most browsers will auto select the right cert. But for browsers that dont support the keygen tag you have to create the cert including priv key and pw. you can of course create many certs for different users, you can of course also sign them yourself, no ca is needed besides for the ssl server cert. most of the points on that site is moot besides poor support on some browsers.