#language en ## 20221128 Sven ---- [[HowTo/CCforNewbiesMac/CZ|Ĩesky]] | '''english''' ---- = CAcert Client Certificates for MacOS = . ''by Sven'' == Create == Create a key/request pair. When asked, protect the key with a key passphrase and enter the {EMAIL} address. All other fields may remain empty. {{{ . name="{NAME}" # first and last name . email="{EMAIL}" . openssl req -newkey rsa:2048 -keyout $email.key -out $email.csr }}} Securely backup the '''{EMAIL}.key''' and the corresponding key passphrase. You will need both to renew the client certificate. Log in at [CAcert](https://cacert.org) and select "Client Certificates -> New". Select the same '''{EMAIL}''' address and include the '''{NAME}'''. Check "show advanced options" and paste '''{EMAIL}.csr''' in the CSR textarea. Accept the CCA and submit. === Backup the certificate in PKCS12 format === Download the certificate in PEM format to '''{EMAIL}.crt''', then create the PKCS12 ('''{EMAIL}.pfx''') file. You'll have to unlock the key with the key passphrase set above. Furthermore, protect the PKCS12 file with an export password. {{{ . openssl pkcs12 -export -inkey $email.key -in $email.crt -name "$name" -out $email.pfx }}} Open Firefox and access [privacy settings](about:preferences#privacy). Scroll down to "certificates", click "view certificates", click "import" and import '''{EMAIL}.pfx'''. Securely backup the '''{EMAIL}.pfx''' and the corresponding export password. == Renew == To renew a certificate, you need to have the corresponding private key saved on the computer you are renewing from. . Log in at [CAcert](https://cacert.org) and select "Client Certificates -> View". Select the client certificate to renew and click "Renew". . When the renewal is processed, hit "click here to install your certificate". From this point forward, proceed as mentioned above in the Create section - Backup the certificate in PKCS12 format. ---- CategoryTutorials