Contrary to StartSSL’s FAQ, it is now possible for authenticated users to submit certificate requests (CSRs) for client (S/MIME) certificates. However, certificates are issued in PEM format, while most browsers and mail clients prefer PKCS#12 format. This article describes the steps to create a private key and the corresponding certificate request, as well as how to create a PKCS#12 file after obtaining the signed client certificate.

First, we will use the openssl utility on our local *NIX box to create a password-protected private key, remove the password protection, and generate a certificate request:

openssl genrsa -aes256 -out crash.bandicoot@mimar.rs.key.secure 4096
openssl rsa -in crash.bandicoot@mimar.rs.key.secure -out crash.bandicoot@mimar.rs.key.unsecure
openssl req -new -key crash.bandicoot@mimar.rs.key.secure -out crash.bandicoot@mimar.rs.csr

We will now click through StartSSL’s intuitive Certificates Wizard up to the point where we are provided with a download link for a zip file which contains our signed client certificate, as well as the StartSSL client CA used to sign it, both in PEM format. We need to extract these into the folder which holds our private key.

Once we have all the components (private key, signed certificate, and signing CA), creating the PKCS#12 file is as easy as concatenating the three PEM files into one, in any order, and feeding the combined file to openssl’s pkcs12 utility:

cat crash.bandicoot@mimar.rs.key.unsecure 1_Intermediate.crt 2_crash.bandicoot@mimar.rs.crt > crash.bandicoot@mimar.rs.combined
openssl pkcs12 -export -in crash.bandicoot@mimar.rs.combined -name crash.bandicoot@mimar.rs -out crash.bandicoot@mimar.rs.p12

We can now import our PKCS#12 file into our browser or e-mail client for authentication or encryption purposes.
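The whole procedure above, as an added example that is not part of the original post: a POSIX shell script that runs the same openssl steps end to end and then verifies the resulting bundle. Since StartSSL's wizard cannot be driven offline, a locally generated stand-in CA signs the CSR in its place; the identity user@example.com, the file names, and the passphrase are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): key -> CSR -> signed
# certificate -> PKCS#12, runnable offline. A locally generated stand-in CA
# takes the place of StartSSL's intermediate; identity, file names and
# passphrase below are constructed placeholders.
set -eu

EMAIL="user@example.com"   # placeholder identity (not a real mailbox)
P12_PASS="changeit"        # constructed passphrase for the key and the .p12

# Build the bundle in directory $1 and print the path of the resulting .p12.
build_p12() {
    d="$1"
    mkdir -p "$d"

    # Step 1 (as in the post): passphrase-protected key, unprotected copy, CSR.
    openssl genrsa -aes256 -passout pass:"$P12_PASS" -out "$d/client.key.secure" 2048 2>/dev/null
    openssl rsa -in "$d/client.key.secure" -passin pass:"$P12_PASS" -out "$d/client.key.unsecure" 2>/dev/null
    openssl req -new -key "$d/client.key.secure" -passin pass:"$P12_PASS" \
        -subj "/CN=$EMAIL/emailAddress=$EMAIL" -out "$d/client.csr"

    # Step 2: stand-in for the CA (this is the part StartSSL's wizard does).
    openssl genrsa -out "$d/ca.key" 2048 2>/dev/null
    openssl req -x509 -new -key "$d/ca.key" -subj "/CN=Example Client CA" \
        -days 1 -out "$d/ca.crt"
    openssl x509 -req -in "$d/client.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/client.crt" 2>/dev/null

    # Step 3 (as in the post): concatenate key + CA + leaf, then export.
    cat "$d/client.key.unsecure" "$d/ca.crt" "$d/client.crt" > "$d/client.combined"
    openssl pkcs12 -export -in "$d/client.combined" -name "$EMAIL" \
        -passout pass:"$P12_PASS" -out "$d/client.p12"

    # The unprotected key and the combined file are no longer needed once
    # the bundle exists; leaving them around is the main risk of this flow.
    rm -f "$d/client.key.unsecure" "$d/client.combined"
    echo "$d/client.p12"
}

# Open the bundle ($1) with the passphrase, extract the leaf certificate,
# confirm it carries the expected identity and chains to the CA ($2).
# Prints "ok" on success; any failing openssl step aborts under set -e.
verify_p12() {
    p12="$1"; cafile="$2"
    leaf=$(mktemp)
    # -clcerts -nokeys selects only the end-entity cert; piping through
    # x509 strips the "Bag Attributes" preamble so the file is clean PEM.
    openssl pkcs12 -in "$p12" -passin pass:"$P12_PASS" -clcerts -nokeys 2>/dev/null \
        | openssl x509 > "$leaf"
    subject=$(openssl x509 -in "$leaf" -noout -subject)
    case "$subject" in
        *"$EMAIL"*) ;;
        *) echo "unexpected subject: $subject" >&2; rm -f "$leaf"; return 1 ;;
    esac
    openssl verify -CAfile "$cafile" "$leaf" >/dev/null
    rm -f "$leaf"
    echo ok
}

# Usage: sh p12_demo.sh /path/to/workdir
if [ "$#" -ge 1 ]; then
    bundle=$(build_p12 "$1")
    verify_p12 "$bundle" "$1/ca.crt" >/dev/null && echo "bundle ready: $bundle"
fi
```

The verification step is the part worth keeping even when the real StartSSL intermediate is used: a .p12 that opens with the passphrase but whose leaf does not chain to the CA file you bundled, or whose subject is not the address you expect, will be imported fine and then silently fail to sign or decrypt mail. Note also that the script deletes the unprotected key copy once the bundle exists; the post's manual flow leaves crash.bandicoot@mimar.rs.key.unsecure on disk.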
