CAcert Client Certificate – Step by Step

By Stefan Thode

This document instructs to request a certificate and prepare it to get a PKCS#12 file. In this document I used the CAcert test system. The usage is similar to the production system.

Prerequisites

Imported and trusted “CAcert Public Root Certificate” in the Web-Browser. Installed certificate manager XCA http://sourceforge.net/projects/xca/ Activated account at https://secure.cacert.org

Preparation

Preface

Start XCA.

At the “File” menu use “New DataBase” to create a certificate database and save it to a file. Don’t lose your password to the new database! Or open an existing database from your filesystem.

The database

Go into tab “Certificates”.

Roots import 1

Use “Import” to allow XCA to recognize certificates of CAcert.

Roots import 2

Import the “CAcert Public Root Certificates” “root” and “class3” in this order.

Roots import 3 - trust

Trust the imported “CAcert Public Root Certificates” in the Context Menu with “Trust”.

Private Key

Private key 1

Go into tabs “Private Keys”.

Private key 2

Use “New Key” for a new Private Key.

Private key 3

Choose a name for the new key with e.g. the intended purpose included. This name is for your reference only. Use a speaking name of the Key with the planned purpose, that you can identify the Key for reuse of this purpose. Furthermore you need to select the type and strength (size) of the key that should be generated. Currently RSA with 4096 bit is fine.

Private key 4

The new Private Key is ready and…

Private key 5

…appears in your list of private Keys.

Certificate Signing Request – CSR

Certificate Signing Request 1

For the next step go into tab “Certificate signing requests”.

Certificate Signing Request 2

Use “New Request” to create a CSR.

Certificate Signing Request 3

Select a certificate template first and apply it, then choose the signature algorithm.

Certificate Signing Request 4

Go into tab “Subject”.

Certificate Signing Request 5

Select the Private Key to use, Insert the „Internal Name“ and the „emailAddress“.

In the bottom of the dialog you can choose to select one of the existing private keys or create a new one in case you forgot to create one before starting the CSR creation.

Certificate Signing Request 6

As option, you can include Aliases into the field “X509v3 Subject Alternative Name”. Create the CSR with “OK”.

Certificate Signing Request 7

The CSR is ready.

Signing Process

Signing 1

Select the new CSR and “Export”.

Signing 2

Save the CSR to file in pem Format but with extension .csr

Signing 3

Open the CSR in an editor, select ALL and copy the content.

Signing 4

Open Website cacert.org and login into your account. Go into “Client Certificates” and “New”.

Signing 5

Activate advanced options and insert the CSR into the text area.

Select the email-addresses and your name to include. If presented, choose the signing certificate (only for community members with 50 AP or more) that you want your certificate signed with. Preferably you should use the class 3 certificate option here. Enter a comment for the certificate for future identification. “Next”

Signing 6

As result the new certificate will be displayed in the browser. Use the link “Download the certificate in PEM format” to save the certificate in the pem Format.

As an alternative you can select the cryptic blob of text below including the BEGIN/END CERTIFICATE lines for direct import using "Import (PEM)" in XCA.

Signing 7

See the certificate in “Client Certificates” and “View”.

Import certificate 1

Use “Import” in XCA to import the certificate result from the CA.

Import certificate 2

Import was successful.

Import certificate 3

The certificate is listed below the signer certificate you choose earlier.

Export PKCS#12 File

Export certificate 1

Select your new certificate and use “Export”.

Export certificate 2

Save your certificate export as PKCS#12 and

Export certificate 3

…define a Password to protect your private-key from unauthorized use. This password will be asked from you when importing this file into your browser or mail client.

You have a certificate in the PKCS#12 Format for the import into browser, email client, OS …

Congratulations!


HowTo/ClientCertCreate (last edited 2016-05-04 13:05:56 by AlesKastner)