The simplest method to get client certificates

Suppose you are a newbie, and you have created your account at CAcert. You have also passed the CAcert's PING test to your primary email address. You have answered the confirmation email message containing the verification link and this sentence: "Once your account is verified you will be able to start issuing certificates till your hearts' content!". And you have clicked that link.

A little digression from the topic:
Delivery of PING test message requires its unsecured transfer from the CAcert server to your mail server. However, more and more e-mail servers now require secured transfers, frequently by using TLS protocol, which needs mail server to have confidence in CAcert to accept the message. Unfortunately, such a trust is almost always missing, as the receiving server usually have no CAcert root certificate installed, and that's why the message is not transferred. If that receiving server belongs to you or you can do an agreement with its administrator, these root certificates can be installed or, exceptionally, the TLS encryption request may be turned off for a while.
The problem occurs when using a public mail server ( etc.), for which you cannot want such an intervention. Then you need to agree with the administrator of a company, friendly to you, to take mail for your domain for a short time, allocate an e-mail address to your domain and receive messages addressed to you without TLS security or CAcert certificate installation. At the same time, you need to add an MX record to your DNS domain referencing that company's email server. If your domain has a TXT record with SPF definition, you also need to update it properly. For details see How the Ping Test Works.

In February 2019, CAcert installed the secure transfer protocol TLS 1.2 used also for Ping email. This protocol allows to establish an encrypted connection for message transfers following the SMTP protocol. An encrypted connection can be successfully built, as long as the receiver's mail server also supports TLS 1.2 protocol (RFC 5246, all public mail servers nowadays). TLS 1.2 has less strict requiremens to peers as the previous versions of TLS protocol. So the Ping email passes, although the recipient's server refuses unsecured connections. Moreover, there is no need of strict check of the "well known" CA's roots on both sides of the transfer. So, only the changes of your domain's DNS records remain.

Do you need your client certificate?
Surely you do.
You can perform many actions with it: sign/encrypt your e-mail messages, login to your account, visit CAcert's websites and CAcert secured websites, ...

Go then and visit CAcert with Basilisk, Palemoon, or Seamonkey - important! There are difficulties with other browsers (Firefox, Chrome, Opera, IE, Safari, Edge, ...). Some of them fail to create CSRs or save private keys, some don't support creating CSRs at all!

Get and install both CAcert's roots (w/o login, "Root certificate" in the right-side menu). They are named as: Class 1 PKI Key, Class 3 PKI Key. Select PEM or DER format. The browser will install it immediately. At Class 1 PKI Key, please confirm the trustfulness.

In order to download and install CAcert root certificates for the first time, you must use the link (NOT https!) There is a similar problem to the one outlined in the "Little digression" above. In addition, many web browsers now have an "HTTPS-only" mode in which they will not allow any contact with any site other than via the "https" protocol, so you cannot contact sites in this mode other than those whose certificate authority (CA) root certificates are already pre-installed in the browser (and CAcert is not one of those CAs yet).
By installing CAcert root certificates, you are also expressing your trust in this CA of your choice. When trusting the CAcert website, feel free to use the http: protocol, as the cryptographic fingerprints of the root certificates are published on the CAcert website for inspection, which is a much better security method than using https. You can check the cryptographic fingerprints by viewing the root certificate details - in Windows (root_X0F):
SHA1 fingerprint - Windows
and in XCA (class3_X14E228):
Fingerprints - XCA
with fingerprints published on the CAcert website.
For more details about installing root certificates, see this Wiki article.

Then login with your username/password. Go to "Client certificates -> New" in the CAcert website menu. The "New Client Certificate" page will appear.

Set properties of the new certificate

Don't forget to add your email address (checkbox) and accept the CCA (another checkbox). Then press Next.

Select keysize and GO!

Select the key's cipher strength (keysize in # of bits) and press the wide button "Generate keypair within browser".

The browser should then be able to successfully generate CSR and submit it to CAcert CA server, which will then create your client certificate. When your client certificate is ready, you will see it as Base64 text and information. Above, there are three links pointing methods, how to download/install it.

Your Client Certificate is issued

The simplest thing you can do is to use the install link. Or you can save your new client cert as a file and then install it into the browser via its Certificate Manager:

And then you should be able to see our Wiki with HTTPS, and what is even more important, to sign & encrypt your e-mail messages, or login to your CAcert account with your brand new client certificate.

Finally, an important warning:
Both Palemoon and Seamonkey browsers save all certificates - each into its own repository.
Thus, if you want to install both CAcert roots and your client certificates into another repository (e.g. that of an operating system, as Windows, needs), you have to install root certificates there and "backup" (e.g. export into a .p12 file) your client certificates. You can export them from the Cert Manager of Palemoon or Seamonkey, see above and use "Export..." in the end. The file exported will contain your certificate and your private key. Thus, Cert Manager will ask you for a password (enter twice), which you will have to unlock the file with, if you will import the certificate later. You will possibly need to import it both into an operating system and into other browsers, if you prefer some instead of Palemoon or Seamonkey.

The Palemoon and Seamonkey browsers have though each its own certificate repository, but you can set them to read CA root and intermediate certificates from the Windows system certificate repository. You can find that setting on their configuration page about:config as security.enterprise_roots.enabled and swap it from false to true.

Articles about getting a client cert

All the wiki contents are available via both HTTP and HTTPS !

Procedures for client certificates:


TutorialsHowto/CCforNewbies2 (last edited 2022-02-27 22:09:39 by AlesKastner)