#language en
## Information for translators:
## Copy this code and translate the text.
## This way, you have all the links to the pictures.
## 20240531 AK

== CAcert Client Certificate – Step by Step Guide ==
This document explains how to request a client certificate and package it as a PKCS#12 file.

[[attachment:CAcert Client Certificate.pdf|Download as PDF document]]

''In this document I used the CAcert production system.''

=== Prerequisites ===
The “CAcert Public Root Certificate” is imported and trusted in the web browser.

The certificate manager XCA is installed: http://sourceforge.net/projects/xca/

You have an activated account at https://secure.cacert.org

== Preparation ==
|| {{https://wiki.cacert.org/CAcert_Client_Certificate-Step-by-Step?action=AttachFile&do=get&target=Capture1.PNG|Start XCA|width=600,align="right"}} Start XCA. ||
|| In the “File” menu, use “New !DataBase” to create a certificate database and save it to a file. Don’t lose your password to the new database! Alternatively, open an existing database from your filesystem. ||
|| {{https://wiki.cacert.org/CAcert_Client_Certificate-Step-by-Step?action=AttachFile&do=get&target=Capture16.PNG|Go into tab “Certificates”|width=600,align="right"}} Go to the “Certificates” tab. ||
|| {{https://wiki.cacert.org/CAcert_Client_Certificate-Step-by-Step?action=AttachFile&do=get&target=Capture17.PNG|Use “Import” to allow XCA to recognize certificates of CAcert|width=600,align="right"}} Use “Import” so that XCA recognizes the CAcert certificates.
||
|| {{https://wiki.cacert.org/CAcert_Client_Certificate-Step-by-Step?action=AttachFile&do=get&target=Capture18.PNG|Import the “CAcert Public Root Certificates” “root” and “class3” in this order|width=600,align="right"}} Import the “CAcert Public Root Certificates” “root” and “class3”, in this order. ||
|| {{https://wiki.cacert.org/CAcert_Client_Certificate-Step-by-Step?action=AttachFile&do=get&target=Capture30.PNG|Trust the imported “CAcert Public Root Certificates” in the Context Menu with “Trust”|width=600,align="right"}} Trust the imported “CAcert Public Root Certificates” by choosing “Trust” in the context menu. ||

== Private Key ==
|| {{https://wiki.cacert.org/CAcert_Client_Certificate-Step-by-Step?action=AttachFile&do=get&target=Capture2.PNG|Go into tabs “Private Keys”|width=600,align="right"}} Go to the “Private Keys” tab. ||
|| {{https://wiki.cacert.org/CAcert_Client_Certificate-Step-by-Step?action=AttachFile&do=get&target=Capture3.PNG|Use “New Key” for a new Private Key|width=600,align="right"}} Use “New Key” to create a new private key. ||
|| {{https://wiki.cacert.org/CAcert_Client_Certificate-Step-by-Step?action=AttachFile&do=get&target=Capture4.PNG|Choose a name for the new key with e.g. the intended purpose included. This name is for your reference only|width=600,align="right"}} Choose a name for the new key, e.g. one that includes the intended purpose. This name is for your reference only. ||
|| Use a descriptive name that states the planned purpose, so that you can identify the key when you want to reuse it for that purpose. You also need to select the type and strength (size) of the key to be generated. Currently, RSA with 4096 bits is fine.
||
|| {{https://wiki.cacert.org/CAcert_Client_Certificate-Step-by-Step?action=AttachFile&do=get&target=Capture5.PNG|The new Private Key is ready and…|width=600,align="right"}} The new private key is ready and… ||
|| {{https://wiki.cacert.org/CAcert_Client_Certificate-Step-by-Step?action=AttachFile&do=get&target=Capture6.PNG|…appears in your list of private Keys|width=600,align="right"}} …appears in your list of private keys. ||

== Certificate Signing Request – CSR ==
|| {{https://wiki.cacert.org/CAcert_Client_Certificate-Step-by-Step?action=AttachFile&do=get&target=Capture7.PNG|For the next step go into tab “Certificate signing requests”|width=600,align="right"}} For the next step, go to the “Certificate signing requests” tab. ||
|| {{https://wiki.cacert.org/CAcert_Client_Certificate-Step-by-Step?action=AttachFile&do=get&target=Capture8.PNG|Use “New Request” to create a CSR|width=600,align="right"}} Use “New Request” to create a CSR. ||
|| {{https://wiki.cacert.org/CAcert_Client_Certificate-Step-by-Step?action=AttachFile&do=get&target=Capture9.PNG||width=600,align="right"}} Select a certificate template first and apply it, then choose the signature algorithm. ||
|| {{https://wiki.cacert.org/CAcert_Client_Certificate-Step-by-Step?action=AttachFile&do=get&target=Capture10.PNG||width=600,align="right"}} Go to the “Subject” tab. ||
|| {{https://wiki.cacert.org/CAcert_Client_Certificate-Step-by-Step?action=AttachFile&do=get&target=Capture12.PNG||width=600,align="right"}} Select the private key to use, and enter the “Internal Name” and the “emailAddress”. ||
|| At the bottom of the dialog you can either select one of the existing private keys or create a new one, in case you forgot to create one before starting the CSR creation.
||
|| {{https://wiki.cacert.org/CAcert_Client_Certificate-Step-by-Step?action=AttachFile&do=get&target=Capture31.PNG||width=600,align="right"}} Optionally, you can include aliases in the field “X509v3 Subject Alternative Name”. Create the CSR with “OK”. ||
|| {{https://wiki.cacert.org/CAcert_Client_Certificate-Step-by-Step?action=AttachFile&do=get&target=Capture13.PNG|The CSR is ready|width=600,align="right"}} The CSR is ready. ||

== Signing Process ==
|| {{https://wiki.cacert.org/CAcert_Client_Certificate-Step-by-Step?action=AttachFile&do=get&target=Capture14.PNG||width=600,align="right"}} Select the new CSR and choose “Export”. ||
|| {{https://wiki.cacert.org/CAcert_Client_Certificate-Step-by-Step?action=AttachFile&do=get&target=Capture15.PNG||width=600,align="right"}} Save the CSR to a file in PEM format, but with the extension .csr. ||
|| {{https://wiki.cacert.org/CAcert_Client_Certificate-Step-by-Step?action=AttachFile&do=get&target=Capture19.PNG||width=600,align="right"}} Open the CSR in an editor, select ALL and copy the content. ||
|| {{https://wiki.cacert.org/CAcert_Client_Certificate-Step-by-Step?action=AttachFile&do=get&target=Capture20.gif||width=600,align="right"}} Open the website [[https://www.cacert.org|cacert.org]] and log in to your account. Go to “Client Certificates” and choose “New”. ||
|| {{https://wiki.cacert.org/CAcert_Client_Certificate-Step-by-Step?action=AttachFile&do=get&target=Capture21.gif||width=600,align="right"}} Insert the CSR into the text area. ||
|| Select the email addresses and your name to include. If presented, choose the signing certificate (only for community members with 50 AP or more) that you want your certificate signed with. Preferably you should use the class 3 certificate option here. Enter a comment for the certificate for future identification.
Then click “Next”. ||
|| {{https://wiki.cacert.org/CAcert_Client_Certificate-Step-by-Step?action=AttachFile&do=get&target=Capture22.gif||width=600,align="right"}} As a result, the new certificate is displayed in the browser. Use the link “Download the certificate in PEM format” to save the certificate in PEM format. As an alternative, you can select the Base64 text of the new certificate shown below it, including the BEGIN/END CERTIFICATE lines, for direct import using "Import (PEM)" in XCA. ||
|| {{https://wiki.cacert.org/CAcert_Client_Certificate-Step-by-Step?action=AttachFile&do=get&target=Capture23.gif||width=600,align="right"}} See the certificate under “Client Certificates” and “View”. ||
|| {{https://wiki.cacert.org/CAcert_Client_Certificate-Step-by-Step?action=AttachFile&do=get&target=Capture24.PNG||width=600,align="right"}} Use “Import” in XCA to import the certificate issued by the CA. ||
|| {{https://wiki.cacert.org/CAcert_Client_Certificate-Step-by-Step?action=AttachFile&do=get&target=Capture25.PNG||width=600,align="right"}} The import was successful. ||
|| {{https://wiki.cacert.org/CAcert_Client_Certificate-Step-by-Step?action=AttachFile&do=get&target=Capture23.gif||width=600,align="right"}} The certificate is listed below the signer certificate you chose earlier. ||

== Export PKCS#12 File ==
|| {{https://wiki.cacert.org/CAcert_Client_Certificate-Step-by-Step?action=AttachFile&do=get&target=Capture27.PNG||width=600,align="right"}} Select your new certificate and use “Export”. ||
|| {{https://wiki.cacert.org/CAcert_Client_Certificate-Step-by-Step?action=AttachFile&do=get&target=Capture28.PNG||width=600,align="right"}} Save your certificate export as PKCS#12 and… ||
|| {{https://wiki.cacert.org/CAcert_Client_Certificate-Step-by-Step?action=AttachFile&do=get&target=Capture29.PNG||width=600,align="right"}} …define a password to protect your private key from unauthorized use.
You will be asked for this password when importing this file into your browser or mail client. ||

You have created a certificate in PKCS#12 format for import into a browser, email client, OS … Congratulations!
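
The following script is an added example, not part of the original guide or of XCA. It uses the OpenSSL command line to check the artifacts produced by the steps above: that the file pasted into the web form is a CSR and contains no private key, that the returned certificate belongs to your private key, and that the PKCS#12 file opens with its password. File names, the subject, the `P12_PASS` variable and the self-signed certificate (a stand-in for the certificate issued by the CA) are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original guide). All names, the subject and the
# password are constructed; the self-signed cert stands in for the CA's reply.
set -eu

# SHA-256 over the DER public key inside a private key, CSR or certificate.
pubkey_hash() {  # $1 = key|csr|cert   $2 = PEM file
  case "$1" in
    key)  openssl pkey -in "$2" -pubout ;;
    csr)  openssl req  -in "$2" -noout -pubkey ;;
    cert) openssl x509 -in "$2" -noout -pubkey ;;
  esac | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# True only for a CSR with a valid self-signature and no private key block.
safe_to_paste() {
  grep -q -- '-----BEGIN CERTIFICATE REQUEST-----' "$1" || return 1
  if grep -q -- 'PRIVATE KEY-----' "$1"; then return 1; fi
  openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'
}

# True if the PKCS#12 file opens with $P12_PASS and holds the expected public key.
p12_matches() {  # $1 = .p12 file   $2 = expected pubkey_hash
  openssl pkcs12 -in "$1" -passin env:P12_PASS -nokeys -clcerts 2>/dev/null > p12.crt || return 1
  [ "$(pubkey_hash cert p12.crt)" = "$2" ]
}

work=$(mktemp -d); trap 'rm -rf "$work"' EXIT; cd "$work"
export P12_PASS='constructed-demo-passphrase'

# Key and CSR, as XCA produces them in the "Private Key" and "CSR" sections.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:4096 -out client.key 2>/dev/null
openssl req -new -key client.key -out client.csr \
  -subj '/CN=Example User/emailAddress=user@example.org'
safe_to_paste client.csr && echo "client.csr: CSR only, fine to paste into the form"
safe_to_paste client.key || echo "client.key: private key, never paste this"

# Stand-in for the signed certificate downloaded from the CA.
openssl x509 -req -in client.csr -signkey client.key -days 1 -out client.crt 2>/dev/null
want=$(pubkey_hash key client.key)
[ "$(pubkey_hash cert client.crt)" = "$want" ] && echo "certificate matches private key"

# PKCS#12 export with the passphrase taken from the environment, then re-checked.
openssl pkcs12 -export -inkey client.key -in client.crt -name 'Example User' \
  -passout env:P12_PASS -out client.p12
p12_matches client.p12 "$want" && echo "client.p12 opens and holds the same key"
```

With files exported from XCA, call `safe_to_paste` on the .csr file before copying it, and compare `pubkey_hash cert` of the downloaded certificate with `pubkey_hash csr` of the request.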