CAcert Client Certificates for macOS

Create

Create a key/request pair. When asked, protect the key with a key passphrase and enter the {EMAIL} address. All other fields may remain empty.

    name="{NAME}"     # first and last name
    email="{EMAIL}"
    openssl req -newkey rsa:2048 -keyout "$email.key" -out "$email.csr"

Securely back up the {EMAIL}.key and the corresponding key passphrase. You will need both to renew the client certificate.

Log in at [CAcert](https://cacert.org) and select "Client Certificates -> New". Select the same {EMAIL} address and include the {NAME}. Check "show advanced options" and paste {EMAIL}.csr in the CSR textarea. Accept the CCA and submit.

Back up the certificate in PKCS12 format

Download the certificate in PEM format to {EMAIL}.crt, then create the PKCS12 ({EMAIL}.pfx) file. You'll have to unlock the key with the key passphrase set above. Furthermore, protect the PKCS12 file with an export password.

    openssl pkcs12 -export -inkey "$email.key" -in "$email.crt" -name "$name" -out "$email.pfx"

Open Firefox and access [privacy settings](about:preferences#privacy). Scroll down to "certificates", click "view certificates", click "import" and import {EMAIL}.pfx.

Securely back up the {EMAIL}.pfx and the corresponding export password.
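A check worth running before the PKCS12 export, as an added example that is not part of the original page: it confirms that the downloaded {EMAIL}.crt carries the same public key as {EMAIL}.csr (and therefore belongs to {EMAIL}.key), names the expected address and has not expired, all without unlocking the key. The function names `pubkey_digest` and `check_client_cert` are made up for this example, and it assumes the files sit in the current directory under the names used above.

```shell
#!/bin/sh
# Added example (not from the original page). Function names are hypothetical.
# Usage: check_client_cert "$email"   # expects $email.csr and $email.crt here

# Print the SHA-256 digest of the public key inside a CSR or a certificate.
# $1 = "req" for a CSR or "x509" for a certificate, $2 = file name
pubkey_digest() {
    pem=$(openssl "$1" -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl dgst -sha256 | awk '{print $NF}'
}

# Return 0 if $1.crt matches $1.csr, 1 on a failed check, 2 if a file is unreadable.
check_client_cert() {
    email=$1
    csr_fp=$(pubkey_digest req "$email.csr") || {
        echo "cannot read a public key from $email.csr" >&2; return 2; }
    crt_fp=$(pubkey_digest x509 "$email.crt") || {
        echo "cannot read a public key from $email.crt" >&2; return 2; }

    # Same public key in request and certificate means the certificate
    # belongs to the private key that produced the request.
    if [ "$csr_fp" != "$crt_fp" ]; then
        echo "$email.crt was not issued for the key behind $email.csr" >&2
        return 1
    fi

    # The certificate must name the address the request was made for.
    if ! openssl x509 -in "$email.crt" -noout -email | grep -qxiF "$email"; then
        echo "$email.crt does not contain the address $email" >&2
        return 1
    fi

    # -checkend 0 fails if the certificate has already expired.
    if ! openssl x509 -in "$email.crt" -noout -checkend 0 >/dev/null; then
        echo "$email.crt has expired" >&2
        return 1
    fi

    echo "OK: $email.crt matches $email.csr (key digest $crt_fp)"
}
```

The same check is useful before a renewal, to confirm that the key material saved on the computer is the one the certificate was issued for.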

Renew

To renew a certificate, you need to have the corresponding private key saved on the computer you are renewing from.



HowTo/CCforNewbiesMac (last edited 2022-11-28 10:13:13 by AlesKastner)