Get an MIT certificate

CertAssist is currently broken due to changes in how ca.mit.edu performs authentication.

Your new certificate will be saved as a PKCS #12 archive encrypted with your specified download password. You can then import this *.p12 file into your favorite browser.

Browser instructions (the steps depend on your browser and operating system):

Open the downloaded *.p12 file, and follow the steps of the Certificate Import Wizard.

Save the *.p12 file, then import it at Settings → Privacy & Security → Security → Manage certificates → Your Certificates → Import.

Save the *.p12 file, then import it at Options → Privacy & Security → Security → Certificates → View Certificates → Your Certificates → Import.

Save the *.p12 file, then import it at Preferences → Privacy & Security → Security → Certificates → View Certificates → Your Certificates → Import.

Open the downloaded *.p12 file, and follow the prompts to install your certificate.

Open the downloaded *.p12 file, and follow the prompts to add your certificate to the login keychain.

Firefox on Android does not currently support importing a certificate from a *.p12 file. However, you can install your certificate from ca.mit.edu directly. (Alternatively, if you have root access to your device, you may be able to import the *.p12 file manually.)

How does this work?

This uses the forms provided on ca.mit.edu and ca.csail.mit.edu to obtain certificates and let you download and import them, even if your browser lacks <keygen> support.

As a workaround for the absence of CORS headers on these servers, CertAssist uses a JavaScript TLS library to make an end-to-end encrypted and authenticated HTTPS connection to them. The encrypted connection is relayed over a WebSocket proxy on this server that does not need to be trusted (but is itself encrypted anyway, because it might as well be).

The downloaded certificate file is delivered from the client side using createObjectURL or data URL, depending on browser support.

This design ensures that your private information is only visible to your browser and ca.mit.edu or ca.csail.mit.edu, and is not exposed to this server.
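
The client-side delivery step described above, as an added example that is not CertAssist's own code: it hands PKCS #12 bytes to the user through createObjectURL when the browser supports it and falls back to a data URL otherwise, so the archive never goes back to a server. The function names, the env parameter, the application/x-pkcs12 MIME type and the 40-second release delay are assumptions made for illustration.

```javascript
// Added example (hypothetical names): deliver a PKCS #12 archive that was
// built in the browser without uploading it anywhere.
const P12_MIME = 'application/x-pkcs12'; // assumed MIME type for *.p12 files

// Base64-encode in chunks so a large archive does not exceed the argument
// limit of String.fromCharCode.
function bytesToBase64(bytes) {
  let binary = '';
  for (let i = 0; i < bytes.length; i += 0x8000) {
    binary += String.fromCharCode.apply(null, bytes.subarray(i, i + 0x8000));
  }
  return btoa(binary);
}

// Returns { url, kind, release }. `env` defaults to the global object; it is a
// parameter only so the fallback path can be exercised on any runtime.
function makeP12DownloadUrl(bytes, env = globalThis) {
  const canBlobUrl = typeof env.Blob === 'function' && !!env.URL &&
    typeof env.URL.createObjectURL === 'function';
  if (canBlobUrl) {
    const blob = new env.Blob([bytes], { type: P12_MIME });
    const url = env.URL.createObjectURL(blob);
    // Revoking the URL drops the browser's reference to the key material.
    return { url, kind: 'blob', release: () => env.URL.revokeObjectURL(url) };
  }
  // Fallback: the whole archive is embedded in the URL itself.
  const url = `data:${P12_MIME};base64,${bytesToBase64(bytes)}`;
  return { url, kind: 'data', release: () => {} };
}

// Browser-only helper: start the download, then release the object URL once
// the download has had time to begin.
function saveP12(bytes, filename) {
  const { url, release } = makeP12DownloadUrl(bytes);
  const a = document.createElement('a');
  a.href = url;
  a.download = filename;
  document.body.appendChild(a);
  a.click();
  a.remove();
  setTimeout(release, 40000);
}
```

With either path the private key exists only in page memory and in the saved file, which is still encrypted with the download password.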