How to log in to your CAcert account using a client certificate

You can log in with a client certificate from the CAcert homepage, https://www.cacert.org, using the menu on the right side: My Account -> Cert login.

[Screenshot: Cert login in menu]

Logging in with a client certificate is very convenient. However, setting it up requires meeting some specific conditions and rules.

Prerequisites

You have installed the CAcert root certificates into your computer's operating system, and also into the Firefox browser and the Thunderbird email client, if you use them. Instructions for doing this are available here (operating systems), here (Firefox), and here (Thunderbird). You can also verify the fingerprints of the CAcert roots via DNSSEC. The tutorial for that can be found here.

Conditions and Rules

If you have no client certificate yet, you have to log in using your username and password (My Account -> Login). Then you have your client certificate issued. Tutorials for creating client certificates can be found here and here, and related descriptions here and here.

  1. Your client certificate, issued by CAcert, must be installed in your computer's operating system. If you use the Firefox browser, which has its own certificate repository, you have to install your client certificate directly into Firefox. Because it is your personal client certificate, you must also have created the related private key and saved it on your computer.
  2. If you access your account from multiple computers, you have to make a backup copy of your client certificate and the corresponding private key and install them from that backup on each of the computers concerned; or you have to create a separate client certificate, with its own private key, for each computer concerned.
  3. You have to check "Enable certificate login with this certificate" in the Certificate Signing Request (CSR).
    [Screenshot: Enable certificate login]
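
Before a backup is copied to another computer (rule 2 above), it is worth confirming that the certificate and the private key really belong together. The following is an added example, not part of the original CAcert page: it assumes the OpenSSL command-line tool, PEM input files and PKCS#12 as the transfer format; the function names and the P12_PASS variable are hypothetical, and the test pair is a constructed self-signed certificate standing in for a CAcert-issued one.

```bash
# Added example (not CAcert code). File names, function names and P12_PASS
# are assumptions made for illustration.

# Succeeds only if the certificate's public key equals the public key
# derived from the private key file.
cert_matches_key() (
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || exit 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || exit 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
)

# Writes a password-protected PKCS#12 bundle and reads it back to confirm it
# opens. The password comes from the P12_PASS environment variable, so it
# never appears on a command line or in the process list.
make_backup() (
    [ -n "${P12_PASS:-}" ] || { echo "set P12_PASS first" >&2; exit 3; }
    export P12_PASS
    cert_matches_key "$1" "$2" ||
        { echo "certificate and key do not match" >&2; exit 1; }
    umask 077   # the bundle holds the private key: owner-only permissions
    openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" \
        -passout env:P12_PASS || exit 2
    openssl pkcs12 -in "$3" -passin env:P12_PASS -noout 2>/dev/null
)

# Constructed sample input: a throwaway self-signed pair, so the example
# runs offline without a real CAcert-issued certificate.
make_test_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=constructed-test" \
        -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# Demo on the constructed pair.
demo_dir=$(mktemp -d)
export P12_PASS="constructed-demo-passphrase"
make_test_pair "$demo_dir" demo &&
    make_backup "$demo_dir/demo.crt" "$demo_dir/demo.key" "$demo_dir/demo.p12" &&
    echo "backup written and verified"
rm -rf "$demo_dir"
```

After the transfer, delete the bundle from any removable media or shared storage once it has been imported, since it contains the private key.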

Login procedure

  1. When you follow the link "My Account -> Cert login", the browser checks whether you have a client certificate issued by the CAcert CA that is enabled for login. If the browser finds more than one such certificate, it displays a dialog similar to the following. The dialog windows of various browsers are shown, from the left: Internet Explorer 11, Edge 37.14316, Chromium 49.0, Firefox 46.0a2, and Opera 36.0:
    [Screenshots: Certificate choice - IE, Edge, Chromium, Firefox, Opera]

  2. You can verify the properties of the selected certificate via the "Click here to view..." link (Internet Explorer 11). A new dialog window appears. Other browsers (Opera, Chromium, ...) display similar dialogs; only Firefox immediately shows the properties of the selected certificate in the "Details of selected certificate" box of the same dialog. Note the small icon of a key with the legend "You have a private key...": this is exactly the kind of personal client certificate you need.
    [Screenshot: Certificate properties]

  3. Newer Microsoft browsers and operating systems (the pictures are taken from Windows 10), i.e. Internet Explorer 11 and Edge, may display one more dialog requesting your permission to access your private key. You have to grant this permission to log in successfully, as the browser can then decrypt the website's responses.
    [Screenshot: Request for permission for accessing your private key]

  4. After you have confirmed your selection of a certificate, an error message may appear (on Windows 8 and IE11) saying that the page cannot be displayed. As a workaround, stop using TLS protocol version 1.2 in the browser.
    [Screenshot: Error using TLS 1.2]

If all conditions are met, the CAcert website will log you in to your account. Subsequent logins will require only the certificate selection.


FAQ/LoginWithCert (last edited 2016-04-13 07:21:08 by AlesKastner)