How to generate a new P12 formatted certificate with CAcert's browser application

The web application is located here. It can be used in any browser. The result is a file in the P12 (PFX) format, which can be imported into the same or other web browser or Windows OS.

The procedure is completely straightforward and is described directly in the application.

/!\ NOTE: The certificate & the corresponding private key, both created by this application, are packed into output P12 type file, and that is the only output from the application. /!\
/!\ Neither new private keys nor new certificates are written into the browser, where you run the application.

Detailed procedure

1. Generate CSR, private and public key

After start, the application start page will be shown. There is a resizeable CAcert logo, application name and the progress bar in the header.

First page of the app

Fill in your name - since it will be completed by the Cacert website, it can be basically any. Select the length of the keys - the power of encryption. The preset value is 3072. The value of 2048 is marked as most compatible but least safe. Press the blue "Generate..." button and wait for the keys to be generated; the progress can be viewed on the bar in the page header.

2. Transfer CSR to Cacert form

After generating, you can see this on the page:

CSR generated

The bar is blue and announces that a CSR is prepared to be submitted to the CAcert's signer. You can see the rest of the page by shifting the page down:

Private key; CSR to Clipboard

The red button will show the new private key, which you probably won't use. The following is a Base64 CSR listing and a blue button to get the CSR to the Clipboard, which will be useful in the next step.

Transfer the new certificate to the app

3. Issue the certificate

In the next text you can see a link to the Cacert Web. Use it, log in, go to the page "Client Certificates - New". Here, select email addresses for the certificate, and/or inserting your name to the certificate. Put the cursor in the large text box and insert the CSR from the clipboard using the Ctrl-V key combination. With the number of AP points > 49, you can also select code signing and/or SSO. Do not forget to check the confirmation of the CCA agreement. Press "Next".

The page New cert.

After the certificate is issued, the page where it is displayed will be shown. Select the whole range e.g. with the mouse, including the initial and final comments and use Ctrl-C to transfer it into the Clipboard.

Issued certificate

Do not use the links at the top of this page. It is useless, because:

  1. You have no way how to import the private key, except from a P12 formatted file, which you don't have ready yet.
  2. The P12 formatted file is the best backup of your new certificate & private key, thus there is no need to save the only certificate in other formats.

Now return to the application. There, put the cursor in the big text box below under the link to Cacert Web. Use Ctrl-V to insert the certificate from the clipboard to that text box.

4. Create a P12 formatted file containing the new certificate and the new private key

The application has both a certificate and a private key (which hasn't been sent anywhere) available now. It asks for a password for the security encryption of the private key. Create a password and enter it. You can see it by holding the mouse on the icon on the right. Then, press the blue "Prepare download" button.

Download the P12 file

5. P12 file download

Finally, the text appears that the P12 file is ready. You can download it now, and then import it into browsers, Windows OS, and/or other software. Press the green button "Download", name the file (preserving the suffix .p12) and save it.

6. Import a P12 file into a browser or operating system


You can import the P12 file (.p12 or .pfx extension):

  1. to the Windows OS using the MMC-Certificates utility,
  2. to Windows OS via the Certificate Manager in Edge, Chrome, Opera, Vivaldi, Brave (and other browsers using Windows certificate store),
  3. to the browser's own certificate store (Firefox, Basilisk, Seamonkey, Palemoon and others),
  4. to a custom store on Linux systems (Firefox, Chromium and other browsers used here).

How to open Certificate Manager for the most commonly used browsers:

Certificate Manager Firefox/Basilisk/Palemoon/Seamonkey

Správce certifikátů Firefox - Authorities

The CAcert root certificate can be found in the Authorities tab under "R" (Root CA). Use the highlighted button to check your machine's trust in the CAcert root certificate. In the next dialog, all options for "Root CA" - "CA Cert Signing Authority" must be checked.

Správce certifikátů Firefox - Your Certificates

Import the created keys and certificate from the P12 file on the "Your Certificates" tab by clicking the "Import..." button. Enter the name of the created P12 file and the password you set when creating the file. The Certificate Manager should report success and after pressing OK the imported certificate will appear in his window.

Chrome Certificate Manager

Certificate Manager in Chrome - Your Certificates, under Authorities

In the Chrome Certificate Manager on Linux, the "Your Certificates" tab just says "org-" and the name of the certificate. When expanded, you can then see the names of your certificates and view their contents, where you can only see which authority issued them. To add a new certificate from the P12 file, click the "Import" button. Again, you need to enter the private key password.

Certificate Manager in Chrome - Authorities

If you want to check the trust in a certification authority, you can find it on the Authorities tab. The name starts with org-Root CA, which can be expanded as indicated. The trust can then be edited by selecting "Edit" from the menu on the right (3 dots). Check all options if they are not already selected.

Windows certificate management available from browsers

Certificate Manager in Windows - Your Certificates

If you are running a browser on Windows, using the system storage, then you will see this window as the Certificate Manager window. It is actually part of the MMC-Certificates utility view of the system store. What is missing here is the left - tree - pane where we would see that these are the personal certificates of the current user. Here we can import the created P12 file using the highlighted button. This will launch the Certificate Import Wizard, where you select the P12 file (with the .p12 extension) to import.

The wizard will walk you through the entire import process. Once it is complete, you can check the imported certificate by opening it. At the bottom of the certificate window, you should see a key icon and the text "You have a private key that matches this certificate".

On the other hand, it is not necessary to check the trust to the CAcert root certificate (class 1), because it has to be confirmed when importing it into Windows.

Note: Using P12 files, it is possible to have a scenario where the CAcert root certificates are not yet installed on the device where you want to install the certificate and private key. You can also install these from the P12 file at the same time, but you must follow certain rules:

1. When importing with Windows as the target, you must leave the automatic storage selection in the Wizard so that the different parts of the P12 file fit into the correct storage locations.

2. When importing targeting a custom browser/Linux repository, you need to check/set the trust to the class 1 root certificate after importing.

TutorialsHowto/Generate-new-CSR (last edited 2024-05-23 08:51:46 by AlesKastner)