In-Browser Installation of Client Certificates

In-Browser Installation of Client Certificates

GlobalSign offers different certificate delivery methods for PersonalSign products, one of which is installing directly through the browser. Enterprise PKI administrators can set the default delivery option in their ePKI profile. 

Individuals ordering from our retail site can choose this option by clicking Show Advanced Key Generation Options and choosing I will create the public/private keypair and CSR with Firefox or Internet Explorer.

Browser Compatibility

  PKCS #12
(.pfx) Pickup
PKCS #10
(Provide CSR)
Google Chrome 1 - 48
Google Chrome 49+
Microsoft Internet Explorer
Microsoft Edge
Mozilla Firefox

Google Chrome: As of Chrome 49, the <keygen> function has been disabled by default and digital certificate file types are downloaded instead of installed. While the keygen function can manually be enabled, the custom filetype handling is still removed, therefore installation through Google Chrome is not supported.

Microsoft Internet Explorer: IE uses the CertEnroll/XEnroll ActiveX control to generate and install certificates through the browser.

Microsoft Edge: Neither the <keygen> nor the CertEnroll/XEnroll ActiveX controls are present in Microsoft's new Edge browser.

Mozilla Firefox: This browser supports key generation and certificate installation by default through the <keygen> function and special certificate file type handling.

Note: While Firefox supports in-browser certificate installation, it uses its own keystore to store the certificate and is not shared with other applications. Installing through Internet Explorer will install the certificate to the Windows Certificate Store which is used by other applications such as Microsoft Office, Outlook, and Google Chrome. For this reason, Internet Explorer is recommended and is used in the example screenshots.



Note: The default Cryptographic Service Provider should be Microsoft Enhanced Cryptographic Provider v1.0. Other providers may appear in the dropdown if you use smartcards in your environment. Selecting your smart card's CSP, such as Microsoft Base Smart Card Crypto Provider will install the certificate onto the smart card.

  1. When a PersonalSign certificate is ready for pickup, an e-mail will be sent out. Open the link from the pickup e-mail in Internet Explorer or Firefox to start the certificate pickup process.
  2. Enter the pickup password created during the ordering process:
  3. When prompted, click Yes to allow your browser to handle a digital certificate operation.
  4. Unless disabled at the profile level by your admin, check the box to mark your key as exportable. This will allow you to make backups of your certificate or move it to other computers and devices as needed.
  5. Agree to the subscriber agreement and press Next to continue.
  6. Wait for a while... message will display while the certificate is being generated.
  7. Once the certificate is generated, click Install Certificate
  8. You will get another prompt to allow your browser to handle a digital certificate operation. Click Yes.  
  9. An Install Success window will appear when the operation completes successfully. 

The certificate is now installed and ready for use.

Related Articles

GlobalSign System Alerts

View recent system alerts.

View Alerts

Certificate Inventory Tool

Scan your endpoints to locate all of your Certificates.

Log In / Sign Up

SSL Configuration Test

Check your certificate installation for SSL issues and vulnerabilities.