Open
Bug 1088063
Opened 10 years ago
Updated 2 years ago
Create a WebCrypto based API for managing TLS client certificates
Categories
(Core :: DOM: Web Crypto, defect, P3)
NEW
People
(Reporter: rbarnes, Unassigned)
Details
(Whiteboard: [domsecurity-backlog2])
Web sites used to be able to create and import client certificates using <keygen>, generateCRMFRequest(), and importUserCertificate(). But we removed those functions.
https://developer.mozilla.org/en-US/docs/Archive/Mozilla/JavaScript_crypto
So there is no way to manage client certificates "in band" today. You have to go to the certificate manager in the preferences and manually install a cert.
WebCrypto gives us a sensible way to replace the above functions, in that <keygen> can be replaced with crypto.subtle.generateKey(), and the cert generation things can be replaced with JS/XHR. The only missing piece is the import.
We should expose a simple API that allows JS to set and inspect the private key and certificate that should be used for TLS to a given HTTPS origin (the origin of the JS). It seems to me that this could be functionally quite similar to document.cookie -- something like document.tlsClient.certificate and document.tlsClient.privateKey
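As an added illustration (not code from this bug or from Firefox), the sketch below shows the part of the `<keygen>` flow that WebCrypto already covers: generating a non-extractable key pair with crypto.subtle.generateKey() and building the SignedPublicKeyAndChallenge structure that `<keygen>` used to submit to a CA. The helper names `der`, `concat` and `generateSpkac`, the SHA-256 signature choice and the challenge value are assumptions of this example; installing the issued certificate for TLS still has no script API, which is the gap described above.

```javascript
// Added example (not from the bug): a WebCrypto stand-in for <keygen>.
// Works in browsers; the fallback covers Node versions without a global crypto.
const { subtle } = globalThis.crypto ?? require("node:crypto").webcrypto;

// Concatenate byte arrays.
function concat(parts) {
  const out = new Uint8Array(parts.reduce((n, p) => n + p.length, 0));
  let off = 0;
  for (const p of parts) { out.set(p, off); off += p.length; }
  return out;
}

// Minimal DER TLV encoder with definite lengths (hypothetical helper).
function der(tag, ...parts) {
  const body = concat(parts);
  const len = [];
  for (let n = body.length; n > 0; n >>>= 8) len.unshift(n & 0xff);
  const head = body.length < 0x80 ? [tag, body.length] : [tag, 0x80 | len.length, ...len];
  return concat([Uint8Array.from(head), body]);
}

// AlgorithmIdentifier: sha256WithRSAEncryption (1.2.840.113549.1.1.11), NULL parameters.
const SHA256_RSA = Uint8Array.from(
  [0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00]);

// Build a SignedPublicKeyAndChallenge, the structure <keygen> used to submit.
async function generateSpkac(challenge) {
  const keys = await subtle.generateKey(
    { name: "RSASSA-PKCS1-v1_5", modulusLength: 2048,
      publicExponent: new Uint8Array([1, 0, 1]), hash: "SHA-256" },
    false,                 // private key cannot be exported by page script
    ["sign", "verify"]);
  const spki = new Uint8Array(await subtle.exportKey("spki", keys.publicKey));
  // PublicKeyAndChallenge ::= SEQUENCE { spki, challenge IA5String }
  const pkac = der(0x30, spki, der(0x16, new TextEncoder().encode(challenge)));
  const sig = new Uint8Array(
    await subtle.sign("RSASSA-PKCS1-v1_5", keys.privateKey, pkac));
  // SEQUENCE { pkac, signatureAlgorithm, signature BIT STRING (0 unused bits) }
  const spkac = der(0x30, pkac, SHA256_RSA, der(0x03, Uint8Array.of(0), sig));
  return { keys, pkac, sig, spkac };
}
```

The `spkac` bytes would be sent to the CA over XHR or fetch; the CA verifies the signature over `pkac` to confirm possession of the private key before issuing a certificate.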
Updated•9 years ago
Component: DOM: Security → Security
Updated•8 years ago
Component: Security → DOM: Security
Updated•8 years ago
Priority: -- → P3
Whiteboard: [domsecurity-backlog2]
Blocks: 1315460
Comment 1•8 years ago
An additional function to close a [client certificate authenticated] tls session (Logout) would be helpful here, so that users don't have to restart Firefox every time.
Comment 2•8 years ago
As Chrome 57 will deprecate <keygen> ( https://www.chromestatus.com/features/5716060992962560 ) this should get a focus for business needs and WebID. Please consider adjusting the prioritization.
Flags: needinfo?(rlb)
Reporter
Updated•8 years ago
Flags: needinfo?(rlb)
Comment 3•7 years ago
We also use the keygen and import possibility in production on Firefox... What is the alternative way to do this now, if you really want to sadly remove this feature?
Comment hidden (advocacy)
Comment 6•6 years ago
As you can read on
https://github.com/w3c/webauthn/issues/1027
webauthn is NOT a replacement for client certification or the authentication of users.
You always need to buy hardware to be able to use webauthn; a hardware-free implementation is missing.
Please do not stop supporting keygen until webauthn has the possibility to use public keys without any hardware given!
Updated•6 years ago
Component: DOM: Security → DOM: Web Crypto
Updated•2 years ago
Severity: normal → S3