= Introduction =

Certificates for the cacert.org domain are issued by the Organisation Admins below, as CAcert Inc. itself is organisationally assured.

= Details =

The details of the organisation account:

|| Organisation name: || CAcert Inc. ||
|| contact email: || support@cacert.org ||
|| city: || Sydney ||
|| state: || NSW ||
|| country: || AU ||
|| comments: || ||

== Domains ==

 * cacert.org
 * cacert.com
 * cacert.net

== Organisation Admins ==

 * [[MichaelTänzer|Michael Tänzer]]
 * [[JanDittberner|Jan Dittberner]]

Please contact them for renewal or revocation of any of the certificates listed in [[SystemAdministration/CertificateList]].

= Procedure =

== Client Certificates ==

If required for an email address that you control (e.g. email address), you can issue this yourself (assuming you are assured or an assurer). If you're stuck, ask a certificate manager.

== Server Certificates ==

These require a CSR to be sent to a certificate manager (see above).

 1. Create a PKCS#10 format (PEM encoded) CSR (certificate signing request). ''Quick CSR generation howto'':
  a. with a recent openssl version:
  {{{
$ openssl req -new -nodes -newkey rsa:4096 -keyout private.key.pem -out server.csr.pem \
    -subj '/C=AU/ST=NSW/O=CAcert Inc./CN=domainname.cacert.org' \
    -addext "subjectAltName=DNS:domainname.cacert.org,DNS:alternative.cacert.org"
  }}}
  a. with an ancient openssl version that does not support the {{{-addext}}} option:
  {{{
$ openssl req -new -nodes -newkey rsa:4096 -keyout private_key -out server.csr \
    -subj '/C=AU/ST=NSW/O=CAcert Inc./CN=domainname.cacert.org'
  }}}
  a. email addresses can't be included in CAcert server certificates
  a. if you want to add Subject Alternative Names with older openssl versions, you need to use a custom openssl configuration file
  a. you may use other tools like the JDK keytool, certtool from GnuTLS or certutil from Mozilla's libnss3
 1. Authorization - you must be listed as an administrator for the system you are issuing a certificate for (https://selfservice.cacert.org/staff)
 1. Authentication - please issue the request from your @cacert.org email address and have it S/MIME (or less preferably OpenPGP) signed when you send the CSR to the Certificate Manager.
 1. Document the certificate in Infradocs (https://git.cacert.org/cacert-infradocs.git/); the certificate list is rendered as https://infradocs.cacert.org/certlist.html

----
CategoryProcedures
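
For the older-openssl case in step 1 of the server certificate procedure, the following added example (not part of the original page and not CAcert's own tooling) builds the custom configuration file that carries the Subject Alternative Names, then checks the resulting CSR before it is mailed. The function names are hypothetical, the output file names are those of the first command above, and checking the CN and DNS names against the Domains list is an assumption about what a certificate manager will accept.

```shell
# Added example, not CAcert's own tooling; all function names are hypothetical.

# in_org_domain NAME: succeed if NAME is an organisation domain or lies below one.
in_org_domain() {
    case $1 in
        cacert.org|cacert.com|cacert.net) return 0 ;;
        *.cacert.org|*.cacert.com|*.cacert.net) return 0 ;;
        *) return 1 ;;
    esac
}

# make_csr_legacy CN [ALT_NAME...]: same request as the -addext command, with the
# subject and subjectAltName taken from a throwaway config file instead.
make_csr_legacy() {
    cn=$1; shift
    cnf=$(mktemp) || return 1
    {
        printf '[req]\nprompt = no\ndistinguished_name = dn\nreq_extensions = ext\n'
        printf '[dn]\nC = AU\nST = NSW\nO = CAcert Inc.\nCN = %s\n' "$cn"
        printf '[ext]\nsubjectAltName = DNS:%s' "$cn"
        for alt in "$@"; do printf ',DNS:%s' "$alt"; done
        printf '\n'
    } > "$cnf"
    # umask in a subshell: the new private key is readable by its owner only
    (umask 077; openssl req -new -nodes -newkey rsa:4096 -config "$cnf" \
        -keyout private.key.pem -out server.csr.pem) && rc=0 || rc=$?
    rm -f "$cnf"
    return "$rc"
}

# check_csr FILE: fail if the CSR carries an email address or a CN/DNS name
# outside the organisation domains listed on this page.
check_csr() {
    text=$(openssl req -in "$1" -noout -text 2>/dev/null) || return 1
    if printf '%s\n' "$text" | grep -Eq 'emailAddress|email:'; then
        echo "CSR contains an email address" >&2; return 1
    fi
    cn=$(printf '%s\n' "$text" | sed -n 's/^ *Subject:.*CN *= *\([^,/]*\).*/\1/p')
    sans=$(printf '%s\n' "$text" | tr ', ' '\n\n' | sed -n 's/^DNS://p')
    while read -r name; do
        [ -z "$name" ] || in_org_domain "$name" ||
            { echo "outside organisation domains: $name" >&2; return 1; }
    done <<EOF
$cn
$sans
EOF
}
```

Typical use is `make_csr_legacy domainname.cacert.org alternative.cacert.org && check_csr server.csr.pem`; only the CSR is sent, the private key stays on the system it was generated on.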