## 20240201 AK
----
[[HowTo/Generate-new-CSR/CZ|česky]] | '''english'''
----
= How to generate a new P12 formatted certificate with CAcert's browser application =
The web application is located [[https://community.cacert.org/clientcert|here]]. It can be used in any browser. The result is a file in the P12 (PFX) format, which can be imported into the same or other web browser or Windows OS.
The procedure is completely straightforward and is described directly in the application.
* First, two new RSA keys (private & public) and a Certificate Signing Request (CSR) are generated.
* Then it is necessary to "jump" to the Cacert website to transfer the generated CSR there, add requests (Email addresses, name, and/or other), and wait for the answer - certificate,
* then transfer the new certificate back to the application, where a P12-formatted file will be created.
* That P12 file contains CAcert roots, your new certificate and your new private key that must be encrypted with a password, which you have to create and enter.
* You can then download the finished file to your computer. Then you can import it into a browser or OS (Windows).
|| /!\ '''NOTE:''' The certificate & the corresponding private key, both created by this application, are packed into output P12 type file, and '''that is the only output from the application. /!\ <
> /!\ Neither new private keys nor new certificates are written into the browser, where you run the application.''' /!\ ||
== Detailed procedure ==
=== 1. Generate CSR, private and public key ===
After start, the application start page will be shown.
There is a resizeable CAcert logo, application name and the progress bar in the header.
{{attachment:Client-cert-gen-0.gif|First page of the app}}
Fill in your name - since it will be completed by the Cacert website, it can be basically any. Select the length of the keys - the power of encryption. The preset value is 3072. The value of 2048 is marked as most compatible but least safe. Press the blue "Generate..." button and wait for the keys to be generated; the progress can be viewed on the bar in the page header.
=== 2. Transfer CSR to Cacert form ===
After generating, you can see this on the page:
{{attachment:Client-cert-gen-1.gif|CSR generated}}
The bar is blue and announces that a CSR is prepared to be submitted to the CAcert's signer. You can see the rest of the page by shifting the page down:
{{attachment:Client-cert-gen-2.gif|Private key; CSR to Clipboard}}
The red button will show the new private key, which you probably won't use. The following is a Base64 CSR listing and a blue button to get the CSR to the Clipboard, which will be useful in the next step.
{{attachment:Client-cert-gen-3.gif|Transfer the new certificate to the app}}
=== 3. Issue the certificate ===
In the next text you can see a link to the Cacert Web. Use it, log in, go to the page "Client Certificates - New". Here, select email addresses for the certificate, or name and check "Show advanced options". Put the cursor in the large text box and insert the CSR from the clipboard using the Ctrl-V key combination. With a higher number of AP points, you can also select code signing and/or SSO. Do not forget to check the confirmation of the CCA agreement. Press "Next".
{{attachment:Client-cert-gen-5-en.gif|The page New cert.}}
After the certificate is issued, the page where it is displayed will be shown. Select the whole range e.g. with the mouse, including the initial and final comments and use Ctrl-C to transfer it into the Clipboard.
{{attachment:Client-cert-gen-6-en.gif|Issued certificate}}
Do not use the links at the top of this page. It is useless, because:
1. You have no way how to import the private key, except from a P12 formatted file, which you don't have ready yet.
2. The P12 formatted file is the best backup of your new certificate & private key, thus there is no need to save the only certificate in other formats.
Now return to the application. There, put the cursor in the big text box below under the link to Cacert Web. Use Ctrl-V to insert the certificate from the clipboard to that text box.
=== 4. Create a P12 formatted file containing the new certificate and the new private key ===
The application has both a certificate and a private key (which hasn't been sent anywhere) available now. It asks for a password for the security encryption of the private key. Create a password and enter it. You can see it by holding the mouse on the icon on the right. Then, press the blue "Prepare download" button.
{{attachment:Client-cert-gen-4.gif|Download the P12 file}}
=== 5. P12 file download ===
Finally, the text appears that the P12 file is ready. You can download it now, and then import it into browsers, Windows OS, and/or other software. Press the green button "Download", name the file (preserving the suffix .p12) and save it.
=== 6. Import a P12 file into a browser or operating system ===
==== Principles ====
You can import the P12 file (.p12 or .pfx extension):
1. to the Windows OS using the MMC-Certificates utility,
1. to Windows OS via the Certificate Manager in Edge, Chrome, Opera, Vivaldi, Brave (and other browsers using Windows certificate store),
1. to the browser's own certificate store (Firefox, Basilisk, Seamonkey, Palemoon and others),
1. to a custom store on Linux systems (Firefox, Chromium and other browsers used here).
How to open Certificate Manager for the most commonly used browsers:
. (Unless otherwise noted, you can access Settings using the "3 horizontal bars" icon, called a "hamburger", in the upper right corner of the window.)
* Edge ver. 114.0.1823.51: Settings - Privacy,... - In the right pane of the window, scroll down to the Security heading - the Manage Certificates link will bring up the Windows Personal Certificate Management system window
* Chrome ver. 114.0.5735.134: Settings - Privacy and Security - in the right pane of the window, scroll down to the Security link - scroll down and use the "Manage Device Certificates" link - the Windows Personal Certificate Management system window will appear
* Opera ver. 99.0.4788.47: Icon top left corner of the window - Settings - Privacy & Security - in the right pane, use the Security link - use the "Manage Device Certificates" link, which again displays the Windows Personal Certificate Management system window
* Vivaldi ver. 6.1.3035.75: Icon top left corner of the window - Settings - Privacy & Security - in the right pane, scroll down to SECURITY - click "Manage Certificates" to display the Windows Personal Certificate Management system window
* Brave ver. 1.52.126: Settings - Privacy & Security - in the right pane, scroll down to Security - use the "Manage Device Certificates" link to display the Windows Personal Certificate Management system window again
* Firefox ver. 114.0.1: Settings - Privacy & Security - in the right pane of the window, scroll down to the Certificates heading - click the "View Certificates..." button
* Basilisk ver. 2023.05.17: Preferences - Advanced - in the right pane at the top select Certificates - button "View certificates"
* Seamonkey ver. 2.53.16: Edit menu - Preferences - expand Privacy & Security - in the right pane, click "Manage Certificates" button
* Palemoon ver. 32.2.0: blue PaleMoon rectangle on top left - Preferences, or menu Tools - Preferences - new dialog box, top right Advancsd - View Certificates button
* Chromium ver. 114.0.5735.106: Settings - Privacy & Security - in the right pane of the window, go to the Security link - scroll down to the Manage Certificates link - go to the
==== Certificate Manager Firefox/Basilisk/Palemoon/Seamonkey ====
{{attachment:Client-cert-gen-6.gif|Správce certifikátů Firefox - Authorities}}
The CAcert root certificate can be found in the Authorities tab under "R" (Root CA). Use the highlighted button to check your machine's trust in the CAcert root certificate. In the next dialog, all options for "Root CA" - "CA Cert Signing Authority" must be checked.
{{attachment:Client-cert-gen-7.gif|Správce certifikátů Firefox - Your Certificates}}
Import the created keys and certificate from the P12 file on the "Your Certificates" tab by clicking the "Import..." button. Enter the name of the created P12 file and the password you set when creating the file. The Certificate Manager should report success and after pressing OK the imported certificate will appear in his window.
==== Chrome Certificate Manager ====
{{attachment:Client-cert-gen-8.gif|Certificate Manager in Chrome - Your Certificates, under Authorities}}
In the Chrome Certificate Manager on Linux, the "Your Certificates" tab just says "org-" and the name of the certificate. When expanded, you can then see the names of your certificates and view their contents, where you can only see which authority issued them. To add a new certificate from the P12 file, click the "Import" button. Again, you need to enter the private key password.
{{attachment:Client-cert-gen-9.gif|Certificate Manager in Chrome - Authorities}}
If you want to check the trust in a certification authority, you can find it on the Authorities tab. The name starts with org-Root CA, which can be expanded as indicated. The trust can then be edited by selecting "Edit" from the menu on the right (3 dots). Check all options if they are not already selected.
==== Windows certificate management available from browsers ====
{{attachment:Client-cert-gen-10.gif|Certificate Manager in Windows - Your Certificates}}
. Labels:
* Osobní - Personal (Your Certificates)
* Ostatní uživatelé - Other Users
* Zprostředkující... - Intermediate CA's
* Důvěryhodné... - Trusted Root CA's
* Vystaveno pro - Issued for
* Vystavitel - Issuer
* Datum uk... - Date of Expiration
* Popisný název - Descriptive Name
* Importovat - Import
* Odebrat - Remove
* Zobrazit - Display
* Zavřít - Close
* Zamýšlený účel: - Purpose:
If you are running a browser on Windows, using the system storage, then you will see this window as the Certificate Manager window. It is actually part of the MMC-Certificates utility view of the system store. What is missing here is the left - tree - pane where we would see that these are the personal certificates of the current user. Here we can import the created P12 file using the highlighted button. This will launch the Certificate Import Wizard, where you select the P12 file (with the .p12 extension) to import.
/!\ Note that the following file selection defaults to .crt/.cer files; you need to select "Personal Information Exchange" files with .pfx/.p12 extensions. /!\
The wizard will walk you through the entire import process. Once it is complete, you can check the imported certificate by opening it. At the bottom of the certificate window, you should see a key icon and the text "You have a private key that matches this certificate".
On the other hand, it is not necessary to check the trust to the CAcert root certificate (class 1), because it has to be confirmed when importing it into Windows.
{{{#!Wiki note
||<#2080E0> Note: Using P12 files, it is possible to have a scenario where the CAcert root certificates are not yet installed on the device where you want to install the certificate and private key. You can also install these from the P12 file at the same time, but you must follow certain rules: ||
||<#2080E0> 1. When importing with Windows as the target, you must leave the automatic storage selection in the Wizard so that the different parts of the P12 file fit into the correct storage locations. ||
||<#2080E0> 2. When importing targeting a custom browser/Linux repository, you need to check/set the trust to the class 1 root certificate after importing. ||
}}}
----
. CategoryStepByStep
. CategoryTutorials