Client Certificate FAQ
Client Certificates can be used both for secure login (authentication) and encryption (privacy). Most email and instant messages are unencrypted and thus are sort of like postcards. This means that people with access to the network can read them. That often includes those with access to wireless networks you use, personnel at your ISP, those who run the services you use, governmental authorities and others.
Your CAcert client certificates can make your use of the Internet more secure by allowing you to create emails and instant messages that are encrypted end-to-end, and by letting you log into web pages in ways that can be more secure than using a password. You can also sign messages and electronic documents.
Contents
Applications
You can use your Client Certificate in many applications for a lot of purposes. Here are some examples.
Email Clients
Personal EmailCertificates - How to configure and to how to use them.
Webbrowser
You can use a client certificate in your web browser to get authenticated on websites. The CATS AssurerChallenge is one such, and this site requires you to have a CAcert client certificate.
Using client certificates for login is considered more secure than using passwords. The CAcert website is also enabled to accept client certificates instead of passwords. If your certificate is installed, click on Certificate Login instead of "Normal Login" at https://www.cacert.org/.
However before this will work you need to create a client certificate and import it into your web browser.
Log in to the CAcert website and choose "Client Certificate -> New".
- Select your default email address and click "Next".
- 2048 bit won't hurt, just click "Create Certificate Request".
- Wait some time and click on the link to import the certificate.
Instant Messaging (IMs)
Most of the common Instant Messaging Clients for Jabber, MSN, AIM, ICQ, etc. don't encrypt your messages by default. But you can sometimes encrypt your instant messages.
Examples
- S/MIME (CAcert Certificate) - planned for Jabber; supposed to work with AIM
- GPG/PGP - psi Jabber Client; kopete
- OTR - Gaim; adium; Jabber Proxies
Note: there were reports that AOL asserted the right to use your AIM messages for any purpose, but they say that was a misinterpretation: http://www.snopes.com/computer/internet/aim.asp
OpenSSH
Using your CAcert client certificate to login via SSH (on Linux):
- generate a client certificate
- export it as PKCS12 file ( e.g. to /home/user/MyCert.P12 )
- convert it to PEM ( run openssl pkcs12 -in /home/user/MyCert.P12 -out /home/user/.ssh/id_rsa )
- secure the PEM-file ( chmod 600 /home/user/.ssh/id_rsa )
- create a ssh-usable public key ( run ssh-keygen -y )
- insert the output ( ssh-rsa .... ) to .ssh/authorized_keys2 on every server you wish to use this key
Encryption Applications
Note: CAcert does not provide support for the following products; we only issue the certs!
Open-source multi-platform package: Cryptonit
Signing Documents
OpenOffice up from version 2.0 is able to sign documents. Please read the wiki for OpenOffice.
FAQ and Misc - Client Cert Troubleshooting
My IE is showing error code number "-2146885628" (or similar)
Nearly all error messages related to certificate installs are the result of people not having a matching private key, or for the cert logins, not being able to match a key/certificate valid for the CAs acceptable.
Basically people have reinstalled things on their computer, or are using a different browser and don't realize that we don't keep copies of private keys they can then later download along with the certificate from our website.
"Where is my private key? How do I use it on another computer?"
Your private key is generated by your browser, *IN* your browser when you request a new cert from CAcert. That way CAcert never has your private key in its possession. The implication for you is that you must be on the same machine using the same browser that you used to request the cert initially, when needing to access your private key. So don't forget if it was your "work" machine vs. your "home" machine.
Your keys are contained in something called the key "store". You may export public/private keypairs from your store to a file, and optionally (but highly recommended!) secure them with a passphrase. This is typically done by going into the "Manage Certificates" section of your browser (i.e., Firefox), and then performing a "Backup" of your key. This will create a file with with a .P12 or .PFX suffix.
You may then go into another application which uses client certificates (e.g., Thunderbird, IM, etc.,), and use "Manage Certificates" to "Import" the .P12 file previously created. After providing the correct passphrase, your public/private keypairs will now be available in the new application.
![/!\](/moin/rightsidebar/img/alert.png "/!\"){kind=small}
it is very interesting to generate a keypair and your CAcert cert on a smartcard. That's wise and a good way to protect your keys. But don't forget, you'll never be able to export the private key 
see CryptoHardware
Were is the PKCS12 file? - I only have the PEM file that says its for smartcard only
openssl pkcs12 -export -in cert.pem -inkey private.key -certfile /etc/ssl/certs/root.pem -name "Bob's CAcert" -out cert.p12
"Windows does not have enough information to verify this certificate"
[Q] I am using win2000 and outlook from office 2000. I installed my certificate using IE and went to outlook - options - security - settings to choose the cert that I installed. The trouble I'm having is that when I try to send a signed and encrypted E-mail, I get an error that the cert is not valid. When viewing the cert in outlook, it states that "windows does not have enough information to verify this certificate"
[A] It sounds like you might be missing the CAcert Root certificate and/or you have it, but have not "trusted" it yet. You can pick up a copy at: https://www.cacert.org/index.php?id=3
Once it is installed, check to see if it is trusted. That will hopefully solve the error you're getting with your personal cert.
[A] Each email address that you are sending too in outlook needs to have a public certificate assoicated with it. To get that certificate for the person you are trying to send an encrypted message to have them send a signed email to you.
When you recieve that email right click on the senders address (not the email itself). Select add to contacts. This will install the public certificate for you to use when sending emails. You can see that certificate by selecting the certificates tab on the top of your contact information.
If this person is already in your contact list then do the following:
Right click the senders address (not the email itself). Select add to contacts. Select the certificates tab. highlight the certificate and select export. Change the name to something you will recognize and select a location you will remember, enter a password and save. Close the new contact and do not save the changes (this removes the duplicate contact). Right click the senders address (by now you should recoginize the pattern) select lookup contact. select the certificates tab and import the certificate using the path, name and password you just entered. You should be able to send encrypted messages to that address now.
My cert is in the browser but not my email client - what now?
[Q] I tried to install my e-mail cert into Mozilla Thunderbird (the latest as of today) and somehow could not sign a message. Thunderbird tells me that I first have to set up my certificates (hey - I did that! and I verified that the cert is there, including the CA root) and if I want to learn how to do that - sure I say yes - the dialog goes away and nothing happens.
[A] You need to export the certificate and private key from your browser; just importing the certificate is only half the information needed to encrypt/sign emails. CAcert never gets (or even wants) a copy of your private key. (See topic 3.1 for more details)
How to enable Client Cert authentication in your Web-Applications
There is also a PHP example on the CAcert.org website including details on Apache configuration.
If you need a CA-Bundle for your webserver, you can get one, which has CAcert included here: http://www2.futureware.at/svn/sourcerer/CAcert/ca-bundle.zip
Unanswered question: How do I simply add CAcert to my existing ca-bundle? Answer: Get the CAcert root certificates (both Class1 and Class3), open them in a Text-Editor, and copy&paste them into the ca-bundle, for example at the end of the file.
For the following example, you have to set SSLVerify to "optional" or "required" in your Apache configuration. "required" forces the browser to show a certificate, and does not give access to the Vhost (or directory), unless the client presents a valid certificate. "optional" accepts certificates optionally, so the client can also access the vhost without a certificate. When you set SSLOptions to +CompatEnvVars +StdEnvVars then mod_ssl will put all interesting details into the environment variables, which are easily accessible from any programming language:
$ca="";
if($ENV{'SSL_CLIENT_VERIFY'} and $ENV{'SSL_CLIENT_VERIFY'} eq "SUCCESS")
{
if($ENV{SSL_CLIENT_I_DN_OU} eq "http://www.cacert.org")
{
$ca="CAcert";
}
if($ca and $ENV{SSL_CLIENT_S_DN_Email})
{
$auth="email+clientzert";
$authuser=$ENV{SSL_CLIENT_S_DN_CN};
$authemail=$ENV{SSL_CLIENT_S_DN_Email};
print "Welcome $ENV{SSL_CLIENT_S_DN_CN} (<a href=\"mailto:$ENV{SSL_CLIENT_S_DN_Email}\">)!<br/>";
}
How can I use Client Certificates like SSH?
For your Apache configuration:
SSLOptions +ExportCertData +CompatEnvVars +StdEnvVars SSLVerify optional_no_ca
The application:
$ca="";
if($ENV{'SSL_CLIENT_VERIFY'} and $ENV{'SSL_CLIENT_VERIFY'} eq "SUCCESS")
{
echo $ENV{SSL_CLIENT_KEY};
}