#language en
## 20240528 Sven
----
 [[HowTo/CCforNewbiesMac/CZ|Česky]] | '''english'''
----

= CAcert Client Certificates for MacOS =
 . ''by Sven''

== Create ==

Create a private key and certificate signing request (CSR) pair. When asked, protect the key with a key passphrase and enter the '''{EMAIL}''' address. All other fields may remain empty.

{{{
name="{NAME}"     # first and last name
email="{EMAIL}"
# Generate a passphrase-protected 2048-bit RSA key and a CSR for it
openssl req -newkey rsa:2048 -keyout "$email.key" -out "$email.csr"
}}}

Securely back up '''{EMAIL}.key''' and the corresponding key passphrase. You will need both to renew the client certificate.

Log in at [[https://cacert.org|CAcert]] and select "Client Certificates -> New". Select the same '''{EMAIL}''' address and include the '''{NAME}'''. Paste the contents of '''{EMAIL}.csr''' into the CSR textarea. Accept the CCA and submit.

=== Backup the certificate in PKCS12 format ===
Download the certificate in PEM format to '''{EMAIL}.crt''', then create the PKCS12 ('''{EMAIL}.pfx''') file. You'll have to unlock the key with the key passphrase set above. Furthermore, protect the PKCS12 file with an export password.

{{{
# Bundle the private key and the issued certificate into one PKCS12 file
openssl pkcs12 -export -inkey "$email.key" -in "$email.crt" -name "$name" -out "$email.pfx"
}}}

Open Firefox and open the privacy settings (`about:preferences#privacy`). Scroll down to "certificates", click "view certificates", click "import" and import '''{EMAIL}.pfx'''.

Securely back up '''{EMAIL}.pfx''' and the corresponding export password.

== Renew ==
To renew a certificate, you need to have the corresponding private key saved on the computer you are renewing from.
 . Log in at [[https://cacert.org|CAcert]] and select "Client Certificates -> View". Select the client certificate to renew and click "Renew".
 . When the renewal is processed, hit "click here to install your certificate". From this point forward, proceed as described above in the Create section under "Backup the certificate in PKCS12 format".
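
Both the Create and the Renew steps depend on the downloaded certificate belonging to the key you hold. The following check is an added example, not part of the original how-to: it compares the public key in the CSR with the one in the issued certificate, so the key passphrase is not needed. The function name `check_issued_cert` and its variables are hypothetical.

```shell
# check_issued_cert CSR CRT EMAIL   (hypothetical helper, added example)
# Returns 0 when CRT carries the public key from CSR and lists EMAIL,
# 1 on a mismatch, 2 when one of the files cannot be parsed.
check_issued_cert() {
    csr=$1 crt=$2 want_email=$3

    # The CSR contains the public half of the key pair, so the encrypted
    # private key does not have to be unlocked for this comparison.
    csr_pub=$(openssl req -in "$csr" -noout -pubkey 2>/dev/null) || return 2
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || return 2
    [ -n "$csr_pub" ] && [ -n "$crt_pub" ] || return 2

    if [ "$csr_pub" != "$crt_pub" ]; then
        echo "MISMATCH: $crt was not issued for the key behind $csr" >&2
        return 1
    fi

    # -email prints the addresses found in the subject and subjectAltName,
    # one per line; require an exact, case-insensitive line match.
    if ! openssl x509 -in "$crt" -noout -email | grep -qxiF -- "$want_email"; then
        echo "MISMATCH: $crt does not list $want_email" >&2
        return 1
    fi

    # Print the expiry date so the next renewal can be planned.
    openssl x509 -in "$crt" -noout -enddate
    return 0
}
```

Run it as `check_issued_cert "$email.csr" "$email.crt" "$email"` after downloading the certificate and before the `openssl pkcs12 -export` step.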

----

CategoryTutorials