How to create a certificate with another browser (even if you get an error message from Firefox or Chrome)
Attention - 20230515
Since 20230515: No web browser (including Basilisk since ver. 2023.05.17/64-bit, SeaMonkey since ver. 2.53.15/64-bit, Palemoon since ver. 32.1.0/64-bit) creates usable Certificate Signing Request (CSR). Thus, the solution described in this article can no more be used. Please, use the new CAcert web app
Attention - 20210311
Today, 20210311 after upgrades, I have found that only the Seamonkey web browser is able to submit a correct CSR (certificate signing request) to a certificate issuing web. The OS used was Windows 10 last Insider version from 20210123. So it seems that the Palemoon and Basilisk browsers are unusable for getting certificates, so as the mainstream browsers.
20210316 - In Palemoon, it seems like a common bug; Palemoon & Basilisk also report an unknown error importing P12 files. A bug report & research was initiated.
20210318 - The Basilisk browser is repaired! After update to version 2021.03.17, both .p12 import and <keygen> are functional.
20210330 - Palemoon has been repaired (ver. 29.1.1)! Thus, all three browsers using the Keygen tag (Basilisk, Palemoon, Seamonkey) work since today.
I have not been able to generate client certificates for a week. Both in Firefox, Chrome and Internet Explorer...
- "We didn't get a valid certificate request. Please try another browser".
Is there any information on this?
The last time I successfully generated a certificate was in July 2019 with the then current Firefox. In the current version, which you probably also have, as well as in Chrome, the certificate generation doesn't work anymore, because the current browsers obviously don't support the <keygen>-HTML element used so far anymore.
I helped myself to install the Palemoon browser (a well maintained fork of the old Firefox) and did the certificate generation with it.
In my opinion, this is the easiest way to do this without playing around with OpenSSL and manually generating a key pair and a CSR. If you know how to do this, you can do it as well, you would have to open the advanced options during creation and insert the CSR there.
Palemoon, Basilisk, and Seamonkey are a Firefox clones; thus each has its own certificate store, but it doesn't copy certificates from the Firefox store automatically!
To open their Certificate managers:
- Palemoon: browser window - blue box at the top left - Preferences - Preferences - Advanced - View Certificates tab in the Preferences dialog box.
- Basilisk: Open menu with the upper right "hamburger" button - Preferences - Advanced - View Certificates tab in the Preferences dialog box.
- Seamonkey: browser window - from the Edit menu - Preferences - new dialog opens - Privacy and Security - Certificates - open Manage Certificates window.
The certificate window is very similar to that of Firefox.
First you need to install CAcert's roots into the Palemoon's, Basilisk's, or Seamonkey's certificate store. The shortest option is to go directly to http://www.cacert.org/index.php?id=3 (NOT https!) with Palemoon, Basilisk, or Seamonkey. First select a Class 1 PKI key, PEM format, check trust in all 3 checkboxes, then select a Class 3 PKI key, PEM format, no trust is needed (will be inherited) - and you have given trust to the CAcert certification authority: your further communications with CAcert sites will be performed in the https protocol.
If you want to sign in with your existing certificate, you must also import it from the .p12 or .pfx file in Certificate Manager - if you do not have it, you will have to log in with your username and password. After logging in, you can have the Palemoon or Seamonkey browser generate and apply for a new certificate request.
The background can be deepened in the CAcert bugs http://bugs.cacert.org/view.php?id=1417
(answers by ST, GT, translation by DL)