Contrary to StartSSL’s FAQ, it is now possible for authenticated users to submit certificate signing requests (CSRs) for client (S/MIME) certificates. However, certificates are issued in PEM format, while most browsers and mail clients prefer PKCS#12 format. This article describes the steps to create a private key and the corresponding certificate request, and how to create a PKCS#12 file after obtaining the signed client certificate.
First, we will use the openssl utility on our local *NIX box to create a password-protected private key, remove the password protection, and generate a certificate request:
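    # File names are placeholders; each command must read and write distinct files.
    openssl genrsa -aes256 -out email@example.com.enc.key 4096
    # Writes a copy of the private key without password protection.
    openssl rsa -in email@example.com.enc.key -out email@example.com.key
    openssl req -new -key email@example.com.key -out email@example.com.csr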
We will now click through StartSSL’s intuitive Certificates Wizard up to the point where we are given a download link for a zip file that contains our signed client certificate, as well as the StartSSL client CA certificate used to sign it, both in PEM format. We need to extract these into the folder that holds our private key.
Once we have all the components (private key, signed public key, and signing CA), creating the PKCS#12 file is as easy as concatenating the three PEM files into one, in any order, and feeding the combined file to openssl’s pkcs12 utility:
    # File names other than 1_Intermediate.crt are placeholders.
    cat email@example.com.key 1_Intermediate.crt email@example.com.crt > email@example.com.pem
    openssl pkcs12 -export -in email@example.com.pem -name firstname.lastname@example.org -out email@example.com.p12
We can now import our PKCS#12 file into a browser or e-mail client for authentication or encryption purposes.
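The bundling step above with two checks in front of it, as an added example that is not part of the original article: it confirms that the private key matches the signed certificate and that the certificate was issued by the supplied CA before exporting. All helper names and file names are hypothetical, and a throwaway local CA stands in for the issuing CA so the script runs offline.

```sh
#!/bin/sh
# Added example. Helper names, file names and the throwaway CA are hypothetical.

# True only if the certificate carries the public key of the given private key.
key_matches_cert() {  # usage: key_matches_cert key.pem cert.pem
  kpub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  cpub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
  [ -n "$kpub" ] && [ "$kpub" = "$cpub" ]
}

# Check that the three PEM inputs belong together, then export them as PKCS#12.
# The export password is read from $P12_PASS so it never appears in argv.
build_p12() {  # usage: build_p12 key.pem cert.pem ca.pem out.p12 friendly-name
  key_matches_cert "$1" "$2" ||
    { echo "private key does not match certificate" >&2; return 1; }
  openssl verify -partial_chain -CAfile "$3" "$2" >/dev/null 2>&1 ||
    { echo "certificate was not issued by the given CA" >&2; return 1; }
  # Feed the PEM data on stdin: no combined key+cert file is left on disk.
  (umask 077; cat "$1" "$2" "$3" |
    openssl pkcs12 -export -name "$5" -out "$4" -passout env:P12_PASS)
}

# Number of certificates stored in a PKCS#12 file (expect 2: user + CA).
p12_cert_count() {  # usage: p12_cert_count file.p12
  openssl pkcs12 -in "$1" -passin env:P12_PASS -nokeys 2>/dev/null |
    grep -c 'BEGIN CERTIFICATE'
}

# Constructed sample input: a local test CA stands in for the issuing CA.
make_demo_material() {  # prints the directory holding the generated files
  dir=$(mktemp -d) || return 1
  {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Test CA" \
      -keyout "$dir/ca.key" -out "$dir/ca.crt" &&
    openssl genrsa -out "$dir/user.key" 2048 &&
    openssl req -new -key "$dir/user.key" -subj "/CN=user@example.com" \
      -out "$dir/user.csr" &&
    openssl x509 -req -in "$dir/user.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
      -CAcreateserial -days 1 -out "$dir/user.crt" &&
    openssl genrsa -out "$dir/other.key" 2048
  } >/dev/null 2>&1 || return 1
  echo "$dir"
}
```

To use it on real files, set `P12_PASS` in the environment and call `build_p12` with the key, the signed certificate, `1_Intermediate.crt`, the output path and the friendly name.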