The simplest method to get client certificates
Suppose you are a newbie, and you have created your account at CAcert. You have also passed the CAcert's PING test to your primary email address. You have answered the confirmation email message containing the verification link and this sentence: "Once your account is verified you will be able to start issuing certificates till your hearts' content!". And you have clicked that link.
A short digression from the topic:
Delivery of the PING test message requires an unsecured transfer from the CAcert server to your mail server. However, more and more e-mail servers now require a secured transfer, frequently using the TLS protocol, which means the receiving mail server must trust CAcert in order to accept the message. Unfortunately, such trust is almost always missing, because the receiving server usually has no CAcert root certificate installed, and so the message is not delivered. If that receiving server belongs to you, or you can come to an agreement with its administrator, the root certificates can be installed there or, exceptionally, the TLS encryption requirement can be turned off for a while.
The problem arises when you use a public mail server (gmail.com etc.), where you cannot ask for such an intervention. Then you need to arrange with the administrator of a friendly company to accept mail for your domain for a short time, allocate an e-mail address in your domain to you, and receive messages addressed to you without TLS security or a CAcert certificate installation. At the same time, you need to add an MX record to your domain's DNS zone pointing at that company's mail server. If your domain has a TXT record with an SPF definition, you also need to update it accordingly. For details see How the Ping Test Works.
In February 2019, CAcert deployed the secure transport protocol TLS 1.2, which is also used for the Ping e-mail. This protocol establishes an encrypted connection for message transfers over SMTP. The encrypted connection can be built successfully as long as the receiver's mail server also supports TLS 1.2 (RFC 5246; all public mail servers do nowadays). TLS 1.2 has less strict requirements on the peers than previous versions of the TLS protocol, so the Ping e-mail passes even though the recipient's server refuses unsecured connections. Moreover, there is no need for a strict check of the "well known" CA roots on either side of the transfer. So only the changes to your domain's DNS records remain.
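The DNS side of the workaround above (an MX record for the temporary relay plus an updated SPF TXT record) as an added example; this is not part of the original wiki page or of CAcert's tooling. Host names are constructed placeholders, and the lookup-limit check follows the ten-DNS-lookup rule of RFC 7208, which makes an SPF record evaluate to permerror when exceeded.

```python
"""Added example (not from the CAcert wiki): prepare the DNS changes needed
when a friendly company's mail server temporarily receives mail for your
domain.  All host and domain names used here are constructed placeholders."""

# SPF terms that each cost one of the ten DNS lookups permitted by RFC 7208
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")
MAX_LOOKUPS = 10


def mx_record(domain, relay_host, preference=10, ttl=300):
    """Zone-file line for an MX record that routes the domain's mail to the relay."""
    return f"{domain}. {ttl} IN MX {preference} {relay_host}."


def _term_name(term):
    """Mechanism/modifier name of an SPF term, without qualifier and arguments."""
    term = term.lstrip("+-~?")
    return term.split(":", 1)[0].split("=", 1)[0].split("/", 1)[0].lower()


def count_lookups(spf):
    """Number of terms in an SPF record that trigger a DNS lookup."""
    return sum(1 for t in spf.split()[1:] if _term_name(t) in LOOKUP_TERMS)


def add_spf_sender(spf, relay_host):
    """Return the SPF record extended so that the relay may send for the domain.

    - a bare 'mx' mechanism already authorises the hosts of the new MX record,
      so the record is returned unchanged in that case;
    - otherwise 'a:<relay_host>' is inserted before the terminating 'all';
    - ValueError if the text is not SPF or the extra lookup would exceed the
      ten-lookup limit (the record would then evaluate to permerror)."""
    terms = spf.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: " + spf)
    if any(t.lstrip("+-~?").lower() == "mx" for t in terms[1:]):
        return spf
    mechanism = f"a:{relay_host}"
    if mechanism in terms:
        return spf
    all_idx = next(
        (i for i, t in enumerate(terms) if t.lstrip("+-~?").lower() == "all"),
        len(terms),
    )
    updated = " ".join(terms[:all_idx] + [mechanism] + terms[all_idx:])
    if count_lookups(updated) > MAX_LOOKUPS:
        raise ValueError(
            f"{count_lookups(updated)} DNS-lookup terms exceed the limit of {MAX_LOOKUPS}"
        )
    return updated


def plan_dns_changes(domain, relay_host, current_spf=None):
    """Both records an administrator has to publish for the temporary relay."""
    plan = {"mx": mx_record(domain, relay_host)}
    if current_spf is not None:
        plan["txt"] = f'{domain}. 300 IN TXT "{add_spf_sender(current_spf, relay_host)}"'
    return plan


if __name__ == "__main__":
    # constructed sample: the domain currently delegates SPF to a public provider
    for line in plan_dns_changes(
        "example.org", "mx.friendly-company.example", "v=spf1 include:_spf.google.com ~all"
    ).values():
        print(line)
```

Remove both records again once the Ping test has passed and the MX record for your usual mail server is restored; an SPF record that keeps authorising a host you no longer control lets that host send mail in your domain's name.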
Do you need your client certificate?
Surely you do. You can perform many actions with it: sign/encrypt your e-mail messages, login to your account, visit CAcert's websites and CAcert secured websites, ...
Then go and visit http://www.cacert.org with Firefox (important!). There are difficulties with other browsers (Chrome, Opera, IE, Safari, Edge, ...): some of them fail to create CSRs or to save private keys, and some don't support creating CSRs at all!
Firefox 60.0.1 (64-bit) was tested successfully on 20180606.
It was found (20180606) that Firefox ver. 60.0.1 reversed course and once again changed the password-protection algorithm for private keys in exported .p12 files. These files can now be imported into Windows without any transformation. In case of difficulties, the solution "I cannot import a .p12 file, exported by Firefox, into Windows" can be used.
Firefox 58.0.2 (64-bit) was tested successfully on 20180310.
It was unfortunately found (20180319) that Firefox ver. 59.0.1 changed the password-protection algorithm for private keys in exported .p12 files. These files now fail to import into Windows, because every time you enter the password a password error occurs. Both Firefox and the XCA program open the .p12 files correctly and import the certificates OK, but they both use their own repositories.
20180328: A Firefox user explains the reason (for experts!):
We issue certificates to customers for document signing. They use the certificates to sign orders. The software they use to place the orders requires the certificate to be in the Microsoft Certificate store. Anyone that downloads their certificate using Firefox must backup the certificate to a .p12 then import into the Microsoft Certificate store using MMC/Certificates (or IE11).
The import into the Microsoft Certificate store fails with an error saying the .p12 password is incorrect. The problem seems to be the Encryption Iteration of 1,000,000. Microsoft doesn't handle that number.
If I convert the .p12 to a .pem using a third party conversion tool, then convert it back to a .p12 with a smaller Iteration, say 2048, it imports into IE just fine.
Is there a configuration option in Firefox to reduce the Encryption Iteration?
Mozilla have not answered this question yet. No such possibility exists on the page about:config.
Other solutions for Windows:
I cannot import a .p12 file, exported by Firefox, into Windows (with .p12 > PEM > .p12 conversion tutorial)
How to create a client certificate in Windows (including PKCS12 backup) with the XCA utility
How to create a client certificate in Windows (including PKCS12 backup) with MMC Certificates module
Get and install both CAcert roots (without logging in; "Root certificate" in the right-side menu). They are named Class 1 PKI Key and Class 3 PKI Key. Select the PEM or DER format. Firefox will install them immediately. For the Class 1 PKI Key, confirm the trust settings when asked.
Then login with your username/password. Go to "Client certificates -> New" in the CAcert website menu. The "New Client Certificate" page will appear.
Don't forget to add your email address (checkbox) and accept the CCA (another checkbox). Then press Next.
Select the key's cipher strength (keysize in # of bits) and press the wide button "Generate keypair within browser".
Firefox should then successfully generate the CSR and submit it to the CAcert CA server, which will create your client certificate. When your client certificate is ready, you will see it as Base64 text together with its details. Above it there are three links to methods of downloading/installing it.
The simplest thing you can do is to use the install link. Or you can save your new client cert as a file and then install it into Firefox (Cert Manager: "Options -> Privacy & Security -> View Certificates -> tab Your Certificates -> Import..." in the ver. 58.0.2).
And then you should be able to see our Wiki with HTTPS, and what is even more important, to sign & encrypt your e-mail messages, or login to your CAcert account with your brand new client certificate.
Finally, an important warning:
Firefox saves all certificates into its own repository. Thus, if you want to install both CAcert roots and your client certificates into another repository (e.g. that of an operating system, as Windows needs), you have to install the root certificates there and "backup" (i.e. export into a .p12 file) your client certificates. You can export them from the Cert Manager of Firefox, see above, using "Export..." at the end. The exported file will contain your private key and your certificate. Thus, Cert Manager will ask you for a password (entered twice), which you will need to unlock the file with when you import the certificate later. You will possibly need to import it both into the operating system and into other browsers, if you prefer some of them to Firefox.
Although the Firefox browser has its own certificate repository, you can set Firefox to read CA root and intermediate certificates from the Windows system repository. You can find that setting on Firefox's configuration page about:config as security.enterprise_roots.enabled; switch it from false to true.