Here is a scenario I have tested.
Step 1. Setup CA by entering CA Name details etc.
Step 2. Generate a CSR from geronimo-default keystore and process the server certificate request using "Issue New Certificate" link in CA portlet.
Step 3. Import CA's certificate as trusted and the CA reply.
Step 4. Setup an HTTPS Connector configured for client authentication.
Step 5. Start the CA Helper application from "Web App WARs" portlet
In a second browser window,
Step 6. Access the CA Helper Application at http://localhost:8080/CAHelper through a web browser that supports KEYGEN tag. Internet Explorer does not support KEYGEN tag.
Step 7. Submit a Certificate Request through web brower using "Request Certificate" link. Upon submission the request shows up in "Requests to be verified" page in CA portlet. NOTE: Make a note of the request id as it will be required to download the cerfiticate issued by the CA.
In CA portlet,
Step 8. Approve the request through CA portllet using "Requests to be verified" link. Approved requests showup in "Requests to be fulfilled" page.
Step 9. Process the request from "Requests to be fulfilled" page and issue certificate.
In the CA Helper window,
Step 10. Import CA's certificate into web browser suing "Download CA certificate" link.
Step 11. Install personal certificate using the "Download Certificate" link and request id from Step 7 above.
Step 12. Access the verify certificate link to verify that the certificate is downloaded and installed.
Summary of the scenario: CA is setup; a certificate request is submitted through web browser and issued certificate is downloaded into the web browser.