They can be generated and installed into the OS keystore by your browser automatically. By the low standards of crypto it works pretty well. Any old email client supports it out of the box.
Or, you can avoid the obvious problem in using a certificate generated by a non-trustable actor and use one which relies on the WoT instead: http://cacert.org