How to install a client certificate (Step-by-step Guide)
This is a detailed description how to install a client certificate.
Install a client certificate
Login to your CAcert account. Then in the menu at the right side go to "Client Certificates" --> "New". At the page opening in the first line check at "Add" the email addresses you want to referred by the certificate.
Next, if you have more than 50 assurance points, select the name variant (the name parts) you want to have in the client certificate. "Enable certificate login with this certificate" should be checked, it is default. If "Show advanced options" is checked, secondary options appear. If you check it, better select "No Single Sign On ID". Then select, which root should your certificate signed with: either Class 1 or Class 3. Preferably use Class 3.
Normally the window "Optional Client CSR" has to be empty. Then the following runs mostly automatically. You should do so.
Alternatively you can create a CSR with an external program and post it in this window. Then the creation of the client certificate is manually and you really have to know what you do.
So I assume this window is empty. Check "I accept the CAcert Community Agreement (CCA)" and click to "Next". At "Keysize" keep the default security level "High" and click on "Create Certificate". Now CAcert instructs your browser to create a certificate consisting of a private key and a public key. The private key normally never leaves your system or your browser (if it's Firefox). The public key is sent to CAcert, signed and registered and sent back as your new client certificate.
Your browser is busy some time ("Generating keys. Please wait.") and then you get the menu
- Install the certificate into your browser
- Download the certificate in PEM format
- Download the certificate in DER format
and the contents of the new client certificate. A basic information about the new certificate is added. An example follows:
CAcert web also sends an informative message (with the link to the new certificate) to your email address.
Normally you should select the first option, but you can also select the second or third option to save the certificate as a disk file and install it manually. I assume you select the first option. Then you get the message "Your personal certificate has been installed. You should create a security copy (backup) of your certificate". If you click "ok" all is done.
In Firefox 47.0a2 at "Open menu -> Options -> Advanced -> Extended -> Certificates" click "View certificates". The Certificate Manager window opens. You can check in the tab "Your Certificates", whether your new certificate is present.
Now you can select this certificate and click to "Backup...". Then you get a file menu where you can select into which directory and under which file name you want to safe the certificate file. Take care for this file. It contains the complete certificate including the private key. If it falls in the the hands of the wrong people (criminals), they can take over your identity and use certificates in your name.