Why is CAcert not trusted by my browser?

In the case of cacert.org, they are presenting a self-signed certificate, and that's why your browser complains. There is no trust chain that leads from the certificate to a root CA that you trust.

If you were using a Linux distribution that comes with their certificate pre-installed, you wouldn't see a warning. It would be inferred that by using such a system you trust the community.

In the case of other OSs, you put trust in the public PKI that is supported (and provided in the form of a root certificate store embedded in their products) by Microsoft, Apple, Google, or Mozilla.

Cacert.org is outside of this infrastructure, and that's why you see a warning.


Why?

Their "business" decision. They are free to do whatever they want when they provide web services. They could ask users to install their root CA, they could invest money and get a signed certificate for their website, or not invest and get a free Let's Encrypt certificate*.

They chose the first model, seemingly because that fits their purpose and the "eat your own dogfood" idea.


What can you do?

It depends on what you want to do. You can access the site over http://cacert.org/ and read it.

If you want to access it with HTTPS, you can display the provided certificate and examine it yourself. Then make your own decision whether to trust it.

The tricky part is that it could indeed be a MitM attack, so you should compare the fingerprint signature of the certificate you got with a signature you obtained through another trusted connection. They publish the fingerprints here, but until you trust the real them, you can't really trust that the site belongs to the real them. Catch-22.

You could either confirm the signature with another source you trust (a friend, or just search Google for the fingerprint you got and evaluate; if it's all over reliable places, it has a chance of being valid) or use Debian, which comes with their root certificate pre-installed, to access the site over HTTPS.

You can then follow the link to instructions on how to install their root CA, install it, and trust the certificates they sign from now on (including their own).


* Technically they could use a certificate recognized by public infrastructure for their site and avoid the problem of initial trust, but maybe they decided that making you ask such a question is better for the spread of knowledge...
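The procedure described in this answer (look at the certificate the server presents, compare its fingerprint with one obtained out of band, and only then trust the root) can be scripted. The following is an added example, not code from the original answer or from CAcert: it fetches the leaf certificate without validating it, computes the SHA-256 fingerprint of its DER encoding, compares it in constant time with the fingerprint you got through another channel, and, only if they match, opens a second connection that is verified against the downloaded root file alone. The host name, port, root file name and the all-zero placeholder fingerprint are assumptions; the placeholder is deliberately not a real fingerprint and must be replaced with the value you obtained from a source you trust.

```python
import hashlib
import hmac
import socket
import ssl

# Assumptions for the example (not taken from the original post).
HOST = "www.cacert.org"
PORT = 443
ROOT_PEM = "cacert_root.pem"  # hypothetical file you downloaded and checked separately
# Constructed placeholder: replace with the fingerprint obtained out of band
# (a friend, a machine whose trust store already carries the root, ...).
OUT_OF_BAND_SHA256 = "00:" * 31 + "00"


def normalize_fingerprint(fp: str) -> str:
    """Accept 'AB:CD', 'ab cd', 'ab-cd' or 'abcd' and return lowercase hex without separators."""
    cleaned = "".join(ch for ch in fp.strip().lower() if ch not in ": -")
    if not cleaned or any(ch not in "0123456789abcdef" for ch in cleaned):
        raise ValueError(f"not a hex fingerprint: {fp!r}")
    return cleaned


def fingerprint_of_der(der: bytes, algorithm: str = "sha256") -> str:
    """Fingerprint as browsers display it: hash of the DER bytes, colon-separated, upper case."""
    digest = hashlib.new(algorithm, der).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2)).upper()


def fingerprints_match(observed: str, expected: str) -> bool:
    """Compare two fingerprints regardless of formatting, in constant time.

    Different lengths mean different hash algorithms (e.g. SHA-1 vs SHA-256);
    that is never a match, and a truncated value must not slip through.
    """
    a = normalize_fingerprint(observed)
    b = normalize_fingerprint(expected)
    if len(a) != len(b):
        return False
    return hmac.compare_digest(a, b)


def fetch_leaf_certificate_der(host: str, port: int = 443, timeout: float = 10.0) -> bytes:
    """Fetch the certificate the server presents WITHOUT validating it.

    Validation is switched off on purpose: at this point we do not trust the
    root yet, so the only thing we take from the handshake is the raw DER blob.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def connect_verified(host: str, port: int, cafile: str) -> dict:
    """Open a connection that trusts ONLY the given root file, returning the verified peer cert.

    Passing cafile= means the system store is not loaded, so this succeeds only
    if the chain presented by the server ends in that root.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=10.0) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def check_site(host: str, port: int, expected_fp: str) -> tuple:
    """Return (matches, observed_fingerprint) for the certificate the site presents."""
    der = fetch_leaf_certificate_der(host, port)
    observed = fingerprint_of_der(der)
    return fingerprints_match(observed, expected_fp), observed


if __name__ == "__main__":
    ok, observed = check_site(HOST, PORT, OUT_OF_BAND_SHA256)
    print(f"presented SHA-256 fingerprint: {observed}")
    if not ok:
        raise SystemExit("fingerprint does not match the out-of-band value; do not trust this site")
    # Only after the fingerprint matched: connect again, this time verifying against the root.
    peer = connect_verified(HOST, PORT, ROOT_PEM)
    print("verified subject:", peer.get("subject"))
```

The two connections are intentional: the first one is unverified because there is nothing to verify against yet, and its only output is a fingerprint you compare with a value from outside that connection. Never skip that comparison and feed the presented certificate straight into the trust store; that would just be trusting whoever sits between you and the server.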


CAcert-issued certificates are not self-signed. Their root certificate is self-signed, like every other CA's.

Why the CAcert root isn't included in any of the major browsers (making your Chrome display "not secure") is a completely different story. They did apply for that, but ultimately were never able to make the requested changes in their policies/procedures and prove the changes to the CA/Browser Forum.

Wikipedia page https://en.wikipedia.org/wiki/CAcert.org#Inclusion_status states:

CAcert withdrew its request for inclusion at the end of April 2007.

So, now they're just fading out.