Generate your client certificate

Set up your client certificate for CertCentral two-factor authentication

After your CertCentral administrator implements two-factor authentication or resets your client certificate, you must generate a client certificate the next time you sign in to your account.

On June 15, 2022, DigiCert will end support for client certificate key generation in Internet Explorer (IE) 11 and IE mode on Microsoft Edge. To continue to use browser-based key generation, use our new key generation service—supported by all major browsers.

Before you begin

Microsoft Edge IE-mode

By default, Microsoft Edge does not support key generation. However, you can enable IE mode for Edge. IE mode allows you to generate the keys for your client certificate in Microsoft Edge. For more information on enabling IE mode for Edge, see Microsoft's article, What is Internet Explorer (IE) mode.

Generate client certificate: Microsoft Edge, Safari, Google Chrome, and Firefox

Use DigiCert's new KeyGen tool to perform browser-based certificate key generation. KeyGen generates a keypair and then uses the public key to create a certificate signing request (CSR). KeyGen sends the CSR to DigiCert, and we send the certificate back. Then KeyGen downloads a PKCS12 (.p12) file that contains the certificate and the private key. The password you create during the certificate generation process below protects the PKCS12 file.

  1. Open a browser that supports DigiCert KeyGen client certificate generation:

    • Windows: Microsoft Edge, Google Chrome, or Firefox
    • macOS: Safari, Google Chrome, Firefox, or Microsoft Edge
  2. On the Two-Factor Authentication Client Certificate Initialization page, verify that the name, email address, and organization are correct.

  3. Create and confirm your certificate password.

    You will use this password each time you install your certificate. If you forget your password, you won't be able to install the certificate. So, make sure to store it safely, such as in a password manager.

    If you lose your password, contact your CertCentral account administrator. They will need to reset your client certificate. See Reset a client certificate or OTP app or device.

  4. Review the Master Service Agreement and then check I agree to the terms of the subscriber agreement.

  5. When ready, select Generate Certificate.

  6. Verify your .p12 certificate file was successfully generated and downloaded.

  7. Use your password to open the .p12 file and install your client certificate in your personal certificate store.

  8. When the browser presents your client certificates, select your newly generated client certificate and select OK.

  9. Sign in to your CertCentral account.

    You should now be able to use two-factor authentication—your credentials (username and password) and your new client certificate—to sign in to your account.
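Before installing the downloaded .p12 file, you can confirm from a terminal that your password opens it and that the certificate inside matches its private key. The script below is an added example, not DigiCert tooling; it assumes the `openssl` command-line tool is installed, and the function names, the `P12_PASS` variable, and the self-signed sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: sanity-check a downloaded .p12 before installing it.
# The password is read from the P12_PASS environment variable so it does
# not appear in the process list (as it would with -passin pass:...).

# check_p12 FILE: returns 0 only if the password opens the file, the
# certificate matches the private key, and the certificate is not expired.
check_p12() {
    p12=$1
    # 1. Password check: fails if the PKCS12 integrity MAC does not verify.
    openssl pkcs12 -in "$p12" -passin env:P12_PASS -noout 2>/dev/null ||
        { echo "FAIL: wrong password or unreadable file" >&2; return 1; }
    # 2. Extract the client certificate only (no private key).
    cert=$(openssl pkcs12 -in "$p12" -passin env:P12_PASS -nokeys -clcerts \
        2>/dev/null | openssl x509 2>/dev/null) ||
        { echo "FAIL: no client certificate in file" >&2; return 2; }
    # 3. Compare the certificate's public key with the one derived from the
    #    private key. The key only passes through a pipe, never to disk.
    cert_pub=$(printf '%s\n' "$cert" | openssl x509 -noout -pubkey)
    key_pub=$(openssl pkcs12 -in "$p12" -passin env:P12_PASS -nocerts -nodes \
        2>/dev/null | openssl pkey -pubout 2>/dev/null)
    [ -n "$key_pub" ] && [ "$cert_pub" = "$key_pub" ] ||
        { echo "FAIL: certificate does not match private key" >&2; return 3; }
    # 4. Expiry check, then print who the certificate was issued to.
    printf '%s\n' "$cert" | openssl x509 -noout -checkend 0 >/dev/null ||
        { echo "FAIL: certificate has expired" >&2; return 4; }
    printf '%s\n' "$cert" | openssl x509 -noout -subject -enddate
}

# make_sample_p12 DIR: writes DIR/sample.p12, a constructed self-signed
# stand-in for a real download, protected with $P12_PASS.
make_sample_p12() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Test User/O=Example Org" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$1/key.pem" -in "$1/cert.pem" \
        -passout env:P12_PASS -out "$1/sample.p12" 2>/dev/null
}

# Demo on the constructed sample. For a real file, set and export P12_PASS
# without echoing it, then call check_p12 on the downloaded .p12.
tmp=$(mktemp -d)
export P12_PASS='constructed-demo-password'
make_sample_p12 "$tmp" && check_p12 "$tmp/sample.p12"
```

A non-zero exit status identifies which check failed: 1 for a wrong password or unreadable file, 2 for a missing certificate, 3 for a key mismatch, and 4 for an expired certificate.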

What's next

Each time you sign in to CertCentral, use your client certificate to complete the two-factor authentication sign-in process.

Generate client certificate: Internet Explorer (IE) or Microsoft Edge – IE mode

  1. Open a browser that supports client certificate generation:

    • Windows: IE 11 or Microsoft Edge – IE mode
  2. On the Two-Factor Authentication Client Certificate Initialization page, select Generate Certificate.

  3. When the browser presents your client certificates, select your newly generated client certificate and select OK.

  4. You should now be in your CertCentral account.

What's next

Each time you sign in to CertCentral, use your client certificate to complete the two-factor authentication sign-in process.

Where's my client certificate?

  • Internet Explorer, Microsoft Edge, and Google Chrome install client certificates in the Windows Certificate Store. Microsoft Edge, Chrome, and Internet Explorer can access and use these client certificates. To use a client certificate with Firefox, export a copy from the Windows Certificate Store and install it in Firefox.
  • Safari, Google Chrome, and Microsoft Edge install client certificates in Keychain Access. Safari, Chrome, and Microsoft Edge can access and use these client certificates. To use a client certificate with Firefox, export a copy from Keychain Access and install it in Firefox.
  • Firefox installs client certificates in the Firefox certificate store. Only Firefox can access these certificates. To use the client certificate with Chrome, Safari, or Microsoft Edge, export a copy from the Firefox certificate store and install it in the operating system's certificate store.

For more information, see Managing Your Client Certificate.

What should I do if I lose my client certificate?

Immediately contact your CertCentral account administrator, so they can reset your client certificate. Then sign in to your CertCentral account and generate a new client certificate. See Reset a client certificate or OTP app or device.