diff --git a/Makefile b/Makefile
index 5d80d3aa..9f23115a 100644
--- a/Makefile
+++ b/Makefile
@@ -41,6 +41,7 @@ certs-test:
 	cp certs/sets/current/gen/crt/ca-untrusted-root.crt common/certs
 	cp certs/sets/current/gen/crt/client.p12 common/certs/${TEST_DOMAIN}-client.p12
 	cp certs/sets/current/gen/crt/client.pem common/certs/${TEST_DOMAIN}-client.pem
+	cp certs/sets/current/gen/crt/client-nopass.pem common/certs/${TEST_DOMAIN}-client-nopass.pem
 
 .PHONY: certs-prod
 certs-prod:
@@ -51,6 +52,7 @@ certs-prod:
 	cp certs/sets/current/gen/crt/ca-untrusted-root.crt common/certs
 	cp certs/sets/current/gen/crt/client.p12 common/certs/${PROD_DOMAIN}-client.p12
 	cp certs/sets/current/gen/crt/client.pem common/certs/${PROD_DOMAIN}-client.pem
+	cp certs/sets/current/gen/crt/client-nopass.pem common/certs/${PROD_DOMAIN}-client-nopass.pem
 
 .PHONY: clean-certs
 clean-certs:
diff --git a/certs/Makefile b/certs/Makefile
index fc3565dd..8f4676c8 100644
--- a/certs/Makefile
+++ b/certs/Makefile
@@ -73,7 +73,10 @@ $(O)/gen/crt/client.p12: $(O)/gen/crt/client.crt $(O)/gen/key/client.key
 	./tool gen-pkcs12-p12 $@ $(D) $^
 $(O)/gen/crt/client.pem: $(O)/gen/crt/client.p12
 	./tool pkcs12-convert-p12-pem $@ $(D) $^
+$(O)/gen/crt/client-nopass.pem: $(O)/gen/crt/client.p12
+	./tool pkcs12-convert-p12-pem-nopass $@ $(D) $^
 CHAINS_PROD += $(O)/gen/crt/client.pem
+CHAINS_PROD += $(O)/gen/crt/client-nopass.pem
 
 ################################
 $(O)/gen/key/ca-untrusted-root.key:
diff --git a/certs/tool b/certs/tool
index e10ba4d1..296ef230 100755
--- a/certs/tool
+++ b/certs/tool
@@ -72,6 +72,13 @@ pkcs12-convert-p12-pem)
     -passout "pass:$DOMAIN" \
     -in $1
   ;;
+pkcs12-convert-p12-pem-nopass)
+  openssl pkcs12 \
+    -out $OUT \
+    -clcerts \
+    -passin "pass:$DOMAIN" \
+    -in $1
+  ;;
 self-sign)
   openssl x509  -req  -CAcreateserial \
     -out $OUT \
diff --git a/domains/misc/badssl.com/download/index.html b/domains/misc/badssl.com/download/index.html
index 7de67856..9435818b 100644
--- a/domains/misc/badssl.com/download/index.html
+++ b/domains/misc/badssl.com/download/index.html
@@ -22,7 +22,7 @@ <h2>Client Certificates</h2>
   <table>
     <thead>
       <td>Download</td>
-      <td>Password</td>
+      <td>Passphrase</td>
       <td>Format</td>
     </thead>
     <tbody>
@@ -36,6 +36,11 @@ <h2>Client Certificates</h2>
         <td><b><code>{{ site.domain }}</code></b></td>
         <td>PEM</td>
       </tr>
+      <tr>
+        <td><a href="/certs/{{ site.domain }}-client-nopass.pem">{{ site.domain }}-client-nopass.pem</a></td>
+        <td>&mdash;</td>
+        <td>PEM</td>
+      </tr>
     </tbody>
   </table>
 </div>
@@ -45,14 +50,14 @@ <h2>Installation Instructions</h2>
 <div class="group">
   <ul>
     <li>
-      macOS: drag <code><a href="/certs/client.p12">client.p12</a></code> into Keychain Access.
+      macOS: drag <code><a href="/certs/{{ site.domain }}-client.p12">{{ site.domain }}-client.p12</a></code> into Keychain Access.
     </li>
     <li>
-      Firefox: import <code><a href="/certs/client.p12">client.p12</a></code> into the Your Certificates
+      Firefox: import <code><a href="/certs/{{ site.domain }}-client.p12">{{ site.domain }}-client.p12</a></code> into the Your Certificates
       section of the Certificate Manager.
     </li>
     <li>
-      YubiKeys: import <code><a href="/certs/client.pem">client.pem</a></code> using the following command:<br><br>
+      YubiKeys: import <code><a href="/certs/{{ site.domain }}-client.pem">{{ site.domain }}-client.pem</a></code> using the following command:<br><br>
       <code>yubico-piv-tool -a verify-pin -s 9a -a import-key -a import-cert -i {{ site.domain }}-client.pem</code>
     </li>
   </ul>

Download	Password	Passphrase	Format
`{{ site.domain }}`	PEM
{{ site.domain }}-client-nopass.pem	—	PEM