How to create a certificate with another browser (even if you get an error message from Firefox or Chrome)

Attention - 20230515

/!\ Since 20230515: No web browser (including Basilisk since ver. 2023.05.17/64-bit, SeaMonkey since ver. 2.53.15/64-bit, Palemoon since ver. 32.1.0/64-bit) creates usable Certificate Signing Request (CSR). Thus, the solution described in this article can no more be used. Please, use the new CAcert web app /!\

Attention - 20210311

Today, 20210311 after upgrades, I have found that only the Seamonkey web browser is able to submit a correct CSR (certificate signing request) to a certificate issuing web. The OS used was Windows 10 last Insider version from 20210123. So it seems that the Palemoon and Basilisk browsers are unusable for getting certificates, so as the mainstream browsers.

20210316 - In Palemoon, it seems like a common bug; Palemoon & Basilisk also report an unknown error importing P12 files. A bug report & research was initiated.

20210318 - The Basilisk browser is repaired! After update to version 2021.03.17, both .p12 import and <keygen> are functional.

20210330 - Palemoon has been repaired (ver. 29.1.1)! Thus, all three browsers using the Keygen tag (Basilisk, Palemoon, Seamonkey) work since today.


I have not been able to generate client certificates for a week. Both in Firefox, Chrome and Internet Explorer...

Is there any information on this?


The last time I successfully generated a certificate was in July 2019 with the then current Firefox. In the current version, which you probably also have, as well as in Chrome, the certificate generation doesn't work anymore, because the current browsers obviously don't support the <keygen>-HTML element used so far anymore.

I helped myself to install the Palemoon browser (a well maintained fork of the old Firefox) and did the certificate generation with it.

You can also install similar browser Seamonkey, or Basilisk.

In my opinion, this is the easiest way to do this without playing around with OpenSSL and manually generating a key pair and a CSR. If you know how to do this, you can do it as well, you would have to open the advanced options during creation and insert the CSR there.

/!\ NOTE /!\

Palemoon, Basilisk, and Seamonkey are a Firefox clones; thus each has its own certificate store, but it doesn't copy certificates from the Firefox store automatically!

To open their Certificate managers:

The certificate window is very similar to that of Firefox.

First you need to install CAcert's roots into the Palemoon's, Basilisk's, or Seamonkey's certificate store. The shortest option is to go directly to (NOT https!) with Palemoon, Basilisk, or Seamonkey. First select a Class 1 PKI key, PEM format, check trust in all 3 checkboxes, then select a Class 3 PKI key, PEM format, no trust is needed (will be inherited) - and you have given trust to the CAcert certification authority: your further communications with CAcert sites will be performed in the https protocol.

If you want to sign in with your existing certificate, you must also import it from the .p12 or .pfx file in Certificate Manager - if you do not have it, you will have to log in with your username and password. After logging in, you can have the Palemoon or Seamonkey browser generate and apply for a new certificate request.

Basilisk Palemoon Seamonkey

More help

The alternatives with CSR are described in the Wiki, section "Create Certificates"

The background can be deepened in the CAcert bugs

(answers by ST, GT, translation by DL)

HowTo/ClientCertCreate4 (last edited 2023-05-22 17:54:29 by AlesKastner)