How to create CAcert client certificate with command line tools (Windows 10 and older)
By Gero Treuner
Overview
Windows 10 provides command line utilities for all necessary steps to create a public/private key, get a certificate from CAcert and export it for use in other applications - where web browsers as Firefox manage certificates separately - or on other machines.
These are the steps:
- Create a public/private key and a Certificate Signing Request (CSR) with a common template.
- Submit the CSR to the CAcert CA, obtain the client certificate and store it (in the PEM format) into a CRT file.
- Import the certificate to the "Personal" certificates of the current user (you). Then it will link with the private key. You can use it in one or more computer(s) in their systems and client programs as web browsers (Internet Explorer, Edge, Firefox, Chrome,...), and e-mail clients (Outlook, Thunderbird, The Bat,...). What is important here, is the purpose of the client certificates - their use in client programs. The computer itself can be a PC, a laptop, a workstation, a server, a tablet, or a "smart" cell phone.
- If you need to use your client certificate on another computer, you will need to export the certificate with the corresponding private key into a P12-type file with PFX extension. You can import it to a target computer and/or client program. If the operating system is Windows, use the MMC certificate module, on tablets or cell phones opening the file is frequently sufficient.
Preparation
After that you will have:
- A working folder for the files needed during the course of creating a certificate
- A parameter file downloaded and dropped there
- An open command window for processing
Open Windows explorer: holding down the "Win" key and typing "e" (or via the menu).
Create a new folder by the context menu: Click the right mouse button and select "New Folder".
Download CSR.inf and save it to the new folder.
If you are familiar with certificates, you can edit file CSR.inf and adjust the parameters for the key. The provided file specifies RSA encryption with a strong key length. "FriendlyName" will be shown later in the Windows certificate store and can be adjusted as you like. Completely ignored are "Subject" and "KeyUsage" (for CAcert) - you will select the possible usage and personal data to include later in the web portal.
[NewRequest] Subject = "CN=dummy.createnewcsr.cacert.org" ExportableEncrypted = true HashAlgorithm = sha256 KeyAlgorithm = RSA KeyLength = 4096 KeyUsage = "CERT_DIGITAL_SIGNATURE_KEY_USAGE | CERT_KEY_ENCIPHERMENT_KEY_USAGE" RequestType = PKCS10 FriendlyName = "MyCertificateFromCAcert"
Finally open a command window for the folder you created above: Hold down the Shift key and clicking the right mouse key on that folder - select "Open command window here" from the menu.
Create a public/private key and a Certificate Signing Request (CSR)
In the command window type the command below followed by the enter (return) key:
certreq -new CSR.inf CSR_for_CAcert.req
That's it - in the background a key has been added to your personal certificate store and a CSR file created (for submission to CAcert) with name "CSR_for_CAcert.req".
On error message check paths and whether CSR.inf really resides in the current folder (which is shown in the so called "prompt" in the command window).
CSR submitting and getting the certificate
Open the file "CSR_for_CAcert.req" with your CSR in Notepad. Select all the contents and copy it to the clipboard (Ctrl-A, then Ctrl-C).
Login to your CAcert account and select "New" from the menu "Client certificates":
Check the box "Show advanced options". More contents will display; use the large text box "Optional Client CSR...". Paste the CSR contents (Ctrl-V) in that box. Enter a comment into the "Optional comment" box above; it will identify your new certificate in the list in your account only.
Don't forget to claim your agreement with the CAcert Community Agreement by checking the box below. Press the "Submit" button.
CAcert issues your client certificate. You can download it in the PEM format (.crt file suffix) or in the DER format (.cer suffix) and save it to the folder created earlier, where you have the command window open. Remember that the certificate does not contain the private key as it remains on the computer, where your CSR have been created.
Importing the certificate into the operating system
Suppose that you have downloaded the certificate in the PEM format into the file with .crt suffix. Now, you need to import the certificate into the operating system (Windows 10).
In the command window type the command below - inserting the name of the downloaded certificate file - followed by the enter (return) key:
certreq -accept <name-of-downloaded-cert>.crt
Export or backup the client certificate
You may export a certificate with corresponding private key to a P12-formatted file with the PFX suffix. This way you can make backups, but you can also transfer a certificate with corresponding private key to another computer, tablet, cell phone etc., and also to the client programs having their own certificate repository, as the web browser Firefox and e-mail client program Thunderbird.
Open the Certificate Manager: Hold down the "Win" key and type "R". In the command line enter followed by the enter (return) key:
certmgr.msc
Display the menu through right clicking on the certificate item. Select „All tasks“ - „Export“.
An export wizard appears. You will need to make an important decision on the second page. Selecting the private key export, you also select the output format P12 (.pfx suffix) and the whole process of the export at the same time. Press the "Next" button.
The PKCS 12 (P12) formatted file with the PFX suffix is already preselected. You can add more useful options, as suggested (see the picture). „Include all certificates in the certification path...“ enables to import also root certificate(s) of the CA from the resulting file (CAcert in this case).
„Export all extended properties“ is set rather for to be sure.
You surely don't wish to „Delete the private key if the export is successful“, as you need to keep the posibility for the certificate to work, if you want to transfer it from the computer, you have created the certificate (with the CSR) on, to another computers / cell phones / tablets...
Select and enter your password twice. (Groups and usernames belong to the concept of the Microsoft Active Directory [AD], do not use them here). Continue with the "Next" button.
Enter the path and filename of P12-formatted file with the .pfx suffix, where the certificate and the private key will be saved. After pressing the "Next" button a summary will be displayed. Then (after hitting "Complete") the confirming dialog appears. Press OK.
You can import the client certificate and the private key on a different computer (e.g. laptop) by transferring the PFX file and importing from it.