How to create a certificate with another browser (even if you get an error message from Firefox or Chrome)

Problem

I have not been able to generate client certificates for a week, whether in Firefox, Chrome or Internet Explorer...

Is there any information on this?

Solution

The last time I successfully generated a certificate was in July 2019 with the then-current Firefox. In the current version, which you probably also have, as well as in Chrome, certificate generation doesn't work anymore, because the current browsers obviously no longer support the <keygen> HTML element used so far.

I helped myself by installing the Palemoon browser (a well-maintained fork of the old Firefox) and did the certificate generation with it.

You can also install the similar browser Seamonkey.

In my opinion, this is the easiest way to do this without playing around with OpenSSL and manually generating a key pair and a CSR. If you know how to do this, you can do it as well; you would have to open the advanced options during creation and insert the CSR there.

/!\ NOTE /!\

Palemoon and Seamonkey are Firefox clones; each has its own certificate store and does not copy certificates from the Firefox store automatically!

To open Palemoon's Certificate Manager: Palemoon browser window - blue box at the top left - Preferences - Preferences - Advanced - View Certificates tab in the Preferences dialog box. For Seamonkey: browser window - Edit menu - Preferences - a new dialog opens - Privacy and Security - Certificates - open the Manage Certificates window. The certificate window is very similar to that of Firefox.

First you need to install CAcert's roots into Palemoon's or Seamonkey's certificate store. The shortest option is to go directly to http://www.cacert.org/index.php?id=3 (NOT https!) with Palemoon. First select the Class 1 PKI key in PEM format and check trust in all 3 checkboxes. Then select the Class 3 PKI key in PEM format; no trust needs to be set for it (it will be inherited). You have now given trust to the CAcert certification authority, and your further communications with CAcert sites will use the https protocol.

If you want to sign in with your existing certificate, you must also import it from the .p12 or .pfx file in Certificate Manager. If you do not have it, you will have to log in with your username and password. After logging in, you can have the Palemoon or Seamonkey browser generate a new certificate request and submit it.

More help

The alternatives using a CSR are described in the Wiki, section "Create Certificates": https://wiki.cacert.org/TutorialsHowto

Further background can be found in the CAcert bug tracker: http://bugs.cacert.org/view.php?id=1417

(answers by ST, GT, translation by DL)
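
The manual OpenSSL route mentioned in the solution (generate a key pair and a CSR yourself, then insert the CSR in the advanced options), shown as an added example that is not part of the original answers or of CAcert's own tooling. The file names, the subject values and the KEY_PASS variable are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: create the client key and CSR locally instead of via <keygen>.
# File names and subject values are constructed placeholders.
set -eu

# make_client_csr DIR NAME EMAIL [BITS]
# Writes DIR/client.key (passphrase-encrypted, from $KEY_PASS) and DIR/client.csr.
make_client_csr() {
    csr_dir=$1; csr_cn=$2; csr_email=$3; csr_bits=${4:-3072}
    : "${KEY_PASS:?export KEY_PASS with the passphrase for the private key}"
    mkdir -p "$csr_dir"
    # umask 077: the key file is created readable by its owner only.
    ( umask 077
      openssl genpkey -algorithm RSA -pkeyopt "rsa_keygen_bits:$csr_bits" \
          -aes-256-cbc -pass env:KEY_PASS -out "$csr_dir/client.key" 2>/dev/null )
    # Only the CSR (public key + subject, self-signed) is sent to the CA.
    openssl req -new -sha256 -key "$csr_dir/client.key" -passin env:KEY_PASS \
        -subj "/CN=$csr_cn/emailAddress=$csr_email" -out "$csr_dir/client.csr"
}

# csr_matches_key CSR KEY
# Succeeds only if the CSR's self-signature verifies and its public key
# belongs to KEY, i.e. the file you paste is the request you generated.
csr_matches_key() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q "verify OK" || return 1
    cmk_csr_pub=$(openssl req -in "$1" -noout -pubkey) || return 1
    cmk_key_pub=$(openssl pkey -in "$2" -passin env:KEY_PASS -pubout) || return 1
    [ "$cmk_csr_pub" = "$cmk_key_pub" ]
}

# Run as: KEY_PASS=... sh make-csr.sh ./cacert "Example User" user@example.org
if [ "$#" -ge 3 ]; then
    make_client_csr "$@"
    csr_matches_key "$1/client.csr" "$1/client.key"
    cat "$1/client.csr"   # paste this PEM block into the CSR field
fi
```

Once the certificate has been issued and saved (client.crt is an assumed name), openssl pkcs12 -export -inkey client.key -in client.crt -out client.p12 bundles it with the key into the .p12 file that the Certificate Manager imports.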

HowTo/ClientCertCreate4 (last edited 2020-02-02 13:56:06 by AlesKastner)