Web Browser Certificate Enrollment (CSR Generation) and Certificate Download to Smartcard or USB Token

by

Disclosure: I work for CISPL, Co. which develops Signer.Digital Browser Extension

Browser Extension may be used to Enroll Certificate (Generate CSR) and Download Certificate in Windows Certificate Store or Smartcard or USB Token from modern browsers. Browser extension provides JavaScript API which in turn talks to host application running on local machine to do the required operations in smartcard and returns response to JavaScript (or says users web page).

CSR generated using Browser Javascript API genCSR may be posted to CA Server for certificate generation or to your server if you want self signed certificate. Certificate and Trust Certificate chain received back from the server may be passed to ImportCer to import in the certificate store, smartcard or usb token.

API Available for Certifying Authorities in Signer.Digital Browser Extension are:

  1. Detect connected smartcard: (Autodetect connected Smartcard or USB Token)

SignerDigital.getPCSCReaders(onlyConnected = true) //List PCSC Readers, set paramater to false if you want to list all available readers

Example:

try 
{
    var SmartcardReaders = await SignerDigital.getPCSCReaders();
    var SCReaders = JSON.parse(SmartcardReaders);
    console.log(SmartcardReaders);
    console.log(SCReaders.length);
    if (SCReaders.length > 0)
    {
        $("#selSmartcard").empty();     //selSmartcard is HTML dropdown selector
        for (var i = 0; i < SCReaders.length; i++) {
            //ReaderNames are cryptic, convert to user friendly smartcard name
            var SCName = SignerDigital.getSCNameByReaderName(SCReaders[i]);  //Map PCSC ReaderName to User friendly smartcard name
            $("#selSmartcard").append(new Option(SCName));
        }
        
        //If Windows, add "Windows Certificate Store"
        if (SignerDigital.OSName == "Windows")
            $("#selSmartcard").append(new Option("Windows Certificate Store"));

        $('#selSmartcard option:eq(1)')
    }
}
catch (ErrorMsg) {
    alert(ErrorMsg);
}
  1. Generate CSR: (for Certificate Enrollment in Cert Store, Smartcard or USB Token)

SignerDigital.genCSR(PKCS11Lib, certSubject, certIssuer, keyBits = 2048, hasgAlgorithm = "SHA256", forceUserPinChangeIfDefault = false, , extensions = null)

To enforce password policy, viz. force user to change default password set by Smartcard manufacturer, set forceUserPinChangeIfDefault to true

Sample extensions parameter values:

{“SubjectAlternativeName”:”[email protected]”}
{“SubjectAlternativeName”:”DNSName=signer.digital;DNSName=charteredinfo.com;DNSName=multidomaincert.test”}
{“SubjectAlternativeName”:”URI=https://web.signer.digital;URI=https://help.signer.digital”}

  1. Import / Download Certificate (Import User Certificate and Trust Certificate Chain to Cert Store, Smartcard or USB Token)

SignerDigital.importCer(PKCS11Lib, b64Payload, certIssuer)

Json Model for b64Payload param above is: (Base64 of Json of below model)

public class ImportCertReq
{
    public string UserCertB64 ;     //May be null to just import Trust Chain
    public List<string> TrustChainB64;  //May be null to just import USer Certificate
}

Json Model for success Response from importCer promise is:

public class ImportCertResp
{
    public bool IsSuccessUserCertImport;
    public string UserCertImportOutcome; 
    public int TrustChainImportCount; 
    public string TrustChainImportOutcome; 
}

Generate CSR and Import Certificate api uses PKCS#11 library of smartcard or usb token for combability across OS. Thus, requires smartcard drivers to be installed on user’s windows pc before using these JavaScript API. For using Windows Certificate Store, pass PKCS11Lib as “Microsoft Enhanced RSA and AES Cryptographic Provider”.

Other useful properties and methods in Signer.Digital Extension

  1. SignerDigital.getHostDetails() //Check for SDHostVersion >= 2 for genCSR and certImport API to work

Response Model:

HostDetails 
{
    public string OS ;
    public string OSPlatform;
    public string SDHostType ;
    public string SDHostVersion ;
    public DateTime? UpdateCheckedOn ;
    public int CheckForUpdateAfterDays ;
}

  1. SignerDigital.OSName

  2. SignerDigital.OSSupported

  3. SignerDigital.getPkcsLibByProvider(ProviderName)

  4. SignerDigital.getSCNameByReaderName(ReaderName) //ReaderName obtained using promise getPCSCReaders() as listed in point 1 above.

  5. SignerDigital.getPkcsLibBySCName(SCName)

You may refer to SO Answer for other Certificate, Signing and Encryption/Decryption JavaScript APIs. These API uses Windows CSP and on Linux uses PKCS#11.

Above API may be tested live Here

Signer.Digital Generate CSR and Download Certificate Flow

Signer.Digital Browser Generate CSR and Download Certificate Flow

More Related Contents:

  1. Convert a CERT/PEM certificate to a PFX certificate
  2. Server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
  3. If I revoke an existing distribution certificate, will it mess up anything with existing apps?
  4. What is the certificate enrollment process?
  5. What happens when a code signing certificate expires?
  6. SAML: Why is the certificate within the Signature?
  7. Convert pfx format to p12
  8. How to check if a file has a digital signature
  9. How to find out the path for OpenSSL trusted certificates?
  10. RegEx to remove key and certificate headers and footers [duplicate]
  11. Getting Chrome to accept self-signed localhost certificate
  12. why doesn’t java send the client certificate during SSL handshake?
  13. How can I deploy an iPhone application from Xcode to a real iPhone device?
  14. OpenSSL: PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: TRUSTED CERTIFICATE [closed]
  15. Difference between openSSL rsautl and dgst
  16. How can I get a list of trusted root certificates in Java?
  17. Extract public/private key from PKCS12 file for later use in SSH-PK-Authentication
  18. Verify a certificate chain using openssl verify
  19. Cannot install signed apk to device manually, got error “App not installed”
  20. Convert PEM traditional private key to PKCS8 private key
  21. Is it possible to programmatically generate an X509 certificate using only C#?
  22. android webview with client certificate
  23. WinVerifyTrust to check for a specific signature?
  24. Can’t use HTTPS with ServerXMLHTTP object
  25. How to determine SSL cert expiration date from a PEM encoded certificate?
  26. SSL certificate is not trusted – on mobile only [closed]
  27. Wrong version of keystore on android call
  28. What happens on the wire when a TLS / LDAP or TLS / HTTP connection is set up?
  29. app-release-unsigned.apk is not signed
  30. Does anyone know a free(trial) timestamp server service? [closed]

Leave a Comment