The simplest method to get client certificates
Suppose you are a newbie and you have created your account at CAcert. You have also passed the CAcert PING test to your primary email address: you have received the confirmation email message containing the verification link and this sentence: "Once your account is verified you will be able to start issuing certificates till your hearts' content!", and you have clicked that link.
A small digression from the topic:
Delivery of the PING test message requires an unsecured transfer from the CAcert server to your mail server. However, more and more e-mail servers now require secured transfers, frequently using the TLS protocol, which requires the receiving mail server to trust CAcert before it accepts the message. Unfortunately, such trust is almost always missing, because the receiving server usually has no CAcert root certificate installed, and that is why the message is not transferred. If that receiving server belongs to you, or you can reach an agreement with its administrator, the root certificates can be installed there or, exceptionally, the TLS encryption requirement may be turned off for a while.
The problem occurs when using a public mail server (gmail.com etc.), where you cannot ask for such an intervention. Then you need to agree with the administrator of a company friendly to you to accept mail for your domain for a short time, allocate an e-mail address in your domain, and receive the messages addressed to you without TLS security or with the CAcert root certificates installed. At the same time, you need to add an MX record to your DNS domain referencing that company's email server. If your domain has a TXT record with an SPF definition, you also need to update it accordingly. For details see How the Ping Test Works.
</gml_replace>
<gr_replace lines="7" cat="clarify" orig="In February 2019, CAcert installed">
In February 2019, CAcert installed the secure transfer protocol TLS 1.2, used also for the Ping email. This protocol allows an encrypted connection to be established for message transfers following the SMTP protocol. An encrypted connection can be built successfully as long as the receiver's mail server also supports the TLS 1.2 protocol (RFC 5246; all public mail servers nowadays). TLS 1.2 places less strict requirements on the peers than the previous versions of the TLS protocol, so the Ping email passes even though the recipient's server refuses unsecured connections. Moreover, there is no need for a strict check of the "well known" CA roots on both sides of the transfer. So only the changes to your domain's DNS records remain.
In February 2019, CAcert installed the secure transfer protocol TLS 1.2 used also for Ping email. This protocol allows to establish an encrypted connection for message transfers following the SMTP protocol. An encrypted connection can be successfully built, as long as the receiver's mail server also supports TLS 1.2 protocol (RFC 5246, all public mail servers nowadays). TLS 1.2 has less strict requiremens to peers as the previous versions of TLS protocol. So the Ping email passes, although the recipient's server refuses unsecured connections. Moreover, there is no need of strict check of the "well known" CA's roots on both sides of the transfer. So, only the changes of your domain's DNS records remain.
Do you need your client certificate?
Surely you do. You can perform many actions with it: sign/encrypt your e-mail messages, login to your account, visit CAcert's websites and CAcert secured websites, ...
Then visit CAcert with Palemoon or Seamonkey - important! There are difficulties with other browsers (Firefox, Chrome, Opera, IE, Safari, Edge, ...): some of them fail to create CSRs or to save private keys, and some don't support creating CSRs at all!
Palemoon ver. 28.8.3 (64-bit) and Seamonkey ver. 2.49.5 (64-bit) were tested successfully as of 202002.
Get and install both CAcert roots (without login, "Root certificate" in the right-side menu). They are named Class 1 PKI Key and Class 3 PKI Key. Select the PEM or DER format; the browser will install it immediately. For the Class 1 PKI Key, please confirm the trust settings.
Then login with your username/password. Go to "Client certificates -> New" in the CAcert website menu. The "New Client Certificate" page will appear.
Don't forget to add your email address (checkbox) and accept the CCA (another checkbox). Then press Next.
Select the key strength (key size in bits) and press the wide button "Generate keypair within browser".
The browser should then be able to generate a CSR successfully and submit it to the CAcert CA server, which will then create your client certificate. When your client certificate is ready, you will see it as Base64 text together with its information. Above it, there are three links offering methods to download or install it.
The simplest thing you can do is to use the install link. Or you can save your new client cert as a file and then install it into the browser via its Certificate Manager:
Palemoon : "blue Palemoon button in the upper left corner of the window -> Preferences -> Preferences -> Advanced -> View Certificates -> Your Certificates tab -> Import ...";
Seamonkey: "Edit menu -> Preferences -> Privacy & Security -> Certificates -> Manage Certificates -> Personal tab -> Import ...".
And then you should be able to see our Wiki with HTTPS, and what is even more important, to sign & encrypt your e-mail messages, or login to your CAcert account with your brand new client certificate.
Finally, an important warning:
Both the Palemoon and Seamonkey browsers save all certificates, each into its own repository. Thus, if you want to install both CAcert roots and your client certificates into another repository (e.g. that of an operating system, as Windows needs), you have to install the root certificates there and "backup" (i.e. export into a .p12 file) your client certificates. You can export them from the Cert Manager of Palemoon or Seamonkey (see above) using "Export..." at the end. The exported file will contain your certificate together with your private key. Thus, the Cert Manager will ask you for a password (entered twice), which you will need to unlock the file when you import the certificate later. You may need to import it both into an operating system and into other browsers, if you prefer some of them to Palemoon or Seamonkey.
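The two steps above that the browser performs behind the "Generate keypair within browser" button and the Cert Manager's "Export..." can be reproduced on the command line with openssl, which is handy for checking a backup before you rely on it. The script below is an added example, not part of the wiki page or of CAcert's own tooling; it assumes a placeholder e-mail address user@example.org, a scratch directory WORKDIR, and, because no CA is reachable offline, a self-signed stand-in for the certificate CAcert would issue (in real use, you would put the Base64 certificate text shown on the "New Client Certificate" page into client.crt instead).

```shell
#!/bin/sh
# Added example: key + CSR generation, then a password-protected .p12 backup
# and checks on that backup. Not CAcert's code; all names are placeholders.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
EMAIL="user@example.org"        # placeholder, not a real CAcert account
KEY="$WORKDIR/client.key"
CSR="$WORKDIR/client.csr"
CERT="$WORKDIR/client.crt"
P12="$WORKDIR/client.p12"

# 1. Generate the private key locally and build the CSR from it. Only the
#    CSR (public key + requested subject) is sent to the CA; the private key
#    stays in $KEY, just as the browser keeps it in its own store.
make_csr() {
    # 2048 bits keeps the example quick; CAcert lets you pick the key size.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$KEY" 2>/dev/null
    openssl req -new -key "$KEY" -subj "/CN=$EMAIL" \
        -addext "subjectAltName=email:$EMAIL" -out "$CSR" 2>/dev/null
    # The CSR carries a self-signature; the CA verifies it, so verify it here too.
    openssl req -in "$CSR" -noout -verify >/dev/null 2>&1
}

# 2. Stand-in for the certificate the CA would return. Self-signed here only
#    so the backup step has something to bundle; it is a placeholder.
make_stand_in_cert() {
    openssl x509 -req -in "$CSR" -signkey "$KEY" -days 30 -out "$CERT" 2>/dev/null
}

# 3. Bundle certificate + private key into a password-protected .p12 file,
#    which is what the browsers' Cert Manager "Export..." produces.
export_p12() {
    openssl pkcs12 -export -inkey "$KEY" -in "$CERT" -out "$P12" -passout "pass:$1"
}

# 4a. Does the given password open the backup? (exit status 0 = yes)
p12_opens_with() {
    openssl pkcs12 -in "$P12" -nokeys -passin "pass:$1" -out /dev/null 2>/dev/null
}

# 4b. Does the certificate's public key match the private key we generated?
key_matches_cert() {
    k=$(openssl pkey -in "$KEY" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$CERT" -pubkey -noout)
    [ "$k" = "$c" ]
}

# Stand-alone run: build everything and report the checks.
if [ "${1:-}" = "run" ]; then
    make_csr && make_stand_in_cert && export_p12 "backup-password"
    key_matches_cert && echo "key matches certificate"
    p12_opens_with "backup-password" && echo "p12 opens with the right password"
    p12_opens_with "wrong" || echo "p12 refuses a wrong password"
fi
```

Run it as `sh backup-check.sh run`. The same `openssl pkcs12 -in client.p12 -nokeys` check is worth repeating against a .p12 that Palemoon or Seamonkey actually exported: if the password you wrote down does not open the file, the backup is useless, and it is better to find that out while the certificate is still in the browser.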
Although the Palemoon and Seamonkey browsers each have their own certificate repository, you can set them to read CA root and intermediate certificates from the Windows system certificate repository. You can find that setting on their configuration page about:config as security.enterprise_roots.enabled; change it from false to true.
Articles about getting a client cert
All the wiki contents are available via both HTTP and HTTPS!
Frequently Asked Questions (Issues, Tutorials, Error solving - do not miss!)
Procedures for client certificates:
CSR (Certificate Signing Request)