name:
-                  URI:http://crl.cacert.org/revoke.crl
-
-            Netscape CA Revocation Url: 
-                URI:http://crl.cacert.org/revoke.crl
-            Authority Information Access: 
-                OCSP - URI:http://ocsp.cacert.org
-
-            X509v3 Authority Key Identifier: 
-                keyid:16:B5:32:1B:D4:C7:F3:E0:E6:8E:F3:BD:D2:B0:3A:EE:B2:39:18:D1
-
-    Signature Algorithm: sha256WithRSAEncryption
-         47:9c:d7:b3:a2:17:d3:52:53:b7:b4:6a:dd:bf:9b:35:15:21:
-         6c:ef:6f:18:13:20:81:cc:e8:ed:1d:2a:22:1d:64:76:14:ba:
-         5b:37:2b:0e:83:ba:3e:4a:6e:46:0d:0b:de:a3:3b:61:00:7a:
-         a7:0d:95:fa:e6:f3:17:bc:65:e0:2d:07:5a:5b:5f:cc:f4:db:
-         cc:01:dd:26:d8:da:25:0c:3b:41:a0:65:98:06:29:37:60:8b:
-         07:a2:5e:83:ca:bf:d5:7a:60:77:0f:fe:20:fd:46:47:07:60:
-         ef:15:29:45:e5:00:e3:cd:a5:e0:c1:f5:91:fd:16:d1:a7:7d:
-         e1:2b:88:7c:d5:90:1d:c7:4b:02:99:a7:a3:f4:94:87:56:e9:
-         67:27:96:ac:c9:e5:86:41:8d:0c:a3:31:08:24:17:43:7e:b4:
-         4f:01:47:73:c7:5f:10:06:aa:e6:bc:ba:71:9c:e6:d6:87:ad:
-         ae:44:af:88:4d:aa:a1:fc:6f:bf:55:45:89:0f:bd:4d:7d:ff:
-         ce:41:02:0a:c5:01:fc:48:cf:33:49:71:14:19:ae:f5:3e:48:
-         87:e1:2a:9e:cf:62:be:6a:c4:21:00:ef:f6:d3:72:24:7b:8b:
-         b0:33:6a:6d:40:5a:97:b3:a8:88:f6:67:5e:4f:4b:1f:ea:9b:
-         fa:92:df:d6:87:ef:e6:7a:32:e6:f5:f6:6b:93:8a:79:b1:de:
-         fb:41:31:fc:0e:de:f8:6f:c7:b8:e8:d5:36:a8:59:f6:3e:4d:
-         8a:ca:5f:ab:dc:cd:c8:e1:c6:58:3f:28:7e:3f:03:1f:00:79:
-         d0:bd:57:87:91:fe:11:b2:28:81:af:e1:24:24:27:46:dc:56:
-         90:73:fa:f7:d4:f5:26:92:c5:63:06:a9:82:99:62:bc:5e:13:
-         16:fe:1f:aa:9d:27:1d:32:82:d7:1f:60:1a:b2:20:be:e6:09:
-         97:5b:71:20:a9:b1:5d:d7:c9:ce:0b:1c:33:3a:a9:69:b8:6d:
-         1c:e3:17:3a:2c:10:06:95:b3:c8:99:28:7c:5f:f0:e7:97:b4:
-         2e:db:59:0c:19:04:b2:29:55:fe:f5:b4:08:9b:0f:b3:77:8d:
-         69:01:7e:88:c5:ac:70:63:a4:80:b1:65:5a:c0:12:dc:7c:32:
-         89:82:cd:26:8d:ba:6a:ac:96:3d:a2:1d:73:c1:38:72:4e:d2:
-         93:4f:16:ac:5a:c7:20:ad:c4:1e:be:27:d4:56:70:98:ba:45:
-         02:fb:9c:2a:a8:25:d2:1a:fe:da:3c:a9:ca:1e:69:b8:0d:ca:
-         92:c1:c5:dc:2b:14:ce:33:14:bf:3c:4c:87:29:21:f7:3a:cc:
-         c5:00:07:2c:15:6b:1b:07
------BEGIN CERTIFICATE-----
-MIIG7jCCBNagAwIBAgIBDzANBgkqhkiG9w0BAQsFADB5MRAwDgYDVQQKEwdSb290
-IENBMR4wHAYDVQQLExVodHRwOi8vd3d3LmNhY2VydC5vcmcxIjAgBgNVBAMTGUNB
-IENlcnQgU2lnbmluZyBBdXRob3JpdHkxITAfBgkqhkiG9w0BCQEWEnN1cHBvcnRA
-Y2FjZXJ0Lm9yZzAeFw0wMzAzMzAxMjI5NDlaFw0zMzAzMjkxMjI5NDlaMHkxEDAO
-BgNVBAoTB1Jvb3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEi
-MCAGA1UEAxMZQ0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJ
-ARYSc3VwcG9ydEBjYWNlcnQub3JnMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIIC
-CgKCAgEAziLA4kZ97DYoB1CW8qAzQIxL8TtmPzHlawI229Z89vGIj053NgVBlfkJ
-8BLPRoZzYLdufujAWGSuzbCtRRcMY/pnCujW0r8+55jE8Ez64AO7NV1sId6eINm6
-zWYyN3L69wj1x81YyY7nDl7qPv4coRQKFWyGhFtkZip6qUtTefWIonvuLwphK42y
-fk1WpRPs6tqSnqxEQR5YYGUFZvjARL3LlPdCfgv3ZWiYUQXw8wWRBB0bF4LsyFe7
-w2t6iPGwcswlWyCR7BYCEo8y6RcYSNDHBS4CMEK4JZwFaz+qOqfrU0j36NK2B5jc
-G8Y0f3/JHIJ6BVgrCFvzOKKrF11myZjXnhCLotLddJr3cQxyYN/Nb5gznZY0dj4k
-epKwDpUeb+agRThHqtdB7Uq3EvbXG4OKDy7YCbZZ16oE/9KTfWgu3YtLq1i6L43q
-laegw1SJpfvbi1EinbLDvhG+LJGGi5Z4rSDTii8aP8bQUWWHIbEZAWV/RRyH9XzQ
-QUxPKZgh/TMfdQwEUfoZd9vUFBzugcMd9Zi3aQaRIt0AUMyBMawSB3s42mhb5ivU
-fslfrejrckzzAeVLIL+aplfKkQABi6F1ITe1Yw1nPkZPcCBnzsXWWdsC4PDSy826
-YreQQejdIOQpvGQpQsgi3Hia/0PsmBsJUUtaWsJx8cTLc6nloQsCAwEAAaOCAX8w
-ggF7MB0GA1UdDgQWBBQWtTIb1Mfz4OaO873SsDrusjkY0TAPBgNVHRMBAf8EBTAD
-AQH/MDQGCWCGSAGG+EIBCAQnFiVodHRwOi8vd3d3LmNhY2VydC5vcmcvaW5kZXgu
-cGhwP2lkPTEwMFYGCWCGSAGG+EIBDQRJFkdUbyBnZXQgeW91ciBvd24gY2VydGlm
-aWNhdGUgZm9yIEZSRUUgaGVhZCBvdmVyIHRvIGh0dHA6Ly93d3cuY2FjZXJ0Lm9y
-ZzAxBgNVHR8EKjAoMCagJKAihiBodHRwOi8vY3JsLmNhY2VydC5vcmcvcmV2b2tl
-LmNybDAzBglghkgBhvhCAQQEJhYkVVJJOmh0dHA6Ly9jcmwuY2FjZXJ0Lm9yZy9y
-ZXZva2UuY3JsMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYWaHR0cDovL29j
-c3AuY2FjZXJ0Lm9yZzAfBgNVHSMEGDAWgBQWtTIb1Mfz4OaO873SsDrusjkY0TAN
-BgkqhkiG9w0BAQsFAAOCAgEAR5zXs6IX01JTt7Rq3b+bNRUhbO9vGBMggczo7R0q
-Ih1kdhS6WzcrDoO6PkpuRg0L3qM7YQB6pw2V+ubzF7xl4C0HWltfzPTbzAHdJtja
-JQw7QaBlmAYpN2CLB6Jeg8q/1Xpgdw/+IP1GRwdg7xUpReUA482l4MH1kf0W0ad9
-4SuIfNWQHcdLApmno/SUh1bpZyeWrMnlhkGNDKMxCCQXQ360TwFHc8dfEAaq5ry6
-cZzm1oetrkSviE2qofxvv1VFiQ+9TX3/zkECCsUB/EjPM0lxFBmu9T5Ih+Eqns9i
-vmrEIQDv9tNyJHuLsDNqbUBal7OoiPZnXk9LH+qb+pLf1ofv5noy5vX2a5OKebHe
-+0Ex/A7e+G/HuOjVNqhZ9j5Nispfq9zNyOHGWD8ofj8DHwB50L1Xh5H+EbIoga/h
-JCQnRtxWkHP699T1JpLFYwapgplivF4TFv4fqp0nHTKC1x9gGrIgvuYJl1txIKmx
-XdfJzgscMzqpabhtHOMXOiwQBpWzyJkofF/w55e0LttZDBkEsilV/vW0CJsPs3eN
-aQF+iMWscGOkgLFlWsAS3HwyiYLNJo26aqyWPaIdc8E4ck7Sk08WrFrHIK3EHr4n
-1FZwmLpFAvucKqgl0hr+2jypyh5puA3KksHF3CsUzjMUvzxMhykh9zrMxQAHLBVr
-Gwc=
------END CERTIFICATE-----
diff-release-bug-1305 (25,355 bytes)

Ted

2018-11-01 22:53

administrator   ~0005638

Golffies left a review at https://github.com/CAcertOrg/cacert-devel/pull/9#pullrequestreview-170861329

Ted

2018-11-08 08:58

administrator   ~0005660

Benedikt (who was internal Auditor in 2016) has confirmed that the following certificates are the correct ones:

Root:
Serial 0000015
finger print: 07ed bd82 4a49 88cf ef42 15da 20d4 8c2b 41d7 1529 d7c9 00f5 7092 6f27 7cc2 30c5
file:
http://svn.cacert.org/CAcert/SystemAdministration/signer/re-sign-2016/outputs/new1.txt

Class 3:
Serial 0000014
finger print: f687 3d70 d675 96c2 acba 3440 1e69 738b 5270 1dd6 ab06 b497 49bc 5515 0936 d544
file:
http://svn.cacert.org/CAcert/SystemAdministration/signer/re-sign-2016/outputs/new3.text

Ted

2018-11-12 10:06

administrator   ~0005663

Benedikt also confirms that from his point of view the incident during the re-signing ceremony had no influence on the "trustworthiness" of the keys/certificates.

So, even if there were an Arbitration case about the details of the re-signing ceremony (I did not find one yet), I don't see any reason why the re-signed certificates should not be installed.

Ted

2018-11-12 22:04

administrator   ~0005665

As part of the review process I checked the differences between the "old" and the "new" root certificates:

1. Serial number: Old 0x0, New 0xf
2. Signature Algorithm: Old md5WithRSAEncryption, New: sha256WithRSAEncryption
3. X509v3 Authority Key Identifier: Old contains keyid, DirName and serial, New contains only keyid
4. X509v3 CRL Distribution Points: Old URI:https://www.cacert.org/revoke.crl, New URI:http://crl.cacert.org/revoke.crl
5. Netscape CA Revocation Url: Old https://www.cacert.org/revoke.crl, New URI:http://crl.cacert.org/revoke.crl
6. Authority Information Access: Old (not present), New OCSP - URI:http://ocsp.cacert.org
7. The signature obviously differs

Since there is no specification document about the intention of these changes I can only check for harmful side effects and guess about the intentions.

2. and 7. are obviously intended, these are direct consequences of using a different signing algorithm

1. Is a side effect of re-signing. Since RFC5280 requires that "[The serial number] MUST be unique for each certificate issued by a given CA" the serial number cannot be the same as in the old certificate. The exact value of the new serial number is not critical, as long as it remains unique.

4., 5. and 6. have probably been adjusted to the value which is included in currently issued "normal" certificates. Using http over https to retrieve the CRL makes more sense since the crl itself is signed.

I'm not sure about 3. https://tools.ietf.org/html/rfc5280#section-5.2.1 does not address using the issuer DN in the X509v3 Authority Key Identifier. Current versions of OpenSSL add it only "if the keyid option fails or is not included" (https://www.openssl.org/docs/man1.0.2/apps/x509v3_config.html), which is obviously not the case here.
So I guess the issuer DN in Authority Key Identifier is just not used anymore in current software.

Ted

2018-11-13 22:54

administrator   ~0005666

Wytze has provided a pointer to https://github.com/BenBE/cacert-procedures/blob/root-resign-sha256/rootResignSHA256/procedure.txt

While it does not explain the reasons, it makes clear that the observed changes are intentional.

An additional mail provided by Wytze plausibly explains the reasons of removing issuer and serial from X509v3 Authority Key Identifier. Specifically the serial number must be removed (or adjusted), since the new roots will have different serial numbers, so the serial in Authority Key Identifier would otherwise break the certificate chain.

alkas

2018-11-15 19:21

reporter   ~0005673

The difference between CAcert Class 3 Root #A418A and CAcert Class 3 Root #0E:

                                   #A418A                                  #0E
Serial number                      A418A                                   0E
Signature                          29:28:85:ae:44:a9:b9:af:a4...           5a:90:16:d0:36:23:56:64:95...
X509v3 Authority Key Identifier:
  keyid                            16:B5:32:1B:D4:C7:F3:E0:E6:8E:F3:BD:D2:B0:3A:EE:B2:39:18:D1 (identical in both)
  DirName                          /O=Root CA                              ---
                                   /OU=http://www.cacert.org
                                   /CN=CA Cert Signing Authority
                                   /emailAddress=support@cacert.org
  serial                           00                                      ---

Thus, only #A418A contains the serial number of CAcert Class 1 root # 00.
If the Class 3 Root #0E is used, there is only the http link in the following attribute (identical in both Class 3 roots):
X509v3 Basic Constraints: critical
                CA:TRUE
            Authority Information Access:
                OCSP - URI:http://ocsp.CAcert.org/
                CA Issuers - URI:http://www.CAcert.org/ca.crt
(where the file ca.crt contains the Class 1 Root #00)

Now, if the Class 3 Root #0E is used, and the file ca.crt is replaced by Class 1 Root #0F (SHA256 signed),
the Class 3 Root is no more tied with the specific (#00) Class 1 Root.
I have tried this certificate chain on my local network with 2 Web servers, no problems.
The chain is: CAcert Class 1 Root #0F +--> CAcert Class 3 Root #0E --> any certificate issued by Class 3 Root
                                                                  +--> any certificate issued by Class 1 Root
Issued client/server certificates do not contain any serial # of signing root(s).

Does anybody know of any objections against this concept?
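
The two comparisons above (Ted's seven-point diff of the old and new root in ~0005665, and alkas' observation that only Class 3 #A418A carries the root's serial in its Authority Key Identifier) can be checked mechanically rather than by eye. The script below is an added example for this page, not CAcert code, and uses only the Python standard library: a minimal definite-length DER walker run over the re-signed Class 1 root copied from the diff-release-bug-1305 attachment above. It extracts the serial, the signature algorithm OID (which appears twice in a certificate, inside the TBSCertificate and in the outer SEQUENCE, and must agree), the SKI, the AKI components present, the CRL distribution point URIs and the AIA access locations, and computes the SHA1 and SHA256 fingerprints in the four-character grouping used on the CAP forms. The aki_binds helper is this example's own model of the issuer keyid/serial match that path validators such as OpenSSL apply (OpenSSL reports a failure as an AKID issuer/serial mismatch); the AKI dictionaries handed to it in the usage note stand in for the two Class 3 roots and are constructed, not parsed from those certificates, which are not on this page.

```python
import base64
import hashlib
# Re-signed CAcert Class 1 root (serial 0x0F): base64 copied from the diff-release-bug-1305
# attachment above, three attachment lines per string literal, content unchanged.
NEW_ROOT_B64 = (
    "MIIG7jCCBNagAwIBAgIBDzANBgkqhkiG9w0BAQsFADB5MRAwDgYDVQQKEwdSb290IENBMR4wHAYDVQQLExVodHRwOi8vd3d3LmNhY2VydC5vcmcxIjAgBgNVBAMTGUNBIENlcnQgU2lnbmluZyBBdXRob3JpdHkxITAfBgkqhkiG9w0BCQEWEnN1cHBvcnRA"
    "Y2FjZXJ0Lm9yZzAeFw0wMzAzMzAxMjI5NDlaFw0zMzAzMjkxMjI5NDlaMHkxEDAOBgNVBAoTB1Jvb3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAGA1UEAxMZQ0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJ"
    "ARYSc3VwcG9ydEBjYWNlcnQub3JnMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAziLA4kZ97DYoB1CW8qAzQIxL8TtmPzHlawI229Z89vGIj053NgVBlfkJ8BLPRoZzYLdufujAWGSuzbCtRRcMY/pnCujW0r8+55jE8Ez64AO7NV1sId6eINm6"
    "zWYyN3L69wj1x81YyY7nDl7qPv4coRQKFWyGhFtkZip6qUtTefWIonvuLwphK42yfk1WpRPs6tqSnqxEQR5YYGUFZvjARL3LlPdCfgv3ZWiYUQXw8wWRBB0bF4LsyFe7w2t6iPGwcswlWyCR7BYCEo8y6RcYSNDHBS4CMEK4JZwFaz+qOqfrU0j36NK2B5jc"
    "G8Y0f3/JHIJ6BVgrCFvzOKKrF11myZjXnhCLotLddJr3cQxyYN/Nb5gznZY0dj4kepKwDpUeb+agRThHqtdB7Uq3EvbXG4OKDy7YCbZZ16oE/9KTfWgu3YtLq1i6L43qlaegw1SJpfvbi1EinbLDvhG+LJGGi5Z4rSDTii8aP8bQUWWHIbEZAWV/RRyH9XzQ"
    "QUxPKZgh/TMfdQwEUfoZd9vUFBzugcMd9Zi3aQaRIt0AUMyBMawSB3s42mhb5ivUfslfrejrckzzAeVLIL+aplfKkQABi6F1ITe1Yw1nPkZPcCBnzsXWWdsC4PDSy826YreQQejdIOQpvGQpQsgi3Hia/0PsmBsJUUtaWsJx8cTLc6nloQsCAwEAAaOCAX8w"
    "ggF7MB0GA1UdDgQWBBQWtTIb1Mfz4OaO873SsDrusjkY0TAPBgNVHRMBAf8EBTADAQH/MDQGCWCGSAGG+EIBCAQnFiVodHRwOi8vd3d3LmNhY2VydC5vcmcvaW5kZXgucGhwP2lkPTEwMFYGCWCGSAGG+EIBDQRJFkdUbyBnZXQgeW91ciBvd24gY2VydGlm"
    "aWNhdGUgZm9yIEZSRUUgaGVhZCBvdmVyIHRvIGh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzAxBgNVHR8EKjAoMCagJKAihiBodHRwOi8vY3JsLmNhY2VydC5vcmcvcmV2b2tlLmNybDAzBglghkgBhvhCAQQEJhYkVVJJOmh0dHA6Ly9jcmwuY2FjZXJ0Lm9yZy9y"
    "ZXZva2UuY3JsMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYWaHR0cDovL29jc3AuY2FjZXJ0Lm9yZzAfBgNVHSMEGDAWgBQWtTIb1Mfz4OaO873SsDrusjkY0TANBgkqhkiG9w0BAQsFAAOCAgEAR5zXs6IX01JTt7Rq3b+bNRUhbO9vGBMggczo7R0q"
    "Ih1kdhS6WzcrDoO6PkpuRg0L3qM7YQB6pw2V+ubzF7xl4C0HWltfzPTbzAHdJtjaJQw7QaBlmAYpN2CLB6Jeg8q/1Xpgdw/+IP1GRwdg7xUpReUA482l4MH1kf0W0ad94SuIfNWQHcdLApmno/SUh1bpZyeWrMnlhkGNDKMxCCQXQ360TwFHc8dfEAaq5ry6"
    "cZzm1oetrkSviE2qofxvv1VFiQ+9TX3/zkECCsUB/EjPM0lxFBmu9T5Ih+Eqns9ivmrEIQDv9tNyJHuLsDNqbUBal7OoiPZnXk9LH+qb+pLf1ofv5noy5vX2a5OKebHe+0Ex/A7e+G/HuOjVNqhZ9j5Nispfq9zNyOHGWD8ofj8DHwB50L1Xh5H+EbIoga/h"
    "JCQnRtxWkHP699T1JpLFYwapgplivF4TFv4fqp0nHTKC1x9gGrIgvuYJl1txIKmxXdfJzgscMzqpabhtHOMXOiwQBpWzyJkofF/w55e0LttZDBkEsilV/vW0CJsPs3eNaQF+iMWscGOkgLFlWsAS3HwyiYLNJo26aqyWPaIdc8E4ck7Sk08WrFrHIK3EHr4n"
    "1FZwmLpFAvucKqgl0hr+2jypyh5puA3KksHF3CsUzjMUvzxMhykh9zrMxQAHLBVrGwc="
)
NEW_ROOT_DER = base64.b64decode(NEW_ROOT_B64)

SHA256_WITH_RSA, SUBJECT_KEY_ID, AUTHORITY_KEY_ID = "1.2.840.113549.1.1.11", "2.5.29.14", "2.5.29.35"
CRL_DIST_POINTS, AUTHORITY_INFO_ACCESS, AD_OCSP = "2.5.29.31", "1.3.6.1.5.5.7.1.1", "1.3.6.1.5.5.7.48.1"


def der_tlv(buf, pos=0):
    """Return (tag, content, next_pos) for the definite-length DER TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(content):
    """Split the content octets of a constructed value into its (tag, content) children."""
    out, pos = [], 0
    while pos < len(content):
        tag, inner, pos = der_tlv(content, pos)
        out.append((tag, inner))
    return out


def oid_to_str(raw):
    """Decode OBJECT IDENTIFIER content octets into dotted notation."""
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def review_root(der):
    """Extract the fields compared in the review: serial, signature algorithm (TBS and outer), SKI,
    the AKI components present, CRL distribution point URIs and AIA access locations."""
    tbs, sig_alg, _signature = der_children(der_tlv(der)[1])
    fields = der_children(tbs[1])
    i = 1 if fields[0][0] == 0xA0 else 0     # v3 certificates lead with the EXPLICIT [0] version
    r = {"serial": int.from_bytes(fields[i][1], "big", signed=True),
         "tbs_sig_alg": oid_to_str(der_children(fields[i + 1][1])[0][1]),
         "sig_alg": oid_to_str(der_children(sig_alg[1])[0][1]),
         "ski": None, "aki": {}, "cdp": [], "aia": []}
    exts = fields[-1][1] if fields[-1][0] == 0xA3 else b""   # EXPLICIT [3] extensions, last TBS field
    for _, ext in (der_children(der_tlv(exts)[1]) if exts else []):
        parts = der_children(ext)            # extnID, optional critical BOOLEAN, extnValue OCTET STRING
        oid, body = oid_to_str(parts[0][1]), der_tlv(parts[-1][1])[1]
        if oid == SUBJECT_KEY_ID:
            r["ski"] = body.hex()
        elif oid == AUTHORITY_KEY_ID:        # [0] keyIdentifier, [1] authorityCertIssuer, [2] serial
            for t, v in der_children(body):
                r["aki"][{0x80: "keyid", 0xA1: "issuer", 0x82: "serial"}[t]] = v.hex()
        elif oid == CRL_DIST_POINTS:         # DistributionPoint > [0] distributionPoint > [0] fullName > [6] URI
            for _, dp in der_children(body):
                for t, v in der_children(dp):
                    for t2, names in (der_children(v) if t == 0xA0 else []):
                        if t2 == 0xA0:
                            r["cdp"] += [n.decode() for t3, n in der_children(names) if t3 == 0x86]
        elif oid == AUTHORITY_INFO_ACCESS:   # AccessDescription { accessMethod OID, accessLocation }
            for _, ad in der_children(body):
                method, loc = der_children(ad)
                if loc[0] == 0x86:
                    r["aia"].append((oid_to_str(method[1]), loc[1].decode()))
    return r


def fingerprint(der, algo):
    """Hash of the whole DER, grouped like the CAP forms; independent of the certificate's signature hash."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return " ".join(digest[i:i + 4] for i in range(0, len(digest), 4))


def aki_binds(aki, issuer_ski, issuer_serial):
    """Does a certificate carrying this AKI still match an issuer with this SKI and serial?  An AKI that
    also pins the issuer serial (Class 3 #A418A: serial 00) fails once the root is reissued as 0x0F."""
    return aki.get("keyid") == issuer_ski and ("serial" not in aki or int(aki["serial"], 16) == issuer_serial)


if __name__ == "__main__":
    print(review_root(NEW_ROOT_DER))
    print("SHA256:", fingerprint(NEW_ROOT_DER, "sha256"), "| SHA1:", fingerprint(NEW_ROOT_DER, "sha1"))
```

Running it prints the extracted fields and both fingerprints for the root above: serial 15, sha256WithRSAEncryption in both places, an AKI holding only the keyid (which equals the root's own SKI, as it must for a self-signed certificate), the plain-http CRL URL that avoids the RFC 5280 circular-dependency problem from the bug description, and the OCSP responder in the AIA. With ski = review_root(NEW_ROOT_DER)["ski"], aki_binds({"keyid": ski, "serial": "00"}, ski, 15) is False while aki_binds({"keyid": ski}, ski, 15) is True, which is the whole difference between Class 3 #A418A and #0E once the Class 1 root is reissued as #0F.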

Ted

2018-11-15 20:23

administrator   ~0005675

Hi alkas,

you are completely right, and were just a little bit faster than me in documenting these facts. :-)

As I found out while digging through the documentation, this issue has already been noticed during the tests in 2016, it just was not documented here in the bugtracker, but in some external documents.

Since the issue has been tested in 2016, and the whole thing is quite plausible, once someone explains it to you :-), I don't consider it essential to redo all the tests.

Of course you are nevertheless welcome to replicate the tests and report the results here. But IMHO this is not blocking the continuation of the review.

Ted

2018-11-15 22:14

administrator   ~0005677

Last edited: 2018-11-15 22:14

I had a look at the code changes in the bug-1305 branch from GitHub, and I'd propose a few changes:

* Remove the Windows Installer file CAcert_Root_Certificates_256.msi and the section referring to it. See my mail to the development list for detailed reasons.
* Remove the sections of the "old versions". The history of the root keys is documented in the WiKi page https://wiki.cacert.org/Roots/StateOverview

Of course the WiKi page has to be updated once we roll out bug-1305.

GuKKDevel

2018-11-16 15:53

updater   ~0005680

Certificates were renamed to correspond to their version, a new .msi installer was added, and the download page (pages/index/3.php) was changed to access the new certificates.

diff (6,678 bytes)
commit 37f1c36f3b13c7efa975ad351f2fde8dd4cbecae
Author: Karl-Heinz Gödderz (GuKKDevel) <Devel@GuKK-Online.de>
Date:   Fri Nov 16 16:35:36 2018 +0100

    Bug 1305; new certificates; rename certificates to corresponding version;
    changing pages/index/3 to access the new certs

diff --git a/pages/index/3.php b/pages/index/3.php
index af0c0f3..6c6ef80 100644
--- a/pages/index/3.php
+++ b/pages/index/3.php
@@ -18,66 +18,28 @@
 
 <p><?=sprintf(_("You are bound by the %s Root Distribution Licence %s for any re-distributions of CAcert's roots."),"<a href='/policy/RootDistributionLicense.html'>","</a>")?></p>
 
-<h1><?=_("re-signed versions from 2016 - ")?><a href="https://blog.cacert.org/2016/03/successful-root-re-sign/"><?=_("see blog")?></a></h1>
-<br>
-
 <h3><?=_("Windows Installer") ?></h3>
 <ul class="no_indent">
-	<li><? printf(_("%s Windows installer package %s for browsers that use the Windows certificate store %s (for example Internet Explorer, Chrome on Windows and Safari on Windows)"), '<a href="certs/CAcert_Root_Certificates_256.msi">', '</a>', '<br/>')?></li>
-	<li><?=_("SHA1 Hash:") ?> f27e06391e5cfd87200baa1a0f674a9725516a4f</li>
-	<li><?=_("SHA256 Hash:") ?> 412c5fa846da64a80148f788b5bb0b70517d6f12bfb133ae6a87cc6bd1921b90</li>
+	<li><? printf(_("%s Windows installer package %s for browsers that use the Windows certificate store %s (for example Internet Explorer, Chrome on Windows and Safari on Windows)"), '<a href="certs/CAcert_Root_Certificates_X0F_X0E.msi">', '</a>', '<br/>')?></li>
+	<li><?=_("SHA256 Hash:") ?> 0A87 5483 1472 4971 DB5C 85AF 5B01 92E5 2325 259A 1485 1CEF 4AB9 02EC 70BF A5D5</li>
 </ul>
 
 <h3><?=_("Class 1 PKI Key")?></h3>
 <ul class="no_indent">
-	<li><a href="certs/root_256.crt"><?=_("Root Certificate (PEM Format)")?></a></li>
-	<li><a href="certs/root_256.der"><?=_("Root Certificate (DER Format)")?></a></li>
-	<li><a href="certs/root_256.txt"><?=_("Root Certificate (Text Format)")?></a></li>
+	<li><a href="certs/root_X0F.crt"><?=_("Root Certificate (PEM Format)")?></a></li>
+	<li><a href="certs/root_X0F.der"><?=_("Root Certificate (DER Format)")?></a></li>
+	<li><a href="certs/root_X0F.txt"><?=_("Root Certificate (Text Format)")?></a></li>
 	<li><a href="<?=$_SERVER['HTTPS']?"https":"http"?>://crl.cacert.org/revoke.crl">CRL</a></li>
 	<li><?=_("SHA256 fingerprint:")?> 07ED BD82 4A49 88CF EF42 15DA 20D4 8C2B 41D7 1529 D7C9 00F5 7092 6F27 7CC2 30C5</li>
 </ul>
 
 <h3><?=_("Class 3 PKI Key")?></h3>
 <ul class="no_indent">
-	<li><a href="certs/class3_256.crt"><?=_("Intermediate Certificate (PEM Format)")?></a></li>
-	<li><a href="certs/class3_256.der"><?=_("Intermediate Certificate (DER Format)")?></a></li>
-	<li><a href="certs/class3_256.txt"><?=_("Intermediate Certificate (Text Format)")?></a></li>
+	<li><a href="certs/class3_X0E.crt"><?=_("Intermediate Certificate (PEM Format)")?></a></li>
+	<li><a href="certs/class3_X0E.der"><?=_("Intermediate Certificate (DER Format)")?></a></li>
+	<li><a href="certs/class3_X0E.txt"><?=_("Intermediate Certificate (Text Format)")?></a></li>
 	<li><a href="<?=$_SERVER['HTTPS']?"https":"http"?>://crl.cacert.org/class3-revoke.crl">CRL</a></li>
-	<li><?=_("SHA256 fingerprint:")?> F687 3D70 D675 96C2 ACBA 3440 1E69 738B 5270 1DD6 AB06 B497 49BC 5515 0936 D544</li>
-</ul>
-
-<h1><?=_("old versions")?></h1>
-<br>
-
-<h3><?=_("Windows Installer") ?></h3>
-<ul class="no_indent">
-	<li><? printf(_("%s Windows installer package %s for browsers that use the Windows certificate store %s (for example Internet Explorer, Chrome on Windows and Safari on Windows)"), '<a href="certs/CAcert_Root_Certificates.msi">', '</a>', '<br/>')?></li>
-	<li><?=_("SHA1 Hash:") ?> 2db1957db31aa0d778d1a65ea146760ee1e67611</li>
-	<li><?=_("SHA256 Hash:") ?> 88883f2e3117bae6f43922fbaef8501b94efe4143c12116244ca5d0c23bcbb16</li>
-</ul>
-
-<h3><?=_("Class 1 PKI Key")?></h3>
-<ul class="no_indent">
-	<li><a href="certs/root.crt"><?=_("Root Certificate (PEM Format)")?></a></li>
-	<li><a href="certs/root.der"><?=_("Root Certificate (DER Format)")?></a></li>
-	<li><a href="certs/root.txt"><?=_("Root Certificate (Text Format)")?></a></li>
-	<li><a href="<?=$_SERVER['HTTPS']?"https":"http"?>://crl.cacert.org/revoke.crl">CRL</a></li>
-	<li><?=_("SHA1 Fingerprint:")?> 13:5C:EC:36:F4:9C:B8:E9:3B:1A:B2:70:CD:80:88:46:76:CE:8F:33</li>
-	<li><?=_("MD5 Fingerprint:")?> A6:1B:37:5E:39:0D:9C:36:54:EE:BD:20:31:46:1F:6B</li>
-</ul>
-
-<h3><?=_("Class 3 PKI Key")?></h3>
-<ul class="no_indent">
-	<li><a href="certs/class3.crt"><?=_("Intermediate Certificate (PEM Format)")?></a></li>
-	<li><a href="certs/class3.der"><?=_("Intermediate Certificate (DER Format)")?></a></li>
-	<li><a href="certs/class3.txt"><?=_("Intermediate Certificate (Text Format)")?></a></li>
-	<li><a href="<?=$_SERVER['HTTPS']?"https":"http"?>://crl.cacert.org/class3-revoke.crl">CRL</a></li>
-<?php /*
-  class3 subroot fingerprint updated: 2011-05-23  class3 Re-sign project
-  https://wiki.cacert.org/Roots/Class3ResignProcedure/Migration
-*/ ?>
-	<li><?=_("SHA1 Fingerprint:")?> AD:7C:3F:64:FC:44:39:FE:F4:E9:0B:E8:F4:7C:6C:FA:8A:AD:FD:CE</li>
-	<li><?=_("MD5 Fingerprint:")?> F7:25:12:82:4E:67:B5:D0:8D:92:B7:7C:0B:86:7A:42</li>
+    <li><?=_("SHA256 fingerprint:")?> F687 3D70 D675 96C2 ACBA 3440 1E69 738B 5270 1DD6 AB06 B497 49BC 5515 0936 D544</li>
 </ul>
 
 <h3><?=_("GPG Key")?></h3>
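Review bot: the rewritten Class 1 and Class 3 lists in this hunk publish only a SHA256 fingerprint, and the Windows Installer entry drops its SHA1 hash line, while the removed "old versions" block carried SHA1 (and MD5) fingerprints; a reader whose tool shows only a SHA1 fingerprint then has nothing on the page to compare against, so add a `SHA1 fingerprint:` item under each certificate alongside the SHA256 one. Two smaller points in the same hunk: the new installer hash is printed as spaced upper-case groups (`0A87 5483 1472 ...`) where the line it replaces used a contiguous lower-case digest, and the Class 3 fingerprint item at the end of the hunk is indented with four spaces where every sibling `<li>` uses a tab; align both with the surrounding lines.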
diff --git a/www/certs/CAcert_Root_Certificates_256.msi b/www/certs/CAcert_Root_Certificates_X0F_X0E.msi
similarity index 99%
rename from www/certs/CAcert_Root_Certificates_256.msi
rename to www/certs/CAcert_Root_Certificates_X0F_X0E.msi
index e94d8fc..19f2593 100644
Binary files a/www/certs/CAcert_Root_Certificates_256.msi and b/www/certs/CAcert_Root_Certificates_X0F_X0E.msi differ
diff --git a/www/certs/class3_256.crt b/www/certs/class3_X0E.crt
similarity index 100%
rename from www/certs/class3_256.crt
rename to www/certs/class3_X0E.crt
diff --git a/www/certs/class3_256.der b/www/certs/class3_X0E.der
similarity index 100%
rename from www/certs/class3_256.der
rename to www/certs/class3_X0E.der
diff --git a/www/certs/class3_256.txt b/www/certs/class3_X0E.txt
similarity index 100%
rename from www/certs/class3_256.txt
rename to www/certs/class3_X0E.txt
diff --git a/www/certs/root_256.crt b/www/certs/root_X0F.crt
similarity index 100%
rename from www/certs/root_256.crt
rename to www/certs/root_X0F.crt
diff --git a/www/certs/root_256.der b/www/certs/root_X0F.der
similarity index 100%
rename from www/certs/root_256.der
rename to www/certs/root_X0F.der
diff --git a/www/certs/root_256.txt b/www/certs/root_X0F.txt
similarity index 100%
rename from www/certs/root_256.txt
rename to www/certs/root_X0F.txt
CAcert_Root_Certificates_X0F_X0E.msi (1,593,344 bytes)

alkas

2018-11-18 00:43

reporter   ~0005683

Two more formats:

CAcert_chain_X0F_X0E.pem (7,503 bytes)
cacert-bundle_X0F_X0E.crt (16,180 bytes)

Ted

2018-11-19 22:54

administrator   ~0005686

GuKKDevel: The fingerprints in the CAP and COAP forms have to be adjusted to the new root certs. See www/cap* and www/coap*

I'd propose to add a "(since 2019)" text beside the fingerprints, so people may get the idea that the change was intentional...

If you want to discuss this drop a message to the development list.

Ted

2018-11-23 20:59

administrator   ~0005687

Mental note: The updated certificates have to be installed on the signer machine also!

wytze

2018-11-24 08:22

developer   ~0005688

With respect to note https://bugs.cacert.org/view.php?id=1305#c5687 :
I agree that for consistency the updated root certificates should also be installed on the signer machine, but please note that for the operation of the signer this does not make any difference. The certificates issued by the signer only depend on the ssl configuration files and the root private key; the root certificate has no influence on this. The practical consequence of this is that installation of the updated root certificates can be postponed (or advanced) to a convenient moment (i.e. the need for other maintenance on the signing server), and does not have to be coordinated with the publication/installation of the updated roots on the webdb server.

Ted

2018-11-28 11:21

administrator   ~0005690

GuKK: I merged your changes (only the cap*/coap*-Files) into the test-1260 branch which is installed on the testserver.

Now you can open the CAP forms in the testserver, and you'll see the next problem: The SHA256 checksums are considerably longer than the old MD5 ones.

So we'll probably need them on two lines. But then we have to make sure that the resulting form still fits one A4 / Letter page (at least when using the english form)... So, probably, you'll have to dig around a bit more... :-(

GuKKDevel

2018-11-30 13:16

updater   ~0005691

Worked on cap.php:
split the fingerprint line into two;
the form fits A4 and Letter.

All other cap*/coap* files: couldn't find a link to them, so waiting for an answer from Wytze, who designed them.

wytze

2018-12-02 08:10

developer   ~0005692

There appears to be a serious misunderstanding here ... I am *not* the author or designer of the cap/coap files. Inside for example capnew.php you can find a statement about the origin of these files:

/*
** Created from old cap.php 2003, which used the now obsoleted ftpdf package
** First created: 12 July 2008
** Last change: see Revision date
** Reviews:
** printed text by Ian Grigg and Teus Hagen (July 2008)
** layout/design by Teus Hagen and Johan Vromans (July 2008)
** coding by Teus Hagen and ...

Teus Hagen, former president of CAcert Inc. is the main author as far as I remember, but he is not involved anymore with CAcert. These files were meant as a replacement for the old forms, which are based on software which was already obsolete in 2008, and even more so in 2018. But nobody in software was ever prepared to spend some time to switch over to the new versions. So they are in the source tree, but not actually used.

There is no urgent need to update these files. If someone ever decides to switch over to them, adjusting the fingerprint text will be a minor effort.

By the way, I am kind of surprised that the fingerprint layout issue has been raised. There is no real need to display SHA256 fingerprints rather than SHA1 fingerprints for the new roots, the hash algo for the fingerprint does not need to match the hash algo of the certificate's signature (note that currently they also don't match: MD5 vs SHA1). Just updating the SHA1 fingerprints would have been fine I think.

Ted

2018-12-03 20:25

administrator   ~0005693

Hmm, I checked what I had in easy reach to find out which kind of fingerprint/checksum is shown by different software:
Windows 7: SHA1
Windows 10: SHA256
Firefox: SHA1 & SHA256

So, I guess it's OK to move to SHA256 only fingerprints on the CAP forms...

Ted

2018-12-03 20:36

administrator   ~0005694

GuKK: The PDF in letter format is quite full now... Is it easy to reduce the space above the upper box a bit (maybe half), so there's a bit of reserve at the bottom? Some translations need more room than the english document...

And, when looking at the german PDF I noticed that at least the CCA agreement term is set in block, which does not look very nice here. It has probably been so forever, but, as above, if it is not much work please change this to ragged margin ("Flattersatz") while we are at it.

Once more, both of these are nice to have. I'd prefer to get the certs online without these changes in December to getting them online with the changes in January...

jandd

2018-12-03 20:40

administrator   ~0005695

openssl 1.1.0g x509 -fingerprint: SHA1
JDK 8 keytool -printcert: SHA1 & SHA256
gnutls 3.5.18 certtool --fingerprint: SHA1

I suggest to put both SHA1 and SHA256 fingerprints on the CAP forms

alkas

2018-12-03 21:36

reporter   ~0005698

AFAIK, Windows 10 shows SHA1 fingerprint, too - in system cert. viewer - mmc, module Certificates, select and open cert., view Details, at the end is Fingerprint.

GuKKDevel

2018-12-07 12:27

updater   ~0005699

Ted: It is designed explicitly to place the two boxes "Applicant's Statement" and "CAcert Assurer" at exactly the positions where they are, we shouldn't change that.

The other point: if we make this line two lines for all languages there is no problem. Otherwise I need to find out how to mask a space/blank, or we have to change the pootle files to append a space to one literal.
I tried some versions for a whole day. (I think we should not implement this for the moment.)

Ted

2018-12-07 22:48

administrator   ~0005700

As decided on today's meeting (https://wiki.cacert.org/Software/Meeting/20181207) we want to add SHA1 fingerprints.

The rest of the formatting issues is considered low priority.

GuKKDevel

2018-12-10 13:13

updater   ~0005701

Ted: fingerprints are on the CAP form. Please check and, if correct, add to the testserver.

https://github.com/CAcertOrg/cacert-devel/pull/19/commits/ca4e5f03eef4a8a174437fb065a967ce92dab847

Ted

2018-12-12 19:38

administrator   ~0005702

Current changes are installed on the testserver in branch test-1442.

I checked the german and the english PDF, both are OK, the SHA1 fingerprints match with what I get shown on Windows 7.

Now we need at least two test reports of other people (not the developer and the reviewers), so please test the CAP forms on https://test.cacert.org/index.php and leave reports!

bdmc

2018-12-13 15:28

developer   ~0005703

Where do I find documented the appropriate fingerprints for the SHA-256 Root and Class 3 certificates? I would expect them to be noted in this "Bug" documentation, perhaps in the "Instructions for Testers," so that testers could confirm the values found on forms and other places.

bdmc

2018-12-13 15:29

developer   ~0005704

I see on the US-English CAP Form that the address is "Oatley." Is this correct?

bdmc

2018-12-13 15:31

developer   ~0005705

I see the following values on the CAP PDF.

SHA256: root: 07ED BD82 4A49 88CF EF42 15DA 20D4 8C2B 41D7 1529 D7C9 00F5 7092 6F27 7CC2 30C5
and class3: F687 3D70 D675 96C2 ACBA 3440 1E69 738B 5270 1DD6 AB06 B497 49BC 5515 0936 D544

kronenpj

2018-12-13 21:57

reporter   ~0005706

The SHA1 and SHA256 checksums are correctly represented in the CAP files, based on the certificates attached as https://bugs.cacert.org/file_download.php?file_id=452&type=bug and https://bugs.cacert.org/file_download.php?file_id=453&type=bug. I did not check the .msi file.

L10N

2018-12-13 22:03

reporter   ~0005707

I found this overview on the wiki:
https://wiki.cacert.org/Roots/StateOverview

L10N

2018-12-13 22:59

reporter   ~0005708

No, Oatley is outdated. The current address is:
Hangar 10 Airfield Avenue, Murwillumbah NSW 2484, New South Wales, (Commonwealth of) Australia

GuKKDevel

2018-12-14 11:39

updater   ~0005709

Changed the address of CAcert Inc. and changed the sha1-fingerprints presentation from 2-char plus colons to 4-chars plus space.

alkas

2018-12-14 12:30

reporter   ~0005710

The new version of CAcert root certificates (zipped) and Czech new versions of CAPs. Please have a look.

CAcert_Root_Certificates_X0F_X0E.zip (354,216 bytes)
cap_X0F_X0E.docx (56,714 bytes)
cap-blank_X0F_X0E.docx (56,816 bytes)

alkas

2018-12-14 12:47

reporter   ~0005711

PDF versions:

cap_X0F_X0E.pdf (677,261 bytes)
cap-blank_X0F_X0E.pdf (602,157 bytes)

L10N

2018-12-14 13:11

reporter   ~0005712

I tested CAcert_Root_Certificates_X0F_X0E.zip
- on Windows 10 Pro, version 1803: unzip, start; there was a warning with a button to abort, I clicked on more information to see another button to proceed anyway, which I did. Then I uninstalled the root certs. It finished with an error message: "Error." and two buttons: Yes, No. I clicked on Yes and closed the installer.
I restarted the installer. As there were no more CAcert root certs installed, a window asked me to accept the root distribution license. I did; installation was successful.

- on Windows 7 Starter 6.1 version 7601: start the installer, security warning, accept licence, install process with a window telling me information about the cert being installed. Clicked OK. Installation was successful.

L10N

2018-12-14 14:39

reporter   ~0005713

Aleš wrote (by mail): "It’s better to install the roots as anybody with the Administrator’s rights, The Yes-No dialog then will not appear, I guess."

As I have no admin rights on my employer's PC, I cannot re-test it this way.

Ted

2018-12-16 21:40

administrator   ~0005715

New changes are installed on the testserver: Corrected CAcert postal address and format of fingerprints in the CAP forms

bdmc

2019-01-18 21:13

developer   ~0005738

Just examined the test server, and the current version appears correct.

The certificate SHA-256 fingerprints on Page 3, and all four CAP forms, agree in format and content.

The certificate downloaded also appears correct, with the correct serial number and SHA256.

The four CAP forms have the correct mailing address.

alkas

2019-01-21 16:08

reporter   ~0005740

The Wiki pages /CapHTML and /CoapHTML contain both old signatures and CAcert's "classical post" address in Australia.

L10N

2019-01-21 22:16

reporter   ~0005741

The Wiki page /CapHTML is updated as follows:
- old Oatley postal address replaced by Murwillumbah address
- new sha256 signed fingerprints added (old ones remaining, as form is already online, to be removed after certificate roll out)

The Wiki page /CoapHTML is updated as follows:
- very old Denistone East postal address replaced by Murwillumbah address
- new sha256 signed fingerprints added (old ones remaining, as form is already online, to be removed after certificate roll out)

Fingerprints added to both forms:
class 1: DDFC DA54 1E75 77AD DCA8 7E88 27A9 8A50 6032 52A5
class 3: A7C4 8FBE 6B02 6DBD 0EC1 B465 B88D D813 EE1D EFA0

Ted

2019-02-14 20:43

administrator   ~0005770

merged updated release branch into bug-1305

Ted

2019-02-14 21:23

administrator   ~0005771

Last edited: 2019-02-14 21:24

Karl-Heinz, can you add the SHA1-fingerprints to pages/index/3.php and set CAcert's correct postal address in
www/cap.html.php
www/capnew.php
www/coap.html.php
www/coapnew.php

Though I don't know exactly when these pages are used, we should not have documents with the outdated postal address on the main server.

The c(o)ap* files also miss the SHA1 fingerprint. I'd propose to add them while you are already at it. But that's less important at the moment, if problems (for example with formatting) should occur please just add a note here and concentrate on more important things.

bdmc

2019-03-08 01:24

developer   ~0005780

I have updated the address in all of the above four files.

However, they also appear to contain the SHA1 fingerprints already. Perhaps someone else did that.

Ted

2019-03-12 22:51

administrator   ~0005781

Changes are merged into test-1442 branch and installed on https://test.cacert.org

Ted

2019-03-17 22:28

administrator   ~0005782

Brian, in pages/index/3.php the sha1 checksum is still missing. Can you add it?

bdmc

2019-03-19 18:23

developer   ~0005783

Done and checked in.

Ted

2019-03-31 13:31

administrator   ~0005784

Last edited: 2019-03-31 13:37

Brian pointed me to the GPG signed message on the key download page (pages/index/3.php), which still uses the old fingerprints.

Since at the moment I don't know who may create a new message of this kind (access to the signer machine would probably be needed!) I asked Brian to remove the message from the page.
If we find a way to create a GPG message with the new fingerprints (now or later) it would make sense to add it once more.

The second GPG message is, more or less, a "self signature of the GPG key". While IMHO this is not really useful, it does not hurt, so I'd keep it.

bdmc

2019-03-31 14:33

developer   ~0005785

In one of my versions of my "fix," I had removed that heading, but in the final one I had put it back.

It is now moved to within the "commented out section," and a comment has been added, trying to explain what we did.

All checked in.

Ted

2019-03-31 15:07

administrator   ~0005786

Great! I'll have a look at it during the next hours...

Ted

2019-03-31 18:37

administrator   ~0005787

Reviewed commit da4c71a246b80f399f3a12823ac03fa8c40f42bb versus current release commit 8ab79aad9fd3685129060854340dccd5dbf01a1d

Though some formatting problems remain, especially in www/capnew.php the review is PASSED

wytze

2019-04-01 12:46

developer   ~0005788

With respect to https://bugs.cacert.org/view.php?id=1305#c5784:

The procedure for generating these GPG signatures is documented in https://bugs.cacert.org/view.php?id=1254

The script mentioned there was left on the signer after its execution on Nov 11, 2014, and could be run again after installing re-signed certs on the signer. Obviously this does require a visit to the signer machine by two critical system administrators and one access engineer.

dastrath

2019-04-05 20:39

administrator   ~0005790

There are some format issues (especially in www/capnew.php), but as this CAP form is (normally) not in use, the review is PASSED.

PGP/GnuPG-signatures are currently commented out, but can be added at a later time (as this requires a visit of the signer, can be done together with another bug).

Ted

2019-04-07 12:43

administrator   ~0005792

Sent patch request to critical team, but without CAcert_Root_Certificates_X0F_X0E.msi, since I don't know how I should review that...

wytze

2019-04-10 10:19

developer   ~0005793

The patches have been installed on the production server on April 10, 2019, including the re-signed root certificates.
See also the log message sent to the cacert-systemlog mailing list here: https://lists.cacert.org/wws/arc/cacert-systemlog/2019-04/msg00002.html

wytze

2019-04-10 10:21

developer   ~0005794

See note https://bugs.cacert.org/view.php?id=1305#c5793

wytze

2019-04-10 10:30

developer   ~0005795

One thing to note: since the patch has added the re-signed root certificates with new names to the system and left the old root certificates in place under their original names, it is still possible that users and applications retrieve the old root certificates. And observing the Apache2 access log, this is indeed the case -- clearly there are some applications which have these names/paths built-in. They will not benefit from this patch.
To tackle this problem, one could consider changing the old certificates to copies of their new counterparts, so users and applications will retrieve the new version irrespective of the name/path used.

Ted

2019-04-10 18:54

administrator   ~0005796

According to Wytze's note I re-open this case to create a follow-up patch.

Ted

2019-04-10 19:03

administrator   ~0005797

Last edited: 2019-04-10 19:04

Probably the easiest solution will be to rename the old certificate files to something else (like root_X00.* and class3_XA418A.*) and copy the new files to the old names also. So in the future we'll use root.* and class3.* for the "current" certificates, and in addition make the whole history of certificates available using the names with attached serial numbers.

bdmc

2019-04-11 00:05

developer   ~0005798

As discussed above, I have renamed the old certificate files to include their Serial Numbers in the file name.

I have also copied the current, latest, certificate files to "root.crt" and "class3.crt" to allow for systems that do not properly follow the URI.

bdmc

2019-04-11 00:06

developer   ~0005799

Changed and checked in as per your notes.

alkas

2019-04-11 17:27

reporter   ~0005800

I had CAcert issue a new certificate yesterday evening. I then received the following e-mail, containing two fingerprints of CAcert root(s?).
The first fingerprint belongs to an unknown certificate, and the second fingerprint belongs to the old Class 1 root.
I guess that should be corrected.
----
Hi Aleš,

You can collect your certificate for alkas@volny.cz by going to the following location:

https://www.cacert.org/account.php?id=6&cert=645849

If you have not imported CAcert's root certificate, please go to:
https://www.cacert.org/index.php?id=3
Root cert fingerprint = A6:1B:37:5E:39:0D:9C:36:54:EE:BD:20:31:46:1F:6B
Root cert fingerprint = 135C EC36 F49C B8E9 3B1A B270 CD80 8846 76CE 8F33

Best regards
CAcert.org Support!

wytze

2019-04-12 08:57

developer   ~0005801

With respect to https://bugs.cacert.org/view.php?id=1305#c5800 :
- the first fingerprint shown is the MD5 fingerprint of the "old" root certificate
- the second fingerprint shown is the SHA1 fingerprint of the "old" root certificate
- clearly these messages should be replaced by:
  SHA256 fingerprint: 07ED BD82 4A49 88CF EF42 15DA 20D4 8C2B 41D7 1529 D7C9 00F5 7092 6F27 7CC2 30C5
  SHA1 fingerprint: DDFC DA54 1E75 77AD DCA8 7E88 27A9 8A50 6032 52A5
- the affected source file is CommModule/client.pl

bdmc

2019-04-12 16:16

developer   ~0005802

client.pl has been corrected and checked in.

Ted

2019-04-15 19:52

administrator   ~0005803

Last edited: 2019-04-15 19:53


A grep for the old fingerprints returns more hits in files www/ttp.php, pages/index/3.php and pages/index/16.php. 3.php and 16.php include the fingerprint also in a PGP signed message, which should be commented out completely...

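The two notes above (wytze's identification of the mailed fingerprints as the MD5 and SHA-1 fingerprints of the old root, and Ted's grep for remaining copies of them) both come down to the same two operations: recognising a fingerprint by its digest length and comparing fingerprints regardless of whether they are written as colon-separated pairs or space-separated groups of four. The script below is an added example and is not part of the CAcert code base; it recomputes a certificate's fingerprint from its DER encoding the way `openssl x509 -fingerprint` does, checks a claimed fingerprint against it, and scans text for stale fingerprints in any formatting. The PEM "certificate" it hashes is a constructed placeholder (arbitrary bytes), since a fingerprint is simply a hash over the DER bytes; the sample mail text reuses the fingerprint lines quoted in this issue.

```python
import base64
import hashlib
import re
import textwrap
from typing import List, Tuple

# A fingerprint's algorithm follows from its length: 16 bytes MD5, 20 SHA-1, 32 SHA-256.
ALGO_BY_LEN = {16: "md5", 20: "sha1", 32: "sha256"}

# Runs of hex pairs separated by nothing, a colon or a space (OpenSSL style and
# the grouped-by-four style used in the CAcert mails).
FP_PATTERN = re.compile(r"(?:[0-9A-Fa-f]{2}[: ]?){16,}")

# The old Class 1 root fingerprints as printed in the certificate mail (from this issue).
OLD_ROOT_FINGERPRINTS = [
    "A6:1B:37:5E:39:0D:9C:36:54:EE:BD:20:31:46:1F:6B",            # MD5
    "135C EC36 F49C B8E9 3B1A B270 CD80 8846 76CE 8F33",          # SHA-1
]


def normalize_fingerprint(text: str) -> str:
    """Drop separators and case so 'A6:1B:..' and 'a61b ..' compare equal."""
    return re.sub(r"[^0-9a-fA-F]", "", text).lower()


def fingerprint_algorithm(fp: str) -> str:
    """Name the hash that produced a fingerprint, judged by its digest length."""
    hexstr = normalize_fingerprint(fp)
    if len(hexstr) % 2:
        raise ValueError("odd number of hex digits in fingerprint")
    nbytes = len(hexstr) // 2
    if nbytes not in ALGO_BY_LEN:
        raise ValueError(f"unrecognised fingerprint length: {nbytes} bytes")
    return ALGO_BY_LEN[nbytes]


def pem_to_der(pem: str) -> bytes:
    """Return the DER bytes of the first CERTIFICATE block in a PEM string."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def cert_fingerprint(der: bytes, algo: str) -> str:
    """Fingerprint in OpenSSL's format: upper-case hex pairs joined by colons."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_matches(der: bytes, claimed: str) -> bool:
    """Check a claimed fingerprint against the certificate, picking the hash by length."""
    algo = fingerprint_algorithm(claimed)
    return normalize_fingerprint(cert_fingerprint(der, algo)) == normalize_fingerprint(claimed)


def find_stale_fingerprints(text: str, stale: List[str]) -> List[Tuple[int, str]]:
    """Return (line number, matched text) for every stale fingerprint, whatever its formatting."""
    wanted = {normalize_fingerprint(s) for s in stale}
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in FP_PATTERN.finditer(line):
            if normalize_fingerprint(m.group(0)) in wanted:
                hits.append((lineno, m.group(0).strip()))
    return hits


# Constructed stand-in for a certificate's DER encoding (not a real certificate).
SAMPLE_DER = bytes(range(256))
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + "\n".join(textwrap.wrap(base64.b64encode(SAMPLE_DER).decode(), 64))
              + "\n-----END CERTIFICATE-----\n")

# Constructed excerpt of the certificate mail, reusing the lines quoted in this issue.
SAMPLE_MAIL = """\
If you have not imported CAcert's root certificate, please go to:
https://www.cacert.org/index.php?id=3
Root cert fingerprint = A6:1B:37:5E:39:0D:9C:36:54:EE:BD:20:31:46:1F:6B
Root cert fingerprint = 135C EC36 F49C B8E9 3B1A B270 CD80 8846 76CE 8F33
SHA256 fingerprint: 07ED BD82 4A49 88CF EF42 15DA 20D4 8C2B 41D7 1529 D7C9 00F5 7092 6F27 7CC2 30C5
"""

if __name__ == "__main__":
    for fp in OLD_ROOT_FINGERPRINTS:
        print(fingerprint_algorithm(fp), fp)
    der = pem_to_der(SAMPLE_PEM)
    print("SHA256 of placeholder cert:", cert_fingerprint(der, "sha256"))
    for lineno, match in find_stale_fingerprints(SAMPLE_MAIL, OLD_ROOT_FINGERPRINTS):
        print(f"stale fingerprint on line {lineno}: {match}")
```

Pointed at the real root file (`pem_to_der(open("root.crt").read())`) and at the source tree instead of `SAMPLE_MAIL`, the same two functions verify that a fingerprint printed anywhere on the site actually belongs to the certificate being served under that name, and locate leftovers that a plain grep for one spelling of the fingerprint misses.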
bdmc

2019-04-26 14:08

developer   ~0005804

There is a reference in 16.php to 17.php, which is intended to install the Microsoft Certificate.

Should this be removed?

bdmc

2019-04-26 14:25

developer   ~0005805

Files ttp.php and 16.php have been corrected and checked in.

The reference found in 3.php is inside the commented out message about the GPG signature.

Ted

2019-05-14 20:17

administrator   ~0005809

The fixes of bug-1305 branch have been merged into the (old) testserver. Please try and check if the reported problems of wytze and alkas (and myself) are fixed, and report here!

alkas

2019-05-25 21:03

reporter   ~0005810

The old fingerprints are in letters like this:
--------------------------------------
Hi <user>,

You can collect your certificate for <user-email> by going to the following location:

https://www.cacert.org/account.php?id=15&cert=797035

If you have not imported CAcert's root certificate, please go to:
https://www.cacert.org/index.php?id=3
Root cert fingerprint = A6:1B:37:5E:39:0D:9C:36:54:EE:BD:20:31:46:1F:6B
Root cert fingerprint = 135C EC36 F49C B8E9 3B1A B270 CD80 8846 76CE 8F33

Best regards
CAcert.org Support!

L10N

2019-05-26 18:18

reporter   ~0005811

Where is the text of this e-mail stored?

GuKKDevel

2019-05-27 08:29

updater   ~0005812

Message comes from -> CommModule/client.pl

GuKKDevel

2019-05-27 08:55

updater   ~0005813

should be correct, see https://github.com/CAcertOrg/cacert-devel/blob/bug-1305/CommModule/client.pl

bdmc

2019-05-31 04:40

developer   ~0005814

client.pl should have been corrected in the April 12th check-in.

Ted

2019-07-04 23:05

administrator   ~0005815

After some hassle, the (old) testserver is now running the modified client.pl

I created one certificate, and the mail (on mgr.test.cacert.org:14843) contained the new checksums. It looked acceptable, though not really nice...

Any other test reports?

Issue History

Date Modified Username Field Change
2014-09-15 14:07 wytze New Issue
2014-09-15 14:07 wytze File Added: crl-redirect-issue.log
2014-09-15 14:23 wytze Steps to Reproduce Updated View Revisions
2014-09-15 14:23 wytze Steps to Reproduce Updated View Revisions
2014-10-03 07:43 wytze Description Updated View Revisions
2014-10-03 07:44 wytze Description Updated View Revisions
2014-10-04 09:58 Ruel Print Tag Attached: certificates
2014-10-04 09:58 Ruel Print File Added: Global Sign.p7b
2015-11-25 20:47 INOPIAE Relationship added related to 0001245
2015-11-25 20:47 INOPIAE Relationship deleted related to 0001245
2015-11-25 20:47 INOPIAE Relationship added related to 0001254
2015-11-25 23:53 felixd Note Added: 0005486
2015-12-14 21:58 felixd Note Added: 0005492
2016-02-05 09:50 cilap Note Added: 0005495
2016-03-14 17:00 reinhardm Note Added: 0005512
2017-04-04 16:12 bjobjo Note Added: 0005542
2017-04-04 16:12 bjobjo Priority normal => urgent
2017-04-04 16:12 bjobjo Severity minor => major
2017-04-05 07:54 wytze Assigned To => dastrath
2018-04-18 21:37 dops Note Added: 0005586
2018-10-31 13:03 GuKKDevel File Added: diff-release-bug-1305
2018-10-31 13:03 GuKKDevel Note Added: 0005628
2018-11-01 05:13 GuKKDevel Status new => needs review & testing
2018-11-01 22:53 Ted Note Added: 0005638
2018-11-07 10:23 GuKKDevel Relationship added related to 0001447
2018-11-07 10:23 GuKKDevel Relationship replaced child of 0001447
2018-11-08 08:58 Ted Note Added: 0005660
2018-11-12 10:06 Ted Note Added: 0005663
2018-11-12 22:04 Ted Note Added: 0005665
2018-11-13 22:54 Ted Note Added: 0005666
2018-11-15 19:21 alkas Note Added: 0005673
2018-11-15 20:23 Ted Status needs review & testing => needs review
2018-11-15 20:23 Ted Note Added: 0005675
2018-11-15 22:14 Ted Assigned To dastrath => GuKKDevel
2018-11-15 22:14 Ted Status needs review => needs work
2018-11-15 22:14 Ted Note Added: 0005677
2018-11-15 22:14 Ted Note Edited: 0005677 View Revisions
2018-11-16 10:37 GuKKDevel Relationship added related to 0001194
2018-11-16 15:53 GuKKDevel File Added: diff
2018-11-16 15:53 GuKKDevel File Added: CAcert_Root_Certificates_X0F_X0E.msi
2018-11-16 15:53 GuKKDevel Note Added: 0005680
2018-11-16 15:54 GuKKDevel Status needs work => needs review & testing
2018-11-18 00:43 alkas File Added: CAcert_chain_X0F_X0E.pem
2018-11-18 00:43 alkas File Added: cacert-bundle_X0F_X0E.crt
2018-11-18 00:43 alkas Note Added: 0005683
2018-11-19 22:54 Ted Note Added: 0005686
2018-11-23 20:59 Ted Note Added: 0005687
2018-11-24 08:22 wytze Note Added: 0005688
2018-11-28 11:21 Ted Note Added: 0005690
2018-11-30 13:16 GuKKDevel Note Added: 0005691
2018-12-02 08:10 wytze Note Added: 0005692
2018-12-02 10:55 GuKKDevel Note View State: 0005691: private
2018-12-02 10:55 GuKKDevel Note View State: 0005691: public
2018-12-03 20:25 Ted Note Added: 0005693
2018-12-03 20:36 Ted Note Added: 0005694
2018-12-03 20:40 jandd Note Added: 0005695
2018-12-03 21:36 alkas File Added: Poznámka 2018-12-03 223514.jpg
2018-12-03 21:36 alkas Note Added: 0005698
2018-12-07 12:27 GuKKDevel Note Added: 0005699
2018-12-07 22:48 Ted Note Added: 0005700
2018-12-10 13:13 GuKKDevel Note Added: 0005701
2018-12-12 19:38 Ted Note Added: 0005702
2018-12-13 15:28 bdmc Note Added: 0005703
2018-12-13 15:29 bdmc Note Added: 0005704
2018-12-13 15:31 bdmc Note Added: 0005705
2018-12-13 21:57 kronenpj Note Added: 0005706
2018-12-13 22:03 L10N Note Added: 0005707
2018-12-13 22:59 L10N Note Added: 0005708
2018-12-14 11:39 GuKKDevel Note Added: 0005709
2018-12-14 12:30 alkas File Added: CAcert_Root_Certificates_X0F_X0E.zip
2018-12-14 12:30 alkas File Added: cap_X0F_X0E.docx
2018-12-14 12:30 alkas File Added: cap-blank_X0F_X0E.docx
2018-12-14 12:30 alkas Note Added: 0005710
2018-12-14 12:47 alkas File Added: cap_X0F_X0E.pdf
2018-12-14 12:47 alkas File Added: cap-blank_X0F_X0E.pdf
2018-12-14 12:47 alkas Note Added: 0005711
2018-12-14 13:11 L10N Note Added: 0005712
2018-12-14 14:39 L10N Note Added: 0005713
2018-12-16 21:40 Ted Note Added: 0005715
2019-01-18 21:13 bdmc Note Added: 0005738
2019-01-21 16:08 alkas Note Added: 0005740
2019-01-21 22:16 L10N Note Added: 0005741
2019-02-14 20:43 Ted Note Added: 0005770
2019-02-14 20:43 Ted Assigned To GuKKDevel => Ted
2019-02-14 20:57 Ted Assigned To Ted => GuKKDevel
2019-02-14 21:23 Ted Note Added: 0005771
2019-02-14 21:24 Ted Note Edited: 0005771 View Revisions
2019-02-28 10:02 GuKKDevel Assigned To GuKKDevel => wytze
2019-02-28 10:03 GuKKDevel Assigned To wytze => bdmc
2019-03-08 01:24 bdmc Note Added: 0005780
2019-03-12 22:51 Ted Note Added: 0005781
2019-03-17 22:28 Ted Note Added: 0005782
2019-03-19 18:23 bdmc Note Added: 0005783
2019-03-31 13:31 Ted Note Added: 0005784
2019-03-31 13:37 Ted Note Edited: 0005784 View Revisions
2019-03-31 14:33 bdmc Note Added: 0005785
2019-03-31 15:07 Ted Note Added: 0005786
2019-03-31 18:37 Ted Assigned To bdmc => dastrath
2019-03-31 18:37 Ted Status needs review & testing => needs review
2019-03-31 18:37 Ted Note Added: 0005787
2019-03-31 18:38 Ted Reviewed by => Ted
2019-04-01 12:46 wytze Note Added: 0005788
2019-04-05 20:39 dastrath Note Added: 0005790
2019-04-05 20:41 dastrath Status needs review => ready to deploy
2019-04-05 20:41 dastrath Reviewed by Ted => dastrath, Ted
2019-04-05 20:55 Ted Assigned To dastrath => Ted
2019-04-07 12:43 Ted Note Added: 0005792
2019-04-10 10:19 wytze Note Added: 0005793
2019-04-10 10:21 wytze Status ready to deploy => solved?
2019-04-10 10:21 wytze Resolution open => fixed
2019-04-10 10:21 wytze Note Added: 0005794
2019-04-10 10:30 wytze Note Added: 0005795
2019-04-10 18:54 Ted Status solved? => needs work
2019-04-10 18:54 Ted Note Added: 0005796
2019-04-10 19:03 Ted Note Added: 0005797
2019-04-10 19:04 Ted Note Edited: 0005797 View Revisions
2019-04-11 00:05 bdmc Note Added: 0005798
2019-04-11 00:06 bdmc Status needs work => needs review & testing
2019-04-11 00:06 bdmc Note Added: 0005799
2019-04-11 17:27 alkas Note Added: 0005800
2019-04-12 08:57 wytze Note Added: 0005801
2019-04-12 16:16 bdmc Note Added: 0005802
2019-04-15 19:52 Ted Note Added: 0005803
2019-04-15 19:53 Ted Assigned To Ted => bdmc
2019-04-15 19:53 Ted Note Edited: 0005803 View Revisions
2019-04-26 14:08 bdmc Note Added: 0005804
2019-04-26 14:25 bdmc Note Added: 0005805
2019-04-26 14:25 bdmc Assigned To bdmc => Ted
2019-05-14 20:17 Ted Note Added: 0005809
2019-05-25 21:03 alkas Note Added: 0005810
2019-05-26 18:18 L10N Note Added: 0005811
2019-05-27 08:29 GuKKDevel Note Added: 0005812
2019-05-27 08:55 GuKKDevel Note Added: 0005813
2019-05-31 04:40 bdmc Note Added: 0005814
2019-07-04 23:05 Ted Note Added: 0005815