We are in the process of creating our own CA, but I am not sure how to properly sign CSRs.
I am thinking of generating both the CSR and the cert on the server (and having the user download a p12 or an installer), or creating a Windows app and having the user download it in order to work, but this will of course expose their private key to my app.
What would you recommend?
It seems the Keygen tag has been deprecated in Chrome, and there is no standard way to request a certificate from a browser. Actually, CAs require you to create your own keypair + CSR, for example using openssl, or provide a form to autogenerate it and copy & paste it into a file on your computer.
Do not generate a certificate on the server and send it to the client. This is a critical and high-risk process. If the process is not secure, your CA will not be valid and will not be certified (assuming you need it).
Options:
Generate the keypair and CSR on the client side, send the CSR to the server and receive the signed certificate: you can use openssl, a local application, an HTML form, or automate the process using the WebCryptography API (or another JavaScript library).
Generate the certificate on the server and use it remotely: the certificate must be conveniently secured, mainly using an HSM (in the EU, this is mandatory for a trusted CA that wants to store user certificates), and the usage of the certificate is locked with credentials, usually with two-factor authentication, e.g. username/password + SMS.
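The first option in the answer above (key and CSR created on the client, only the CSR sent to the CA, signed certificate returned), shown end to end with the openssl CLI. This is an added example, not code from the original question or answer; the directory layout, the "Example Internal CA" name, the `alice@example.test` subject and the extension policy are all made up for the demo. It assumes a POSIX shell and an `openssl` binary on the path.

```shell
#!/bin/sh
# Added example (not from the original post): client-side key + CSR, a CA that
# signs the CSR under its own extension policy, and a chain check on the result.
# Assumes POSIX sh and the openssl CLI; every name and subject here is invented.
set -e

# Client side. The private key is generated in the client's directory and is
# never copied anywhere else; only user.csr leaves this directory.
# -nodes leaves the key unencrypted purely to keep the demo non-interactive.
client_make_key_and_csr() {   # $1 = client dir, $2 = subject CN
    mkdir -p "$1"
    printf '[ req ]\ndistinguished_name = dn\nprompt = no\n[ dn ]\n' > "$1/req.cnf"
    openssl req -new -newkey rsa:2048 -nodes -config "$1/req.cnf" \
        -keyout "$1/user.key" -out "$1/user.csr" -subj "/CN=$2" 2>/dev/null
}

# CA side. One config file carries the CA's own profile (v3_ca) and the
# profile it imposes on every certificate it issues (v3_leaf).
ca_init() {   # $1 = CA dir
    mkdir -p "$1"
    cat > "$1/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = Example Internal CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_leaf ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 \
        -config "$1/ca.cnf" -extensions v3_ca \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

ca_sign_csr() {   # $1 = CA dir, $2 = CSR received from the client, $3 = output cert
    # Proof of possession: the CSR must verify under the public key it carries.
    openssl req -in "$2" -noout -verify 2>/dev/null
    # Extensions come from the CA's v3_leaf profile, not from the CSR, so a
    # requester cannot ask for CA:TRUE or extra key usages.
    openssl x509 -req -in "$2" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 365 -sha256 \
        -extfile "$1/ca.cnf" -extensions v3_leaf -out "$3" 2>/dev/null
    # Confirm the issued certificate chains to the CA before returning it.
    openssl verify -CAfile "$1/ca.crt" "$3" >/dev/null
}

# Runs the whole exchange in a fresh temp directory and prints its path.
demo_issue_cert() {
    work=$(mktemp -d)
    ca_init "$work/ca"
    client_make_key_and_csr "$work/client" "alice@example.test"
    cp "$work/client/user.csr" "$work/ca/inbox.csr"   # the only upload: the CSR
    ca_sign_csr "$work/ca" "$work/ca/inbox.csr" "$work/ca/user.crt"
    cp "$work/ca/user.crt" "$work/client/user.crt"    # the cert goes back; the key never moved
    echo "$work"
}

main() {
    w=$(demo_issue_cert)
    openssl x509 -in "$w/client/user.crt" -noout -subject -issuer
    openssl x509 -in "$w/client/user.crt" -noout -text | grep 'CA:'
}

# Usage: sh ca_demo.sh run
if [ "${1:-}" = "run" ]; then main; fi
```

The point the answer makes is visible in the directory layout afterwards: `client/user.key` exists, `ca/` holds only the CSR, the CA key and the issued certificate, and the CA decided the certificate's extensions itself rather than copying whatever the CSR asked for. In a real deployment the client key would be protected by a passphrase or held in a token instead of `-nodes`, and the CA key would sit in an HSM as the second option describes.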