## 20160504 AK
----
[[HowTo/ClientCertCreate/CZ|česky]] | [[HowTo/ClientCertCreate/DE|deutsch]] | '''english'''
----
= CAcert Client Certificate – Step by Step =
By Stefan Thode

This document describes how to generate a private key and a certificate signing request (CSR) with XCA, have the request signed by CAcert, and package the result as a PKCS#12 file. The screenshots were taken on the CAcert test system; the production system works the same way.

== Prerequisites ==
 * The “CAcert Public Root Certificate” is imported and trusted in your web browser.
 * The certificate manager XCA is installed: http://sourceforge.net/projects/xca/
 * You have an activated account at https://secure.cacert.org

== Preparation ==
{{attachment:Capture1.PNG|Preface|width=780}}

Start XCA. In the “File” menu use “New DataBase” to create a certificate database and save it to a file, or open an existing database from your filesystem. Do not lose the password of the new database: it protects every private key stored in it, and XCA cannot recover it.

{{attachment:Capture16.PNG|The database}}

Go to the “Certificates” tab.

{{attachment:Capture17.PNG|Roots import 1}}

Use “Import” to load the CAcert root certificates, so that XCA can verify and chain the certificate you will receive later.

{{attachment:Capture18.PNG|Roots import 2}}

Import the “CAcert Public Root Certificates” “root” and “class3”, in this order.

{{attachment:Capture30.PNG|Roots import 3 - trust}}

Mark the imported “CAcert Public Root Certificates” as trusted with the context menu entry “Trust”.

== Private Key ==
{{attachment:Capture2.PNG|Private key 1}}

Go to the “Private Keys” tab.

{{attachment:Capture3.PNG|Private key 2}}

Use “New Key” to create a new private key.

{{attachment:Capture4.PNG|Private key 3}}

Choose a name for the new key, e.g. one that includes the intended purpose. This name is for your reference only and is never sent to the CA; a descriptive name lets you identify the key later if you want to reuse it for the same purpose. Then select the type and strength (size) of the key to generate. Currently RSA with 4096 bit is fine.
{{attachment:Capture5.PNG|Private key 4}}

The new private key is ready and…

{{attachment:Capture6.PNG|Private key 5}}

…appears in your list of private keys.

== Certificate Signing Request – CSR ==
{{attachment:Capture7.PNG|Certificate Signing Request 1}}

For the next step go to the “Certificate signing requests” tab.

{{attachment:Capture8.PNG|Certificate Signing Request 2}}

Use “New Request” to create a CSR.

{{attachment:Capture9.PNG|Certificate Signing Request 3}}

Select a certificate template first and apply it, then choose the signature algorithm.

{{attachment:Capture10.PNG|Certificate Signing Request 4}}

Go to the “Subject” tab.

{{attachment:Capture11.PNG|Certificate Signing Request 5}}

Select the private key to use, then fill in the “Internal Name” and the “emailAddress”. At the bottom of the dialog you can pick one of the existing private keys, or generate a new one in case you forgot to create one before starting the CSR.

{{attachment:Capture31.PNG|Certificate Signing Request 6}}

Optionally, add aliases (additional e-mail addresses) in the field “X509v3 Subject Alternative Name”. Create the CSR with “OK”.

{{attachment:Capture13.PNG|Certificate Signing Request 7}}

The CSR is ready.

== Signing Process ==
{{attachment:Capture14.PNG|Signing 1}}

Select the new CSR and “Export”.

{{attachment:Capture15.PNG|Signing 2}}

Save the CSR to a file in PEM format, but with the extension .csr.

{{attachment:Capture19.PNG|Signing 3|width=780}}

Open the CSR in a text editor, select all and copy the content. The CSR contains only your public key and the requested names; the private key stays in the XCA database and must never be pasted into the web form.

{{attachment:Capture20.PNG|Signing 4|width=780}}

Open the website cacert.org and log in to your account. Go to “Client Certificates” and “New”.

{{attachment:Capture21.PNG|Signing 5|width=780}}

||<#FF8080> Have you noticed that in the picture above the radio button is set to '''Class 3'''? It does not work the other way round! ||

Enable the advanced options and paste the CSR into the text area. Select the e-mail addresses and your name to include.
If presented, choose the signing certificate (only offered to community members with 50 assurance points or more) that you want your certificate signed with. Preferably use the class 3 option here. Enter a comment for the certificate for future identification, then press “Next”.

{{attachment:Capture22.PNG|Signing 6|width=780}}

As a result the new certificate is displayed in the browser. Use the link “Download the certificate in PEM format” to save the certificate in PEM format. Alternatively, select the block of text below it, including the BEGIN/END CERTIFICATE lines, and use “Import (PEM)” in XCA to import it directly from the clipboard.

{{attachment:Capture23.PNG|Signing 7|width=780}}

You can see the certificate under “Client Certificates” with “View”.

{{attachment:Capture24.PNG|Import certificate 1}}

Use “Import” in XCA to import the certificate issued by the CA.

{{attachment:Capture25.PNG|Import certificate 2}}

The import was successful.

{{attachment:Capture26.PNG|Import certificate 3}}

The certificate is listed below the signer certificate you chose earlier. XCA associates it with the private key from the first step because the public key in the certificate matches that key.

== Export PKCS#12 File ==
{{attachment:Capture27.PNG|Export certificate 1}}

Select your new certificate and use “Export”.

{{attachment:Capture28.PNG|Export certificate 2}}

Save your certificate export as PKCS#12 and…

{{attachment:Capture29.PNG|Export certificate 3}}

…define a password to protect your private key from unauthorized use. You will be asked for this password when importing the file into your browser or mail client. The exported file contains your private key, so keep it as safe as the XCA database and delete copies you no longer need.

You now have a certificate in PKCS#12 format for import into a browser, e-mail client, OS … Congratulations!

----
 . CategoryStepByStep
 . CategoryTutorials
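The same procedure on the command line, as an added example that is not part of this page or of XCA: generate the RSA 4096 key, build a CSR carrying the emailAddress and alias addresses in the Subject Alternative Name, check a received certificate really belongs to your key before importing it, and export a password-protected PKCS#12 file. It assumes an `openssl` binary in PATH and a writable scratch directory; the names, addresses and password are made up, and because the real signature is obtained through the CAcert web form, a self-signed stand-in certificate is created so that the later steps run offline.

```shell
#!/bin/sh
# Added example: the XCA steps of this page done with the OpenSSL CLI.
# Assumptions (not from the page): `openssl` is in PATH, a scratch
# directory is writable, and the names/addresses/password are made up.
set -eu

WORK="${WORK:-$(mktemp -d)}"
KEY_BITS="${KEY_BITS:-4096}"          # the page recommends RSA 4096
P12_PASS="${P12_PASS:-change-me}"     # protects the private key inside the .p12

# Step 1: private key. It stays on this machine; only the CSR goes to the CA.
make_key() {
    openssl genpkey -algorithm RSA -pkeyopt "rsa_keygen_bits:$KEY_BITS" \
        -out "$WORK/client.key" 2>/dev/null
    chmod 600 "$WORK/client.key"
}

# Step 2: CSR with CN, emailAddress and aliases in the Subject Alternative Name.
# A request config is written so the run does not depend on the system openssl.cnf.
make_csr() {
    cn="$1"; email="$2"; alias="$3"
    cat > "$WORK/csr.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = ext
[dn]
CN = $cn
emailAddress = $email
[ext]
subjectAltName = email:$email, email:$alias
EOF
    openssl req -new -key "$WORK/client.key" -config "$WORK/csr.cnf" \
        -out "$WORK/client.csr"
}

# Check the CSR before pasting it into the web form: the self-signature must
# verify (proves we hold the key) and the SAN must carry the addresses we want.
verify_csr() {
    openssl req -in "$WORK/client.csr" -noout -verify >/dev/null 2>&1
}
csr_has_san_email() {
    openssl req -in "$WORK/client.csr" -noout -text | grep -q "email:$1"
}

# Stand-in for "Download the certificate in PEM format": the real certificate is
# issued by CAcert; here the CSR is self-signed so the later steps run offline.
fake_ca_sign() {
    openssl x509 -req -in "$WORK/client.csr" -signkey "$WORK/client.key" \
        -days 1 -out "$WORK/client.crt" 2>/dev/null
}

# Before importing a certificate, confirm it was issued for OUR key: the public
# key inside the certificate must equal the one derived from the private key.
cert_matches_key() {
    key="$1"; crt="$2"
    k_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    c_pub=$(openssl x509 -in "$crt" -pubkey -noout)
    [ "$k_pub" = "$c_pub" ]
}

# Step 4: PKCS#12 bundle (key + certificate, plus the CA chain if chain.pem exists)
# for import into a browser or mail client; the password guards the key.
export_p12() {
    friendly="$1"
    chain_opt=""
    [ -s "$WORK/chain.pem" ] && chain_opt="-certfile $WORK/chain.pem"
    # shellcheck disable=SC2086
    openssl pkcs12 -export -inkey "$WORK/client.key" -in "$WORK/client.crt" \
        $chain_opt -name "$friendly" -passout "pass:$P12_PASS" -out "$WORK/client.p12"
    chmod 600 "$WORK/client.p12"
}

# What the browser or mail client will do on import: open the bundle with the password.
p12_opens() {
    openssl pkcs12 -in "$WORK/client.p12" -passin "pass:$1" -nodes -noout 2>/dev/null
}

make_key
make_csr "Stefan Example" "stefan@example.org" "s.thode@example.org"
verify_csr
fake_ca_sign
cert_matches_key "$WORK/client.key" "$WORK/client.crt"
export_p12 "CAcert client cert (example)"
p12_opens "$P12_PASS"
echo "key, CSR, certificate and PKCS#12 written to $WORK"
```

To use it against CAcert, paste the contents of `client.csr` into the web form, save the returned PEM as `client.crt`, put the imported root and class3 certificates into `chain.pem`, and run `cert_matches_key` and `export_p12` on the result; the `fake_ca_sign` step is only there to let the example run without the CA.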