Generating client side certificates in browser and signing on server

by

Yes, it’s possible. There are no cross-browser solutions, though.

  • For Internet Explorer, you will have to use some ActiveX controls using X509Enrollment.CX509EnrollmentWebClassFactory or CEnroll.CEnroll, depending on whether it’s running on Windows XP or Vista/7. This will generate a PKCS#10 certificate request (which you may need to wrap between the traditional delimiters.
  • For the rest, you should be able to use the <keygen /> tag. It’s a legacy Netscape tag, not officially HTML before, but it has made it into HTML 5 (although MS have said they wouldn’t support it in their implementations). This will generate a SPKAC structure (similar to a CSR).
  • For Firefox (although it supports keygen), you can use the CRMF functions.

Here is an example script that should do most of the work for ActiveX or Keygen.

When the server sends a certificate in return (possibly later), the browser should import it into its store and associate it with the private key it had generated at the time of the request.

How the private key is protected will depend on the browser or underlying certificate store mechanism. In Firefox, there should be a master password on the security device, for example.

On the server side, you can implement your own CA using various tools. OpenSSL and BouncyCastle can handle PKCS#10 and SPKAC. Here is a BouncyCastle-based example (associated with the script above), and some code for CRMF.

If you want a ready-made solution, you may be interested in something like OpenCA.

More Related Contents:

  1. How to generate a self-signed SSL certificate using OpenSSL?
  2. Installation SSL in wamp server: Error in httpd-ssl.conf
  3. Security consequences of disabling CURLOPT_SSL_VERIFYHOST (libcurl/openssl)
  4. How can I generate a self-signed certificate with SubjectAltName using OpenSSL? [closed]
  5. Docker container SSL certificates
  6. How do I restore a missing IIS Express SSL Certificate?
  7. Third-Party Signed SSL Certificate for localhost or 127.0.0.1?
  8. Use self signed certificate with cURL?
  9. How to install OpenSSL in windows 10?
  10. How to add subject alernative name to ssl certs?
  11. Difference between self-signed CA and self-signed certificate [closed]
  12. Why does Python requests ignore the verify parameter?
  13. curl: Unknown error (0x80092012) – The revocation function was unable to check revocation for the certificate
  14. Trust Anchor not found for Android SSL Connection
  15. curl: (60) SSL certificate problem: unable to get local issuer certificate
  16. SSL certificate rejected trying to access GitHub over HTTPS behind firewall
  17. bypass invalid SSL certificate in .net core
  18. SSL Connection / Connection Reset with IISExpress
  19. “verify error:num=20” when connecting to gateway.sandbox.push.apple.com
  20. Java SSL: how to disable hostname verification
  21. Can you use a service worker with a self-signed certificate?
  22. curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number
  23. Connecting to a Websphere MQ in Java with SSL/Keystore
  24. SSL errors using MailChimp’s API
  25. Google App Script – MySql 8 – JDBC Connection Failed
  26. SSL Certificate add failed when binding to port
  27. How Can I Access an SSL Connection Through Android?
  28. SSLHandshakeException: Received fatal alert: handshake_failure when setting ciphers on tomcat 7 server
  29. What is CA certificate, and why do we need it?
  30. Java Keytool error after importing certificate , “keytool error: java.io.FileNotFoundException & Access Denied”

Leave a Comment