Generating a cert at subdomain.databox.me/,system/newCert with subdomain's WebID profile enables you to immediately authenticate as them.
@deiu identified that this is because newCert updates the profile with the new key without checking ACLs first, and has now fixed this.
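
A minimal model of the missing check described above, as an added example that is not code from the server or from its fix. `Store`, `AddKeyUnchecked`, `AddKeyChecked` and the sample WebID are hypothetical, and treating an unknown profile as account creation is an assumption.

```go
package main

import (
	"errors"
	"fmt"
)

// Owner is a constructed sample WebID, not a real account.
const Owner = "https://alice.example/profile/card#me"

// Store is a hypothetical in-memory stand-in for profile and ACL storage.
type Store struct {
	Keys    map[string][]string        // profile URI -> keys listed in that profile
	Writers map[string]map[string]bool // profile URI -> agents granted Write
}

var ErrForbidden = errors.New("requester lacks Write access to profile")

// AddKeyUnchecked mirrors the reported flaw: no ACL lookup before the write.
func (s *Store) AddKeyUnchecked(requester, profile, key string) error {
	s.Keys[profile] = append(s.Keys[profile], key)
	return nil
}

// AddKeyChecked consults the ACL first. Assumption: an unknown profile means
// account creation, and the new WebID becomes its own writer.
func (s *Store) AddKeyChecked(requester, profile, key string) error {
	if _, exists := s.Keys[profile]; !exists {
		s.Writers[profile] = map[string]bool{profile: true}
	} else if !s.Writers[profile][requester] {
		return ErrForbidden
	}
	s.Keys[profile] = append(s.Keys[profile], key)
	return nil
}

// NewDemoStore returns constructed sample data: one profile holding one key.
func NewDemoStore() *Store {
	return &Store{
		Keys:    map[string][]string{Owner: {"owner-key"}},
		Writers: map[string]map[string]bool{Owner: {Owner: true}},
	}
}

func main() {
	s := NewDemoStore()
	fmt.Println(s.AddKeyChecked("", Owner, "other-key"), s.Keys[Owner])
	fmt.Println(s.AddKeyUnchecked("", Owner, "other-key"), s.Keys[Owner])
}
```

Because a WebID profile's key list is what a presented certificate is checked against, any write to that list has to pass the same ACL as any other write to the profile document.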