Managing Client Certificates | DigiCert.com (2024)

Taking Care of Your Client Certificate

After generating a Client Certificate as the second factor for your authentication process, we recommend that you back it up. Once you've backed up (exported) your Client Certificate, you can do the following things with it, if needed:

Import it into other Certificate Stores so that you can use multiple browsers to log into your DigiCert account.
Transfer it to another computer should you get a new one. Then, you can install it in the necessary Certificate Stores on your new computer.

The instructions on this page explain how to verify Client Certificate installation, back up/export your Client Certificate, and import your Client Certificate. The instructions are divided into two sections: Windows and Mac.

Windows Certificate Management Instructions

(Windows) Verifying that Your Client Certificate Is Installed

After you generate your Client Certificate, we recommend that you open up the browser(s) that you intend to use to log into the DigiCert account and verify that the certificate is installed in the appropriate Certificate Store.

If you have not yet generated your Client Certificate, see
Generating Your Client Certificate.
If you discover that your Client Certificate is not installed, see
(Windows) Backing Up (Exporting) Your Client Certificate or
(Windows) Importing Your Client Certificate into a Certificate Store

How to Verify that Your Client Certificate Is Installed

Internet Explorer
Chrome
Firefox

Internet Explorer: Verifying that Your Client Certificate Is Installed

In Internet Explorer, go to Internet Options.
In the Internet Options window, on the Content tab, click Certificates.
In the Certificates window, on the Personal tab, you should see your Client Certificate.
If the certificate is the Windows Certificate Store, you should be able to use Internet Explorer or Chrome to log into your DigiCert account.

Chrome: Verifying that Your Client Certificate Is Installed

In Chrome, go to Settings.
On the Settings page, below Default browser, click Show advanced settings.
Under HTTPS/SSL, click Manage certificates.
In the Certificates window, on the Personal tab, you should see your Client Certificate.
If the certificate is the Windows Certificate Store, you should be able to use Chrome or Internet Explorer to log into your DigiCert account.

Firefox: Verifying that Your Client Certificate Is Installed

In Firefox, go to Options.
In the Options window, click Advanced, next, click the Certificates tab, and then, click View Certificates.
In the Certificate Manager window, on the Your Certificates tab, you should see your Client Certificate, if your certificate was installed in the Firefox Certificate Store.

(Windows) Backing Up/Exporting Your Client Certificate

After you generate and install your Client Certificate, we recommend that you back it up. The backup copy saves you from needing to generate a new certificate should you transfer to a new computer.

The backup copy also allows you to import your certificate into a Certificate Store should you want to use a different browser to log into your DigiCert account. Client Certificates may be limited to a specific browser(s).

Windows installs the Client Certificate in its own Certificate Store and can be shared by Chrome and Internet Explorer.
Mac installs the Client Certificate in its own Certificate Store and can be shared by the keychain for Safari and Chrome.
Firefox installs the Client Certificate in its own Certificate Store and can only be accessed by Firefox (Windows or Mac).

After you have exported your Client Certificate w/private key, you can import the certificate into other Certificate Stores so that you can log into your DigiCert account using another browser. See (Windows) Importing Your Client Certificate into a Certificate Store.

How to Back Up (Export) Your Client Certificate

Internet Explorer
Chrome
Firefox

Internet Explorer: Backing Up (Exporting) Your Client Certificate

In Internet Explorer, go to Internet Options.
In the Internet Options window, on the Content tab, click Certificates.
In the Certificates window, on the Personal tab, select your Client Certificate and click Export.
In the Certificate Export Wizard, on the Welcome page, click Next.
On the Export Private Key page, select Yes, export private key and then, click Next.
On the Export File Format page, select Personal Information Exchange – PKCS #12 (.PFX), check Include all certificates in the certification path if possible, and then, click Next.
On the Security page, check Password.
In the Password and Confirm password boxes, type your password, and then click Next.
On the File to Export page, click Browse, locate where you want to save the Client Certificate (w/private key) .pfx file, provide a file name (i.e. myClientCert), click Save, and then, click Next.
Make sure to save the .pfx file in a location that you will remember.
On the Completing the Certificate Export Wizard page, review the settings and then, click Finish.
When you receive “The export was successful” message, click OK.
Your Client Certificate w/private key has now been backed up (exported) as a .pfx file.

Chrome: Backing Up (Exporting) Your Client Certificate

In Chrome, go to Settings.
On the Settings page, below Default browser, click Show advanced settings.
Under HTTPS/SSL, click Manage certificates.
In the Certificates window, on the Personal tab, select your Client Certificate and click Export.
In the Certificate Export Wizard, on the Welcome page, click Next.
On the Export Private Key page, select Yes, export private key and then, click Next.
On the Export File Format page, select Personal Information Exchange – PKCS #12 (.PFX), check Include all certificates in the certification path if possible, and then, click Next.
On the Security page, check Password.
In the Password and Confirm password boxes, type your password, and then click Next.
On the File to Export page, click Browse, locate where you want to save the Client Certificate (w/private key) .pfx file, provide a file name (i.e. myClientCert), click Save, and then, click Next.
Make sure to save the .pfx file in a location that you will remember.
On the Completing the Certificate Export Wizard page, review the settings and then, click Finish.
When you receive “The export was successful” message, click OK.
Your Client Certificate w/private key has now been backed up (exported) as a .pfx file.

Firefox: Backing Up (Exporting) Your Client Certificate

In Firefox, go to Options.
In the Options window, click Advanced, next, click the Certificates tab, and then, click View Certificates.
In the Certificate Manage window, on the Your Certificates tab, select your Client Certificate and click Backup.
See Also
How do you get Chrome to accept a self-signed certificate?Set up an HTTPS certificate authority How to View SSL Certificate Details on Chrome 56?
In the File Name to Backup window, go to where you want to save the Client Certificate (w/private key) .p12 file, provide a file name (i.e. myClientCertificate), and then click Save.
Make sure to save the .p12 file in a location that you will remember.
Note:A .p12 file uses the same format as a .pfx file. If you want, you can change the extension to .pfx and resave the file as a .pfx file if needed.
In the Choose a Certificate Backup Password window, create a Certificate backup password and then, click OK.
When you receive the “Successfully backed up your security certificate(s) and private key(s)” message, click OK.
Your Client Certificate w/private key has now been backed up as a .p12 file.

(Windows) Importing Your Client Certificate into a Certificate Store

If you transferred to a new computer, or you want to use a different browser to log into your DigiCert account, you need to import your Client Certificate into the appropriate Certificate Store.

If you have not yet exported your Client Certificate, see (Windows) Backing Up (Exporting) Your Client Certificate.

After you have exported your Client Certificate w/private key, you can import the certificate into the appropriate Certificate Stores so that you can log into your DigiCert account from your new computer or using another browser.

How to Import Your Client Certificate

Internet Explorer
Chrome
Firefox

Internet Explorer: Importing Your Client Certificate

In Internet Explorer, go to Internet Options.
In the Internet Options window, on the Content tab, click Certificates.
In the Certificates window, on the Personal tab, click Import.
In the Certificate Import Wizard, on the Welcome page, click Next.
On the File to Import page, click Browse.
In the File Explorer Open window, in the file type drop-down list, select Personal Information Exchange (*.pfx;*.p12).
Locate and select your Client Certificate .pfx or .p12 file, and then click Open.
On the File to Import page, click Next.
On the Private key protection page, check Mark this key as exportable and Include all extended properties.
The Mark this key as exportable option enables you to export your Client Certificate w/private key should you need to in the future.
In the Password box, type the password that you created when you exported your Client Certificate w/private key and then, click Next.
On the Certificate Store page, click Automatically select the certificate store based on the type of the certificate and then, click Next.
We recommend that you use this option so that intermediate and root certificates in the .pfx or .p12 file are placed in the appropriate Certificate Store.
On the Completing the Certificate Import Wizard page, review the settings and then, click Finish.
When you receive “The import was successful” message, click OK.
Your Client Certificate w/private key is now imported in to the Windows Certificate store, and you can use Internet Explorer and Chrome to log into your DigiCert account.

Chrome: Importing Your Client Certificate

In Chrome, go to Settings.
On the Settings page, below Default browser, click Show advanced settings.
Under HTTPS/SSL, click Manage certificates.
In the Certificates window, on the Personal tab, click Import.
In the Certificate Import Wizard, on the Welcome page, click Next.
On the File to Import page, click Browse.
In the File Explorer Open window, in the file type drop-down list, select Personal Information Exchange (*.pfx;*.p12).
Locate and select your Client Certificate .pfx or .p12 file, and then click Open.
On the File to Import page, click Next.
On the Private key protection page, check Mark this key as exportable and Include all extended properties.
The Mark this key as exportable option enables you to export your Client Certificate w/private key should you need to in the future.
In the Password box, type the password that you created when you exported your Client Certificate w/private key and then, click Next.
On the Certificate Store page, click Automatically select the certificate store based on the type of the certificate and then, click Next.
We recommend that you use this option so that intermediate and root certificates in the .pfx or .p12 file are placed in the appropriate Certificate Store.
On the Completing the Certificate Import Wizard page, review the settings and then, click Finish.
When you receive “The import was successful” message, click OK.
Your Client Certificate w/private key is now imported in to the Windows Certificate store, and you can use Chrome and Internet Explorer to log into your DigiCert account.

Firefox: Importing Your Client Certificate

In Firefox, go to Options.
In the Options window, click Advanced, next, click the Certificates tab, and then, click View Certificates.
In the Certificate Manage window, on the Your Certificates tab, click Import.
In the Certificate File to Import window, in the file type drop-down list, select PKCS12 Files (*.pfx;*.p12).
Then, navigate to your Client Certificate .pfx or .p12 file, and then click Open.
In the Password Entry Dialog window, in the Password box, type the password that you created when you exported your Client Certificate w/private key and then, click OK.
When you receive the “Successfully restored your security certificate(s) and private key(s)” message, click OK.
Your Client Certificate w/private key is now imported in the Firefox Certificate Store, and you can use Firefox to log into your DigiCert account.

Mac Certificate Management Instructions

(Mac) Verifying that Your Client Certificate Is Installed

After you generate your Client Certificate, we recommend that you open up your keychain or browser(s) that you intend to use and verify that the Certificate is installed in the appropriate keychain or Certificate Store.

If you have not yet generated your Client Certificate, see
Generating Your Client Certificate.
If you discover that your Client Certificate is not installed, see
(Mac) Backing Up (Exporting) Your Client Certificate or
(Mac) Importing Your Client Certificate

How to Verify that Your Client Certificate Is Installed

Safari
Chrome
Firefox

Safari: Verifying that Your Client Certificate Is Installed

Open Keychain Access.
In the Finder window, under Favorites, click Applications, click Utilities, and then click Keychain Access.
In the Keychain Access window, under Keychains, click login, under Category, click Certificates, and you should see your Client Certificate, if your certificate was installed in your keychain.
If the certificate is in the Keychain, you should be able to use Safari or Chrome to log into your DigiCert account.
If you receive the “This certificate was signed by an unknown authority” warning message, do one of following things:
- Ignore the message.
  The reason that you are receiving this message is because the Intermediate Certificate was not included in the Certificate Chain.
  The certificate was signed by DigiCert, and this message will not prevent you from logging into your DigiCert account.
- Remove the message.
  If you want to remove the warning message, all you need to do is install the Intermediate Certificate, as follows:
  How to Install the DigiCert Intermediate Certificate
  1. Open your Client Certificate.
    Right-click your certificate and in the list of options, click Get Info.
  2. In your “Client Certificate” window, expand Details.
  3. In the Extension Certificate Authority Information Access section, under Method #2 CA Issuers, to the right of URI, click the Intermediate Certificate link.
  4. After Safari downloads the Intermediate Certificate, double-click the certificate to open it and install it in your login keychain.
  5. Close the Intermediate Certificate.
  6. In your login keychain, where the warning message was located, you should now see the “This certificate is valid” message.

Chrome: Verifying that Your Client Certificate Is Installed

In Chrome, go to Settings.
On the Settings page, below Default browser, click Show advanced settings.
Under HTTPS/SSL, click Manage certificates.
In the Keychain Access window, under Keychains, click login, under Category, click Certificates, and you should see your Client Certificate, if your certificate was installed in your keychain.
If the certificate is the Keychain, you should be able to use Chrome or Safari to log into your DigiCert account.
If you receive the “This certificate was signed by an unknown authority” warning message, do one of following things:
- Ignore the message.
  The reason that you are receiving this message is because the Intermediate Certificate was not included in the Certificate Chain.
  The certificate was signed by DigiCert, and this message will not prevent you from logging into your DigiCert account.
- Remove the message.
  If you want to remove the warning message, all you need to do is install the Intermediate Certificate, as follows:
  How to Install the DigiCert Intermediate Certificate
  1. Open your Client Certificate.
    Right-click your certificate and in the list of options, click Get Info.
  2. In your “Client Certificate” window, expand Details.
  3. In the Extension Certificate Authority Information Access section, under Method #2 CA Issuers, to the right of URI, click the Intermediate Certificate link.
  4. After Safari downloads the Intermediate Certificate, double-click the certificate to open it and install it in your login keychain.
  5. Close the Intermediate Certificate.
  6. In your login keychain, where the warning message was located, you should now see the “This certificate is valid” message.

Firefox: Verifying that Your Client Certificate Is Installed

In Firefox, go to Preferences.
In the Preferences window, click Advanced, click the Certificates, and then click View Certificates.
In the Certificate Manager window, click Your Certificates, and you should see your Client Certificate if your certificate is installed in the Firefox Certificate Store.

(Mac) Backing Up/Exporting Your Client Certificate

After you generate and install your Client Certificate, we recommend that you back it up. The backup copy saves you from needing to generate a new certificate should you transfer to a new computer.

The backup copy also allows you to import your certificate into a Keychain or Certificate Store should you want to use a different browser to log into your DigiCert account. Client Certificates may be limited to a specific browser(s).

Mac installs the Client Certificate in its own Certificate Store and can be shared by the keychain for Safari and Chrome.
Firefox installs the Client Certificate in its own Certificate Store and can only be accessed by Firefox (Windows or Mac).
Windows installs the Client Certificate in its own Certificate Store and can be shared by Chrome and Internet Explorer.

After you have exported your Client Certificate w/private key, you can import the certificate into a Keychain or other Certificate Stores so that you can log into your DigiCert account using another browsers. See (Mac) Importing Your Client Certificate.

How to Back Up (Export) Your Client Certificate

Safari
Chrome
Firefox

Safari: Backing Up (Exporting) Your Client Certificate

Open Keychain Access.
In the Finder window, under Favorites, click Applications, click Utilities, and then click Keychain Access.
In the Keychain Access window, under Keychains, click login, under Category, click Certificates, and then, select your Client Certificate.
In the Keychain Access toolbar, click File > Export Items.
In the “Export” window, do the following:
1. In the File Format drop-down list select Personal information Exchange (.p12).
  Note: A .p12 file uses the same format as a .pfx file.
2. In the Save As box, go to where you want to save the Client Certificate (w/private key) .p12 file.
  Make sure to save the .p12 file in a location that you will remember.
3. Name the certificate .p12 file (i.e. myClientCertificate) and click Save.
In the “Password” window, in the Password and Verify boxes, create and verify your password and then, click OK.
Your Client Certificate w/private key has now been backed up (exported) as a .p12 file.

Chrome: Backing Up (Exporting) Your Client Certificate

In Chrome, go to Settings.
On the Settings page, below Default browser, click Show advanced settings.
Under HTTPS/SSL, click Manage certificates.
In the Keychain Access window, under Keychains, click login, under Category, click Certificates, and then, select your Client Certificate.
In the Keychain Access toolbar, click File > Export Items.
In the “Export” window, do the following:
1. In the File Format drop-down list select Personal information Exchange (.p12).
  Note: A .p12 file uses the same format as a .pfx file.
2. In the Save As box, go to where you want to save the Client Certificate (w/private key) .p12 file.
  Make sure to save the .p12 file in a location that you will remember.
3. Name the certificate .p12 file (i.e. myClientCertificate) and click Save.
In the “Password” window, in the Password and Verify boxes, create and verify your password and then, click OK.
Your Client Certificate w/private key has now been backed up (exported) as a .p12 file.

Firefox: Backing Up (Exporting) Your Client Certificate

In Firefox, go to Preferences.
In the Preferences window, click Advanced, click the Certificates, and then click View Certificates.
In the Certificate Manage window, click Your Certificates, select your Client Certificate, and then, click Backup.
In the File Name to Backup window, do the following:
1. In the Format drop-down list select PKCS12 Files.
  Note: A .p12 file uses the same format as a .pfx file.
2. In the Save As box, go to where you want to save the Client Certificate (w/private key) .p12 file.
  Make sure to save the .p12 file in a location that you will remember.
3. Name the certificate .p12 file (i.e. myClientCertificate) and click Save.
In the Certificate Manager window, create a Certificate backup password and then, click OK.
When you receive the “Successfully backed up your security certificate(s) and private key(s)” message, click OK.
Your Client Certificate w/private key has now been backed up as a .p12 file.

(Mac) Importing Your Client Certificate

If you transferred to a new computer, or you want to use a different browser to log into your DigiCert account, you need to import your Client Certificate into the appropriate Keychain or Certificate Store.

If you have not yet exported your Client Certificate, see (Mac) Backing Up (Exporting) Your Client Certificate.

After you have exported your Client Certificate w/private key, you can import the certificate into the appropriate Keychain or Certificate Stores so that you can log into your DigiCert account from your new computer or using another browser.

How to Import Your Client Certificate

Safari
Chrome
Firefox

Safari: Importing Your Client Certificate

Open Keychain Access.
In the Finder window, under Favorites, click Applications, click Utilities, and then click Keychain Access.
In the Keychain Access toolbar, click File > Import Items.
In the Keychain Access window, in the Destination Keychain drop-down list, select login.
Locate and select your Client Certificate .p12 file and then, click Open.
In the Password box, type the password that you created when you exported your Client Certificate w/private key and then click OK.
Your Client Certificate w/private key is now imported into your login keychain, and you can use Safari and Chrome to log into your DigiCert account.

Chrome: Importing Your Client Certificate

In Chrome, go to Settings.
On the Settings page, below Default browser, click Show advanced settings.
Under HTTPS/SSL, click Manage certificates.
In the Keychain Access toolbar, click File > Import Items.
In the Keychain Access window, in the Destination Keychain drop-down list, select login.
Locate and select your Client Certificate .p12 file and then, click Open.
In the Password box, type the password that you created when you exported your Client Certificate w/private key and then click OK.
Your Client Certificate w/private key is now imported into your login keychain, and you can use Chrome and Safari to log into your DigiCert account.

Firefox: Importing Your Client Certificate

In Firefox, go to Preferences.
In the Preferences window, click Advanced, click the Certificates, and then click View Certificates.
In the Certificate Manage window, click Your Certificates and then, click Import.
In the Certificate File to Import window, in the Format drop-down list, select PKCS12 Files.
Then, go to and select your Client Certificate .pfx or .p12 file, and then click Open.
In the Certificate Manager, in the token drop-down list, select Software Security Device and click OK.
In the Password box, type the password that you created when you exported your Client Certificate w/private key and then, click OK.
When you receive the “Successfully restored your security certificate(s) and private key(s)” message, click OK.
Your Client Certificate w/private key is now imported in to the Firefox Certificate Store, and you can use Firefox to log into your DigiCert account.

(Mac) Removing the “This certificate was signed by an unknown authority” Warning Message

When you view your Client Certificate after it is installed or imported in to your login keychain, you may receive the “This certificate was signed by an unknown authority” warning message. The reason that you are receiving this message is because the Intermediate Certificate was not included in the Certificate Chain.

The certificate has been signed by DigiCert, and this message will not prevent you from being able to log into your DigiCert account. However, if you want to remove the warning message, all you need to do is install the Intermediate Certificate.

How to Remove the “This certificate was signed by an unknown authority” Warning Message

Open Keychain Access.
In the Finder window, under Favorites, click Applications, click Utilities, and then click Keychain Access.
In the Keychain Access window, under Keychains, click login, under Category, click Certificates, and then, double-click on your Client Certificate.
In your “Client Certificate” window, expand Details.
In the Extension Certificate Authority Information Access section, under Method #2 CA Issuers, to the right of URI, click the Intermediate Certificate link.
Your default browser (Safari or Chrome) should automatically download the Intermediate Certificate.
After your default browser (Safari or Chrome) downloads the Intermediate Certificate, double-click the certificate to open it and install it in your login keychain.
Close the Intermediate Certificate.
In your login keychain, where the warning message was located, you should now see the “This certificate is valid” message.

Managing Client Certificates | DigiCert.com (2024)

FAQs

Are client certificates secret? ›

A certificate is usually not considered secret information. Only the private key matching the public key in the certificate is secret, but this private key is not transmitted. The client certificate is signed by an authority whose public key is held on the server and this is all that is required.

Read On ›

What is the purpose of client certificate? ›

Client Certificates are digital certificates for users and individuals to prove their identity to a server. Client certificates tend to be used within private organizations to authenticate requests to remote servers.

Discover More Details ›

How are client certificates validated? ›

Validation is done by the server the same way the client validates the server's certificate. The client sends a signed certificate to the server. System SSL at the server decrypts the signature (message digest) using the public key of the client certificate issuer found in the server key database file.

Do companies check for certifications? ›

In conclusion, many employers check and verify job applicants' degree certificates, which has become a common practice in today's job market. With the increasing number of individuals using fake degrees to secure jobs, employers have implemented verification processes to ensure they are hiring the right candidate.

See Details ›

Can a client certificate be stolen? ›

Adversaries may steal or forge certificates used for authentication to access remote systems or resources. Digital certificates are often used to sign and encrypt messages and/or files. Certificates are also used as authentication material.

Find Out More ›

How secure are client certificates? ›

A client certificate is used to authenticate the client or user identity to the server. Server certificates perform encryption on data-in-transit to assure data confidentiality. Client certificate does not encrypt any data, it only serves as a more secure authentication mechanism than passwords.

Tell Me More ›

WHO issues client certificates? ›

Client certificate requirements

The client certificate is issued by an enterprise certification authority (CA). ...
The user or the computer certificate on the client chains to a trusted root CA.
The user or the computer certificate on the client includes the Client Authentication purpose.

More items...

Jun 20, 2023

Show Me More ›

Do client certificates expire? ›

The enrolled client certificate expires after a period of use. The expiration date of the certificate is specified by the server. To ensure continuous access to enterprise applications, Windows supports a user-triggered certificate renewal process.

Explore More ›

What is a client certificate chain? ›

A certificate chain is an ordered list of certificates, containing an SSL/TLS Certificate and Certificate Authority (CA) Certificates, that enable the receiver to verify that the sender and all CA's are trustworthy.

Where is the client certificate stored? ›

The client certificate that you generate is automatically installed in 'Certificates - Current User\Personal\Certificates' on your computer.

Show Me More ›

Is client certificate public or private? ›

Both the certificates do not owe any similarity except the word “certificate” and they both have keys named as public and private keys. Server and client certificate both hold a public and a private key.

Read The Full Story ›

Are client certificates secure? ›

Client certificates are used to limit the access to such information to legitimate requesters. Secure sockets layer (SSL) authentication is a protocol for establishing a secured communication channel for communication between a client and a server.

See Details ›

Is client certificate authentication secure? ›

Username and password authentication is based only on what the user knows (the password), but certificate-based client authentication also leverages what the user has (the private key), which cannot be phished, guessed or socially engineered.

Get More Info Here ›

What does a client certificate contain? ›

Your certificate would typically contain pertinent information like a digital signature, expiration date, name of client, name of CA certificate (Certificate Authority), revocation status, SSL/TLS version number, serial number, and possibly more, all structured using the X. 509 standard.