Conditions and Rules for issued certificates - 202506
Expiration times
On April 14, 2025, the CA/Browser Forum passed a ballot to reduce the maximum term of SSL/TLS certificates to 47 days by March 15, 2029. (https://en.wikipedia.org/wiki/Certificate_authority#cite_note-44)
| Certification type | Expiration time currently proposed | Expiration time in the future | Comment |
|---|---|---|---|
| Root CA | 20 years | max. 20 years | may be reduced down to 5 years |
| Subordinate CAs: Person, Client, Server | 5 years | max. 5 years | may be reduced down to 2 years |
| Users (0-49 APs): Person, Client, Server | 6 months | 200 days (after 20260315), 100 days (after 20270315), 47 days (after 20290315) | Measure against breaking by quantum computers |
| Users (50+ APs): Person, Client, Server | 398 days | 200 days (after 20260315), 100 days (after 20270315), 47 days (after 20290315) | Measure against breaking by quantum computers |
Certificate renewal is deprecated
Users are strongly encouraged NOT to renew expired certificates, and instead to issue a new CSR with a new key pair for every certificate they need to renew.
This is extremely important for server certificates.
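The user-certificate limits from the table, combined with the advice to use a new key pair for every certificate, as an added example (not CAcert's own code). It assumes each future limit applies to certificates issued on or after its listed date; the function names and the sample dates are hypothetical.

```python
from datetime import date, timedelta

# Future limits from the table: (first issuance date, maximum validity in days).
# Assumption: each limit applies to certificates issued on or after its date.
FUTURE_LIMITS = [
    (date(2026, 3, 15), 200),
    (date(2027, 3, 15), 100),
    (date(2029, 3, 15), 47),
]


def max_validity_days(issued, current_days=398):
    """Maximum validity for a user certificate issued on `issued`.

    `current_days` is the limit before the first future date; 398 is the
    50+ APs row (pass the day count for 6 months for the 0-49 APs row).
    """
    limit = current_days
    for effective, days in FUTURE_LIMITS:
        if issued >= effective:
            limit = days
    return limit


def validity_ok(not_before, not_after, current_days=398):
    """True if the validity period fits the limit in force at issuance."""
    if not_after <= not_before:
        raise ValueError("notAfter must be later than notBefore")
    return (not_after - not_before).days <= max_validity_days(not_before, current_days)


def issuance_plan(first_issue, until, current_days=398):
    """List (not_before, not_after) for back-to-back maximum-term certificates.

    Each entry stands for one new key pair and one new CSR, since renewing
    with the old key is discouraged.
    """
    plan, start = [], first_issue
    while start < until:
        end = start + timedelta(days=max_validity_days(start, current_days))
        plan.append((start, end))
        start = end
    return plan


if __name__ == "__main__":
    # Constructed sample: a server first issued on 2026-01-01, planned to 2030.
    for not_before, not_after in issuance_plan(date(2026, 1, 1), date(2030, 1, 1)):
        print(not_before, "->", not_after, (not_after - not_before).days, "days")
```

The length of the returned plan is the number of key pairs and CSRs to generate over the period, which is the figure to size automation against.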
CSR Minimum requirements
General
These rules apply to Certificate Signing Requests (CSRs) that are generated by a utility such as OpenSSL, Kleopatra, or XCA. If a user uses the CAcert web application, the CSR is generated properly.
Key pair: a newly generated pair consisting of a private key and a public key. Users must keep their private keys safe.
Only the public key is part of the CSR.
- more...?
Person
The user can select the following items on the certificate generation page.
- The email address of the user (RFC 5322, section 3.4.1). More email addresses may be entered as Subject Alternative Names (SANs).
- The user's name, following RFC 5322, section 3.4.
- The ability to sign documents or software with the certificate issued.
- The Single Sign-On (SSO) code: a hash of a random number, created with SHA-1 or a later SHA version.
- The ability to log in to the user's account at CAcert.
- The hash algorithm used at certificate signing (issuing). Currently SHA-256, SHA-384, and SHA-512 are available.
Client
- The Internet FQDN address of the client: host name of the client computer
Server
- The Internet FQDN address of the server: host name of the server computer
Some cryptographic algorithms resist quantum-computer attacks
The article https://freemindtronic.com/quantum-computing-threats-rsa-aes/ states:
Key takeaways:
- RSA-2048 & AES-256 remain safe against quantum attacks through at least 2035.
- Grover’s algorithm reduces AES-256 strength to 2¹²⁸ operations—still infeasible.
- Shor’s algorithm would require ~20 million stable qubits to break RSA-2048.
- HQC draft selected in March 2025, final standard expected by 2027.
- Segmented key encryption by Jacques Gascuel offers immediate post-quantum defense.
Reference to the SHA-1 hash algorithm
The SHA-1 algorithm will probably be replaced by a more sophisticated successor in the future.
More
...?