Attention - 20230515
Since 20230515, no browser can create a correct Certificate Signing Request (CSR). Therefore, the solution using the browsers Basilisk, Palemoon, or SeaMonkey can no longer be used. A new solution is being prepared. Please use the CAcert web app, or create a CSR with one of the utilities OpenSSL, XCA, or Kleopatra and submit it in Base64 format in the text field that appears after checking the "Show advanced options" field on the "New Client Certificate" page.
Attention - 20210311
Today, 20210311, after upgrades, I have found that only the Seamonkey web browser is able to submit a correct CSR (certificate signing request) to a certificate-issuing website. The OS used was Windows 10, last Insider version from 20210123. So it seems that the Palemoon and Basilisk browsers are unusable for getting certificates, as are the mainstream browsers.
20210316 - In Palemoon, it seems like a common bug; Palemoon & Basilisk also report an unknown error importing P12 files. A bug report & research was initiated.
20210318 - The Basilisk browser is repaired! After update to version 2021.03.17, both .p12 import and <keygen> are functional. You can also use OCSP validation: "Query OCSP responder servers to confirm the current validity of certificates".
20210330 - Palemoon has been repaired (ver. 29.1.1)! Thus, all three browsers using the Keygen tag (Basilisk, Palemoon, Seamonkey) work since today.
I cannot create a certificate
I didn't receive a valid Certificate Request, hit the back button and try again.
You try to create a certificate and you get the error message: "I didn't receive a valid Certificate Request, hit the back button and try again."
Your Email address is not checked
Suppose you wish to get a client certificate. You have to check (tick) your email address so that the Certificate Signing Request (CSR) can be successfully generated and sent to the CAcert web page.
If you miss it, the CSR will be invalid, because the "Common Name" (CN) = <Email address> will be empty.
The <keygen> tag is no longer supported in the majority of browsers
No web browser (as far as we know) supports the <keygen> tag nowadays (since about 20230515).
In the last months (2017), several browsers removed the <keygen> HTML tag that is used for certificate creation. Please use a browser that still supports the <keygen> HTML tag.
If you can see this CAcert page with the "Generate key pair within browser" button, but the value of the keysize is missing, or the keysize drop-down menu is empty, certificate generation will surely fail.
- Chrome for desktop until release 56. Warning: as observed, Chrome for Windows did not store the private key!
- Chrome for Android until release 56
- Android WebView until release 56
- Opera until release 43
- Opera for Android until release 43
- Safari should work; version 5.7.1 for Windows fails
- Mozilla Firefox releases 57 & 58 work OK; only beware, it has its own certificate repository!
We are sorry about this. Volunteers from our community are already working on this topic. If you can give them a hand, your help is welcome. See HelpingCAcert.
CAcert is operated by a community of volunteers. Please help so that CAcert can continue to issue free certificates! For example translate help pages or code. Or donate. Or spread CAcert in your country. Or improve translations.
The solution with Firefox
The certificate generation still works today with the version 6.0.3 (64 bit).
Should a newer version of Firefox suddenly stop generating certificates, I've always put the last portable Firefox browser on hold for this period, which I then no longer update automatically.
You can find Firefox old versions here: https://sourceforge.net/projects/portableapps/files/Mozilla%20Firefox%2C%20Portable%20Ed./
Warning: Using old versions represents a security risk.
The solution with Palemoon, Basilisk, or Seamonkey
Since about 20230515: No web browser (Basilisk since ver. 2023.05.17/64-bit, SeaMonkey since ver. 2.53.15/64-bit, Palemoon since ver. 32.1.0/64-bit) creates an appropriate Certificate Signing Request (CSR). Thus, the solution described in this part can no longer be used.
The last time I successfully generated a certificate was in July 2019 with the then current Firefox. In the current version, which you probably also have, as well as in Chrome, certificate generation doesn't work anymore, because the current browsers obviously no longer support the <keygen> HTML element used so far.
I helped myself by installing the Palemoon browser (a well maintained fork of the old Firefox) and did the certificate generation with it.
In my opinion, this is the easiest way to do this without playing around with OpenSSL and manually generating a key pair and a CSR. If you know how to do this, you can do it as well; you would have to open the advanced options during creation and insert the CSR there.
Palemoon, Basilisk, and Seamonkey are Firefox clones; thus each has its own certificate store, but it doesn't copy certificates from the Firefox store automatically!
To open their Certificate managers:
- Palemoon: browser window - blue box at the top left - Preferences - Preferences - Advanced - View Certificates tab in the Preferences dialog box.
- Basilisk: Open menu with the upper right "hamburger" button - Preferences - Advanced - View Certificates tab in the Preferences dialog box.
- Seamonkey: browser window - from the Edit menu - Preferences - new dialog opens - Privacy and Security - Certificates - open Manage Certificates window.
The certificate window is very similar to that of Firefox.
First you need to install CAcert's roots into the Basilisk's, Palemoon's, or Seamonkey's certificate store. The shortest option is to go directly to http://www.cacert.org/index.php?id=3 (NOT https!) with Basilisk, Palemoon, or Seamonkey. First select a Class 1 PKI key, PEM format, check trust in all 3 checkboxes, then select a Class 3 PKI key, PEM format, no trust is needed (will be inherited) - and you have given trust to the CAcert certification authority: your further communications with CAcert sites will be performed in the https protocol.
If you want to sign in with your existing certificate, you must also import it from the .p12 or .pfx file in Certificate Manager - if you do not have it, you will have to log in with your username and password. After logging in, you can have the Basilisk, Palemoon, or Seamonkey browser generate and apply for a new certificate request.
The alternatives with CSR are described in the Wiki, section "Create Certificates" https://wiki.cacert.org/TutorialsHowto
More background can be found in the CAcert bug tracker: http://bugs.cacert.org/view.php?id=1417
(answers by ST, GT, translation by DL)
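The OpenSSL route named in the 20230515 notice (create the CSR yourself and paste it as Base64 under "Show advanced options"), as an added example that is not CAcert's own tooling. The file names, the default key size and the rejection of `/`, `+` and `\` in the address are assumptions of this sketch; it puts the email address in CN as described above and checks the request before you paste it.

```shell
#!/bin/sh
# Added example (not CAcert's own tooling). File names and the default key
# size are assumptions; adjust them to your needs.

# make_csr EMAIL [BITS] [BASENAME] -> BASENAME.key (private) + BASENAME.csr
make_csr() {
    email=$1 bits=${2:-4096} base=${3:-cacert-client}
    case $email in
        *[/+\\]*) # -subj treats these as separators; escape them by hand
            echo "make_csr: unsupported character in address" >&2; return 1 ;;
        ?*@?*) ;;
        *)  # an empty CN is exactly what makes the request invalid
            echo "make_csr: an email address is required for CN" >&2; return 1 ;;
    esac
    # Subshell keeps the restrictive umask local; the private key stays here.
    # -nodes writes the key unencrypted, so keep it on protected storage.
    ( umask 077
      openssl req -new -newkey "rsa:$bits" -nodes -sha256 \
          -keyout "$base.key" -out "$base.csr" -subj "/CN=$email" 2>/dev/null )
}

# csr_cn FILE -> prints the commonName stored in the request
csr_cn() {
    openssl req -in "$1" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= *//p'
}

# check_csr FILE -> 0 only for a PEM (Base64) request whose self-signature
# verifies and whose CN is not empty
check_csr() {
    head -n 1 "$1" | grep -q '^-----BEGIN CERTIFICATE REQUEST-----' || return 1
    # Match on the message: some openssl versions exit 0 on a failed verify.
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK' || return 1
    csr_cn "$1" | grep -q .
}

# Stand-alone use: ./make-csr.sh you@example.org  (prints the text to paste)
if [ "$#" -gt 0 ]; then
    make_csr "$@" && check_csr "${3:-cacert-client}.csr" &&
        cat "${3:-cacert-client}.csr"
fi
```

Only the `.csr` text is submitted; the `.key` file is what you later combine with the issued certificate into a .p12 for import into a certificate manager.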