česky | english
How to create CAcert server certificate
A server certificate can be created by any user, who has registered at least one domain. Moreover, if he has at least 50 assurance points, then the validity period of his server certificate will be 24 months.
Using system facilities and system repository of Windows 10, you can create a server certificate using the Certificates module of MMC. Then you can submit it to sign with the CA of CAcert. A certificate for a web server will be created. You can export it, with the private key, into a PFX (P12) file, which can be then imported to a web server.
- Prepare the certificate module of MMC manage program to make the future certificate processing easier.
- Import two root certificates of CAcert.
- Create a Certificate Signing Request (CSR) following the "Web server" template.
- Submit the CSR to the CAcert CA, obtain the server certificate and store it into a CER or CRT file.
- Import the certificate to the "Personal" certificates of the local computer or a web server. Then it will link with the private key. You can use it in your web server IIS 8 or Apache.
- If you keep your web server on another host, you will need to export the certificate with the corresponding private key into a P12-type file with PFX extension. You can import it to a target web server into the operating system via the MMC certificate module or directly via the IIS-8.
If you haven't worked with the MMC certificate module yet, it will be suitable first to create it and save it for future easy start. It is better to manage both your personal certificates and computer certificates – although you will work here with the latter only.
Start the MMC managing console. From the "File" menu select "Add/remove snap-in...". Select the snap-in module "Certificates".
Select "My user account" in the next dialog. Although you will not use this part in these steps, it is suitable to include them for the possible client certificate management in the future.
From now on, you will deal with the computer certificates only.
Select "Certificates" again and "Add". Specify "Computer account" in the 2nd dialog this time.
Next, select the local computer and complete settings.
You can see the modules list here. Hit OK.
Save the prepared module (File, Save as...) under a suitable name. You may (possibly – if Microsoft will allow this again) run the module next time directly from the Administrative Tools.
CAcert root certificates installing is the straightforward process. Display "Certificates" under the node "Trusted root certification authorities". Open its menu by right clicking to the "Certificates" node in the left pane tree, then select "All tasks..." - "Import...".
Select the downloaded file named "root.cer" (format PEM, from http://www.cacert.org/index.php?id=3) and import it.
Similarly, import the root certificate class 3 into the "Certificates" under the node "Intermediate certificate authorities" from the file "class3.cer" downloaded in the PEM format from http://www.cacert.org/index.php?id=3.
The two pictures above show the states after the import.
Creating a Certificate Signing Request (CSR)
Select the "Certificates" node under the "Personal" node. Note that these certificates are "personal" for the local computer, not for you [you are dealing still in the "Certificates (local computer)" tree!].
Open the menu with the right click and follow the picture. You have to select "Create Custom Request..." to be able to select the web server template. A wizard will start. Skip the first informative page (Next).
You can set policies on the wizard's next page. Skip that page, too.
Select the "Web server" template on the next wizard's page. Hit "Next".
On the next page, open "Web server" and press the "Properties" button.
If the amount of your Assurance Points is 50 or more, you can get server certificates valid for 24 months. The CAcert CA's signing server will sign your CSR. It will also delete all information except the following you have to supply:
- the public key, which is generated by your computer together with the private key,
- the Common Name of the web server (host's FQDN - the DNS name it is known in Internet with; here CN=,
- alternative DNS name(s) (SAN), if desired; it should be at least one more DNS name equal to the name of your (server's) domain (see pictures) nowadays; CAcert checks the validity of the domain(s) in your account at CAcert web,
- the algorithm for key creating (select RSA),
- the length of keys (minimum 1024 bits, select recommended 4096 bits).
By pressing the "Properties" button you will display a dialog, where you can set the last four parameters (see above).
"Subject" tab: set the Common Name, and if desired, alternative DNS name(s); the first one must repeat the Common Name. You add them one by one into the list on the right side of the dialog.
Now you are finished with this tab. The Common Name of this example server is www.alkas.org and its alternative name equals to the domain alkas.org. This indeed means that the address <xy>.alkas.org defaults to the web server of the domain concerned, if the DNS record does not exist for that address. It is https://www.alkas.org or https://alkas.org in this particular case.
Continue with the General tab.
"General" tab: You need to fill the "Descriptive name" with the FQDN name of the web server once more.
The "Extensions" tab is pre-filled from the web server template, so you can skip it.
"Private key" tab: open the "Cryptographic service provider" and select RSA (recommended by CAcert).
Now open the tab "Key options", set the key length (at least 1024 bits; CAcert recommends 4096 bits), and set also export and archiving options for the private key.
Finally, press OK.
Continue with creating the CSR - continue the wizard.
Enter a path with filename, where the CSR will be saved. Select the file format. Base64 coding means the conversion of binary data to characters, therefore it is recommended, as you will need to copy it from the CSR file and paste it to the page of CAcert's web server. CSR will be saved into the file entered after pressing the "Finish" button.
CSR submitting and getting the certificate
Open the file with your CSR in Notepad. Select all the contents and copy it to the clipboard (Ctrl-C).
Login to your CAcert account and select "New" from the menu "Server certificates":
Paste the CSR contents (Ctrl-V) into the largest text box on the page. Enter the "CAcert" name into the box above; it will identify your new certificate in the list in your account only.
Don't miss to claim, that you agree with the CAcert Community Agreement, by checking the box below. Press the "Submit" button.
CAcert confirms names included in your certificate on the next web page (the orange frame). Press the "Submit" button.
The server certificate for your server have been created. It is Base64 coded; select and copy its data (Ctrl-C).
Create a new text file with Notepad, and insert the data (Ctrl-V). Save the file, then rename its suffix from TXT to CER or CRT.
Importing the certificate into the operating system
Return to the "Certificate" module of MMC. Import your new certificate from the file CER / CRT, adding it to "Certificates" under the node "Personal" (however the "personal" of the local computer).
Right click "Certificates" under the node "Personal", and select "All tasks - Import..."
The import wizard appears. Skip the initial page, select the file containing the new certificate, and import it into the operating system after pressing the "Next" button.
The system should report the successful import. After you confirm the message with OK, you will see the certificate imported. Note the icon of the new certificate - a golden key appears on its top left. This means that you have the private key belonging to this certificate (the certificate itself contains the corresponding public key).
Export or backup the server certificate
You may export a certificate with corresponding private key to a P12-formatted file with the PFX suffix. This way you can make backups, but you can also transfer a certificate with corresponding private key to your web server (hardware or virtual, with e.g. IIS, Apache), to serve for secure HTTPS.
Display the menu through right clicking on the certificate item. Select „All tasks“ - „Export“.
An export wizard appears. You will need to make an important decision on the second page. Selecting the private key export, you also select the output format P12 and the whole process of the export at the same time. Press the "Next" button.
The PKCS 12 (P12) formatted file with the PFX suffix is already pre-selected. You can add more useful options, as suggested (see the picture). „Include all certificates in the certification path...“ enables to import also root certificate(s) of the CA from the resulting file (CAcert in this case).
„Export all extended properties“ is set rather for to be sure. You surely don't wish to „Delete the private key if the export is successful“, as you need to keep the posibility for the certificate to work, if the computer, you have created the certificate (with the CSR) on, is NOT the web server itself.
Select and enter your password twice. (Groups and usernames belong to the concept of the Microsoft Active Directory [AD]). Continue with the "Next" button.
Enter the path and filename of P12-formatted file with the PFX suffix, where the certificate and the private key will be saved. After pressing "Next" button a summary will be displayed. Then (after hitting "Complete") the confirming dialog appears. Press OK.
You can import the certificate and the private key on a different computer (e.g. web server) by transferring the PFX file and importing from it.