Stage 2 · mTLS Identity

Your certificate, generated here.

Your private key is generated in this browser and stored in your device's OS keychain — it never leaves your device. Only a certificate signing request is sent to entityOS — we sign it with the private CA and return your certificate ready to install.

Algorithm: ECDSA P-256
Validity: 500 days
Key custody: OS Keychain
Certificate Registration: 1. Details  2. Key gen  3. Sign  4. Download

Security code: provided by your system administrator.

Email: embedded as the Subject Alternative Name in your certificate.

Install your certificate

Password:

Your .p12 file has been downloaded automatically. If not, download it here.

macOS
  1. Double-click the .p12 — Keychain Access will open.
  2. Enter the password above when prompted.
  3. Restart your browser — entityOS will now recognise your identity.
Windows
  1. Double-click the downloaded .p12 — Certificate Import Wizard will open.
  2. Select Current User, click Next.
  3. Enter the password above when prompted.
  4. Place the certificate in Personal store, click Finish.
  5. Restart your browser — entityOS will now recognise your identity.
iPhone / iPad
  1. Open this page on your iPhone, then tap the download link above to save the .p12.
  2. Tap the .p12 file — iOS will prompt to install a profile.
  3. Go to Settings → General → VPN & Device Management and tap the downloaded profile.
  4. Tap Install and enter your device passcode.
  5. Enter the certificate password above when prompted.
  6. Safari will now present your certificate automatically for entityOS mTLS services.
Android
  1. Tap the download link above to save the .p12 to your device.
  2. Go to Settings → Security → Encryption & credentials → Install a certificate.
  3. Select VPN & app certificate (or User certificate depending on your device).
  4. Browse to and select the .p12 file.
  5. Enter the certificate password above when prompted.
  6. Give the certificate a name (e.g. entityOS) and tap OK.
  7. Chrome on Android will now present your certificate for entityOS mTLS services.

Optional

Your certificate was issued by the entityOS Certificate Authority (CA). Install the CA certificate once to trust it — the red warning will disappear and your certificate will be verified automatically.

macOS: Double-click the downloaded .pem → Keychain Access → expand Trust → set When using this certificate to Always Trust.
Windows: Double-click → Install Certificate → Place in Trusted Root Certification Authorities.

Keep this file secure. Your private key is the credential that proves your identity to entityOS. Store it in a password manager or encrypted vault. Do not share it, email it, or commit it to source control.

Under the hood

How your certificate is created

01 · Key pair generation (Browser)

Your browser uses the Web Cryptography API (window.crypto.subtle) to generate an ECDSA P-256 key pair. The private key is stored in your device's OS keychain after install — it never leaves your device, not even to entityOS.

02 · Certificate Signing Request (Browser)

The browser constructs a PKCS#10 CSR containing your public key, a unique identity derived from your security code, and your email address as a Subject Alternative Name. Only the CSR — never the private key — is transmitted to entityOS.

03 · Signing by AWS Private CA (Server)

The entityOS Lambda validates your security code and submits the CSR to AWS Private Certificate Authority. The CA signs your public key, producing a trusted X.509 client certificate valid for 5 days by default (configurable). A binding record is written to encrypted S3 storage.

04 · PKCS#12 packaging & download (Browser)

The signed certificate is returned to your browser, which packages it with your private key into a PKCS#12 (.p12) file — the universal format for OS certificate stores. Install it once and your browser presents it automatically on every entityOS mTLS connection.