
Client Authentication Certificates

A Note of Clarification:

There are two sorts of cryptographic certificates that are commonly involved when a web-browser connects to a website, and their names are superficially similar, so just to avoid confusion:

Certificate Authority (CA) certificates, which your browser uses to verify the certificate a server presents, and so authenticate the server to the user, should not be confused with Client Authentication Certificates, whose purpose is to authenticate the user to the server.

This page is about Client Authentication Certificates.

A Brief Introduction to Client Authentication Certificates

Client Certificates are cryptographic credentials that some websites use to authenticate users. Each one consists of a certificate (a signed statement of who you are, plus your public key) and a matching private key that only you hold. The basic idea is that rather than users having to remember and enter a user ID and password combination to authenticate themselves, the certificate and its private key are installed into their web-browser, which then proves the user's identity to the website automatically during the TLS handshake.

The advantages of client authentication certificates are:

  • The user does not have to remember a user ID and password because their browser (or the operating system's key store) holds the certificate and private key. A password can still be set on the key store or the certificate file if the key is to be used on a shared or public computer.

  • Client authentication certificates are more secure than passwords. The private key never leaves your computer; the browser only uses it to sign data during the connection, so typical attacks such as password guessing or "phishing" for a user's password do not work, because there is no secret to type into a fake website.

  • Client authentication certificates rely on well-established public-key cryptography, so the private key cannot practically be derived from the certificate with contemporary computers. Their security therefore depends on keeping the private key (and the .p12 file that contains it) out of other people's hands.

The disadvantage of cryptographic client authentication certificates is that they need to be installed into one's browser. Installing a client key is not difficult, although it is something that most computer users are not familiar with.

This page provides step-by-step tutorials describing how to install a client authentication certificate into the most commonly used browsers.

Installing a Client Authentication Certificate into your Browser

The process for installing a Client Authentication Certificate into your web-browser is basically the same regardless of which browser you are using:

The system administrator (of the website you are trying to connect to) will provide the actual key for you - it will be a small file, usually with a .p12 (sometimes .pfx) extension. This file contains both your certificate and your private key, so treat it like a password: don't email it around or leave copies on shared drives, and delete it once it has been imported. The .p12 file may be protected by a password (your system administrator will tell you); if there is a password then your browser will ask you for it, but if there is no password and yet your browser asks for one, then just leave the password field blank.

In most web-browsers you can open Preferences or Settings, find a Privacy or Security option in there somewhere, and among the security settings there will be an option named something like Manage Certificates or View Certificates. Once inside the certificate management facility there will be a button allowing you to Import the .p12 file. The whole process isn't difficult, and if your web-browser isn't listed below then you can probably figure out how to install the certificate just by clicking around a bit.

The client authentication certificate acts like a key, enabling you to access a particular website. If you try to access the website without having the key installed, then the server will refuse the connection and you will receive an error message. But once you've imported the client authentication certificate into your browser you should be able to access the website. Your browser may show a dialog (as you first connect to the website) asking which certificate to use to unlock the webpage; if this happens then just select the certificate from the list, and then you should be able to access the webpage.
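To see what is actually inside the .p12 file you are about to import, and to check it before trusting it, the following script (an added example, not part of the original page or anything your system administrator provides) builds a throw-away client certificate the way a site administrator would and then inspects it with the openssl pkcs12 command. It assumes the openssl command-line tool is installed; the CA name, the user name alice@example.com and the password hunter2 are made up for the demo. The same inspection commands work on a real .p12 file.

```shell
#!/bin/sh
# Added example: build a throw-away client certificate + .p12 and inspect it
# the way you would before importing one into a browser. The names
# (Demo Client CA, alice@example.com) and the password (hunter2) are made up.
set -eu

# Self-contained OpenSSL config so the demo does not depend on the system
# openssl.cnf. The client_ext section is what makes the certificate usable
# for TLS client authentication (extendedKeyUsage = clientAuth).
write_cnf() {
  cat > "$1" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = ca_ext
[dn]
CN = Demo Client CA
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[client_ext]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF
}

# make_demo_p12 DIR PASSWORD  ->  prints the path of the created .p12
# This is the administrator's side: issue a certificate for the user and
# bundle certificate + private key (+ the issuing CA) into a PKCS#12 file.
make_demo_p12() {
  dir=$1; pw=$2
  write_cnf "$dir/demo.cnf"
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$dir/ca.key" 2>/dev/null
  openssl req -x509 -new -key "$dir/ca.key" -config "$dir/demo.cnf" -days 1 -out "$dir/ca.crt" 2>/dev/null
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$dir/client.key" 2>/dev/null
  openssl req -new -key "$dir/client.key" -config "$dir/demo.cnf" \
    -subj "/CN=alice@example.com" -out "$dir/client.csr" 2>/dev/null
  openssl x509 -req -in "$dir/client.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 1 -extfile "$dir/demo.cnf" -extensions client_ext \
    -out "$dir/client.crt" 2>/dev/null
  openssl pkcs12 -export -inkey "$dir/client.key" -in "$dir/client.crt" \
    -certfile "$dir/ca.crt" -name "alice (demo)" -passout "pass:$pw" -out "$dir/client.p12"
  echo "$dir/client.p12"
}

# p12_subject FILE PASSWORD  ->  subject DN of the user certificate inside.
# Check that this is really your name before importing the file.
p12_subject() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys 2>/dev/null |
    openssl x509 -noout -subject -nameopt RFC2253 | sed 's/^subject=//'
}

# p12_has_client_auth FILE PASSWORD  ->  exit 0 if the certificate is marked
# for TLS client authentication (a server-only certificate will not work).
p12_has_client_auth() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys 2>/dev/null |
    openssl x509 -noout -text | grep -q 'TLS Web Client Authentication'
}

# p12_key_count FILE PASSWORD  ->  number of private keys in the bundle.
# This is why the .p12 is a secret: anyone holding the file and its password
# gets the private key and can authenticate to the site as you.
p12_key_count() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null |
    grep -c 'BEGIN PRIVATE KEY'
}

# p12_opens_with FILE PASSWORD  ->  exit 0 only if PASSWORD unlocks the file
p12_opens_with() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys >/dev/null 2>&1
}

# Stand-alone run: build, inspect, then delete the bundle, as you should after
# a browser import.
if [ "${DEMO_RUN:-1}" = 1 ]; then
  work=$(mktemp -d)
  p12=$(make_demo_p12 "$work" hunter2)
  echo "subject:    $(p12_subject "$p12" hunter2)"
  p12_has_client_auth "$p12" hunter2 && echo "clientAuth: yes"
  echo "keys:       $(p12_key_count "$p12" hunter2)"
  p12_opens_with "$p12" wrongpass || echo "wrong password rejected"
  rm -rf "$work"
fi
```

On a real file, replace the generated path and password with the ones your administrator gave you (use `-passin pass:` with nothing after the colon if the file has no password). The subject, the clientAuth usage and the expiry date (`openssl x509 -noout -enddate`) are the three things worth checking before you import; the key count shows why the file must be deleted afterwards.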

The steps listed above outline the general process. Below we provide detailed step-by-step instructions showing how to install a client authentication certificate into several popular web browsers:

Chrome

Here are step-by-step instructions for installing a Client Authentication Certificate into Google's Chrome web-browser.


Step 1

Start Chrome, and then open the menu at the top right corner and select Settings.

Chrome-1.png


Step 2

In the window that appears select Privacy and Security. This will bring up a list of options; select Security.

Chrome-2.png


Step 3

Scroll down to the Advanced section and select the Manage certificates option.

Chrome-3.png


Step 4

The Certificates window will appear (on Windows this is the Windows certificate store, which Chrome shares with the rest of the system). Be sure that the Personal tab is selected. Select Import.

Chrome-4.png


Step 5

Click Next.

Chrome-5.png


Step 6

Select Browse, and select the .p12 file (the certificate file).

Chrome-6.png


Step 7

You may be asked to enter the password for the .p12 certificate - if your system administrator did not give you a password with the key (i.e., if the certificate has no password) then just leave the password field empty. Tick Include all extended properties. Mark this key as exportable is optional: tick it only if you need to back up or move the key later, because an exportable key can be copied out of the Windows certificate store by anyone using your Windows account. Click Next, accept the certificate store the wizard suggests, and click Finish.

Chrome-7.png


Firefox

Here are step-by-step instructions for installing a Client Authentication Certificate into the Firefox web-browser.


Step 1

Start Firefox, and then open the menu at the top right corner and select Settings.

Firefox-1.png


Step 2

In the window that appears select Privacy & Security. This will bring up a list of options; scroll down and find the Certificates section. Select View Certificates.

Firefox-2.png


Step 3

The Certificate Manager window will appear. Be sure that the Your Certificates tab is selected. Select Import.

Firefox-3.png


Step 4

Find and open the .p12 file (the certificate file).

Firefox-4.png


Step 5

You may be asked to enter the password for the .p12 certificate - if your system administrator did not give you a password with the key (i.e., if the certificate has no password) then just leave the password field empty. Click OK.

Firefox-5.png


Microsoft Edge

Here are step-by-step instructions for installing a Client Authentication Certificate into the Microsoft Edge web-browser.


Step 1

Open Microsoft Edge, and then open the menu at the top right corner and select Settings.

Microsoft-Edge-1.jpg


Step 2

Select Privacy, search, and services, and then choose Manage certificates as shown below.

Microsoft-Edge-2.jpg


Step 3

Click Import to start the Certificate Import Wizard.

Microsoft-Edge-3.jpg


Step 4

Click Next, to continue.

Microsoft-Edge-4.jpg


Step 5

Browse to your downloaded certificate .p12 file and then click Next.

Microsoft-Edge-5.jpg

Note: .p12 and .pfx are two names for the same file format (PKCS#12), which Windows calls Personal Information Exchange. When browsing to your .p12 file, make sure the file type in the bottom-right of the browse window is changed to Personal Information Exchange (or All Files), otherwise the file will not be shown.


Step 6

You may be asked to enter the password for the .p12 certificate - if your system administrator did not give you a password with the key (i.e., if the certificate has no password) then just leave the password field empty. Tick Include all extended properties. Mark this key as exportable is optional: tick it only if you need to back up or move the key later, because an exportable key can be copied out of the Windows certificate store by anyone using your Windows account. Click Next.

Microsoft-Edge-6.jpg


Step 7

Leave Automatically select the certificate store based on the type of certificate selected, so the Certificate Import Wizard places the certificate in the Personal store. Click Next.

Microsoft-Edge-7.jpg

Note: In some instances the certificate may not end up under Personal. If this is the case, rerun the import and at this step choose the second option, Place all certificates in the following store, then Browse and select Personal.


Step 8

Click Next. Then, click Finish.

Microsoft-Edge-8.jpg

The certificate is now installed in the Windows certificate store and Edge will offer it to websites that request client authentication.


Step 9

Microsoft-Edge-9.jpg


Safari

Many common web browsers, such as Firefox, remember cryptographic keys and certificates by storing them in an internal "key store" of their own. Safari on macOS presents a slightly different situation, because Macs have a centralised key store provided by the operating system, the Keychain. So the process of installing a client certificate for use in Safari amounts to importing the .p12 certificate file into the Keychain Access tool, rather than directly into the browser. Chrome on macOS also uses the Keychain rather than a store of its own, and Firefox can be configured to use it too, but Safari must store its keys and certificates in the Keychain.

NOTE: There is a minor bug in the way that Safari applies client certificates to websites, but there is a work-around for the bug that is described below (starting in Step 10). To get things working smoothly you must follow all of the steps listed below.

To install a Client Authentication Certificate into the macOS Keychain, so it can be used by Apple's Safari web-browser, we use the Keychain Access utility:


Step 1

Save the Client Authentication Certificate somewhere on your Mac, it is a file with a .p12 extension.

Safari-01.png


Step 2

Double-click on the Client Authentication Certificate file to open it, and you will be asked for the certificate's password. Enter the password that your system administrator gave you when they gave you the .p12 certificate file (or leave it blank if no password was set).

Safari-02.png

NOTE: If you are unable to open the .p12 file by double-clicking on it (if the Keychain Access application doesn't automatically start when you double-click the .p12 file), then start Keychain Access yourself (it is in Applications > Utilities), select the login keychain, and import the certificate manually using File > Import Items.


Step 3

The Keychain Access application should open, and the certificate should appear in the login keychain, under My Certificates. Note that you may have to click on login and My Certificates in order to find the key you just added to the key store.

Safari-03.png

NOTE: Just leave the Keychain Access app running for now.


Step 4

Next, start Safari.

Safari-04.png


Step 5

The point of installing the certificate is to allow you to access a certain website. Use Safari to go to that website now. You can either follow the link provided by your system administrator, or type the URL of the website into Safari’s Address Bar and press Enter.

Safari-05.png


Step 6

You may be asked to enter your password (or maybe not - don't worry if you aren't asked to sign in).

NOTE: The password that Safari is asking for, in order to use the "privateKey" stored in your login keychain, is your login keychain password. By default this is the same password you use to log in to your Mac.

Enter the password you use to log yourself into your Mac and then click the Always Allow button. (If you click Allow rather than Always Allow, then Safari will ask again every time it needs the key, and may pester you to keep signing in over and over again. Always Allow lets Safari use this private key in future without asking, which is fine on your own Mac; on a Mac that other people also use, Allow is the more cautious choice.)

Safari-06.png


Step 7

If everything has gone well then Safari will confirm that you want to use the new Client Authentication Certificate that you just installed, just click Continue:

Safari-07.png


Step 8

You may be asked a second or third time whether you want to use the Certificate. Just keep on clicking Continue until Safari stops asking (this may take a bit).

Safari-07.png


Step 9

Close Safari.

IMPORTANT: Don’t just close Safari’s window (leaving it running in the background), actually use the File menu and select Quit Safari to ensure that Safari is no longer running:

Safari-09.png


Step 10

By now everything should be working! However, there is a bug in Safari which means that it’s going to keep asking you to confirm the certificate every time you go to a new location within the website, which can quickly get very annoying.

Just to be clear – every time you first open the website in Safari, you will be asked to confirm the certificate, which is fine, but with a little tweak you should be able to dramatically reduce the number of additional times that Safari subsequently pesters you regarding the certificate.

Switch back to the Keychain Access application (it should still be running because we left it running after Step 3).

In Keychain Access, click on All Items:

Safari-10A.png

Look for one or two items whose Kind column says identity preference (you can type "identity preference" into the search box to filter the list):

Safari-10B.png

Here’s a close-up:

Safari-10C.png

The two records that you are looking for are named:

http://your.website.com (com.apple.Safari), and,
https://your.website.com (com.apple.Safari)

NOTE: The difference between these two records is the protocol name, HTTP versus HTTPS (note the presence or absence of the S). Both records may appear, but if only the HTTPS record is there then that’s fine, don’t worry if the HTTP record is missing.


Step 11

Double click on the identity preference record named:
https://your.website.com (com.apple.Safari),
and a dialog box like this should appear:

Safari-11.png


Step 12

Insert one slash character, “/”, right at the end of the URL in both the Name and Where fields, like this:

Safari-12A.png

The spacing has to be exactly like this, here’s a close-up:

Safari-12B.png

Click “Save Changes”.


Step 13

Make the same change to the HTTP identity preference record, if it exists. Don’t worry about it if that record isn’t there.


Step 14

Close the Keychain Access app.

Safari-14.png

That is it! You are done!

Ongoing Problems with Safari?

Hopefully you can now open your.website.com in Safari, and it will confirm once that you wish to use the certificate, after which it will behave just like any other website.

It's a shame about the bug in Safari whereby the identity preference records that it automatically creates don't include the necessary slash, but at least Step 12 gets things working. If Safari continues to excessively hound you to confirm the certificate as you surf around your website, then double-check that you added the slash in the correct spot in those identity preference records in the Keychain: right at the end of the URL, your.website.com/ with no space before the slash, and with a single space after the slash before the words (com.apple.Safari).

If you keep being hounded to sign in with a dialog that looks like the one in Step 6, then remember to click on Always Allow.


Attributions

Some of the contents of this page were acquired, with thanks, from the following online information sources, under Fair Use provisions:

Author

Questions, comments, and suggestions may be directed to the author of this article, at: