Contrary to StartSSL’s FAQ, it is now possible for authenticated users to submit certificate requests (CSRs) for client (S/MIME) certificates. However, certificates are issued in PEM format, while most browsers and mail clients prefer PKCS#12 format. This article describes the steps to create a private key and the corresponding certificate request, and how to create a PKCS#12 file after obtaining the signed client certificate.

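First, we will use the openssl utility on our local *NIX box to create a password-protected private key, remove the password protection, and generate a certificate request. The second command leaves the private key on disk unencrypted, so keep that file readable only by its owner: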

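# File names are placeholders; substitute your own.
openssl genrsa -aes256 -out client-encrypted.key 4096
openssl rsa -in client-encrypted.key -out client.key
openssl req -new -key client.key -out client.csr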

We will now click through StartSSL’s intuitive Certificates Wizard up to the point where we are provided with a download link for a zip file that contains our signed client certificate, as well as the StartSSL client CA certificate used to sign it, both in PEM format. We need to extract these into the folder that holds our private key.

Once we have all the components (private key, signed public key, and signing CA), creating the PKCS#12 file is as easy as combining the three PEM files into one, in any order, and feeding the combined file to openssl’s pkcs12 utility:

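# client.key, client.crt, combined.pem and client.p12 are placeholder names.
# combined.pem contains the unencrypted private key.
cat client.key client.crt 1_Intermediate.crt > combined.pem
openssl pkcs12 -export -in combined.pem -name "StartSSL client certificate" -out client.p12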

We can now import our PKCS#12 file into a browser or e-mail client for authentication or encryption purposes.
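
The checks worth running around the export step, as an added example that is not part of the original article: it confirms that the private key matches the signed certificate and that the certificate was issued by the supplied CA, then builds the PKCS#12 and re-reads it. It passes the three files with -inkey, -in and -certfile instead of a combined file. All file names, the function names and the throwaway CA standing in for StartSSL’s client CA are assumptions, chosen so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the original article. All file names are assumptions.

# Succeed only if the RSA private key ($1) and certificate ($2) share a modulus.
key_matches_cert() {
    km=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null) || return 1
    cm=$(openssl x509 -in "$2" -noout -modulus 2>/dev/null) || return 1
    [ -n "$km" ] && [ "$km" = "$cm" ]
}

# build_p12 KEY CERT CA OUT NAME PASSFILE
# Check the inputs, export the PKCS#12, then re-read it to confirm it parses.
build_p12() {
    key_matches_cert "$1" "$2" ||
        { echo "private key does not match certificate" >&2; return 2; }
    openssl verify -partial_chain -CAfile "$3" "$2" >/dev/null 2>&1 ||
        { echo "certificate was not signed by the supplied CA" >&2; return 3; }
    ( umask 077   # the output holds the private key: owner-only permissions
      openssl pkcs12 -export -inkey "$1" -in "$2" -certfile "$3" \
          -name "$5" -passout "file:$6" -out "$4" ) || return 4
    openssl pkcs12 -in "$4" -passin "file:$6" -noout 2>/dev/null || return 5
}

# Constructed sample input: throwaway CA, client key/cert and an unrelated key
# written to directory $1 (2048-bit keys to keep the demo fast).
make_demo_inputs() {
    ( cd "$1" && umask 077 &&
      openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Demo Client CA" \
          -keyout ca.key -out ca.crt -days 1 &&
      openssl genrsa -out client.key 2048 &&
      openssl req -new -key client.key -subj "/CN=demo user" -out client.csr &&
      openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key \
          -CAcreateserial -days 1 -out client.crt &&
      openssl genrsa -out other.key 2048 &&
      printf '%s\n' 'constructed-demo-password' > pass.txt ) >/dev/null 2>&1
}

# Run the whole flow in a temporary directory and clean up afterwards.
demo() {
    d=$(mktemp -d) || return 1
    rc=0
    { make_demo_inputs "$d" &&
      build_p12 "$d/client.key" "$d/client.crt" "$d/ca.crt" \
          "$d/client.p12" "demo user" "$d/pass.txt"; } || rc=$?
    rm -rf "$d"
    return "$rc"
}

demo && echo "PKCS#12 built and verified"
```

With real files, call build_p12 with the decrypted key, the signed certificate, 1_Intermediate.crt, the output name, a friendly name and a file holding the export password.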
