On 2009-11-30 00:41 PST, ivanatora wrote:

> Hello,
> My goal is to get a user signed into my site with a client login
> certificate. Some sites like OpenID or cacert.org do it, so it must be
> possible :)

Yes.

> First I tried to generate the client certificate at the server side
> (generate CSR, sign CSR, export into x509, pack keys and certificate into
> PKCS12, send that file to the user) and it works. However I feel this is
> not the right way to do it.

I agree.

> The sites I've mentioned generate the certificate on the client's machine
> with that JavaScript function: generateCRMFRequest() then send the CSR to
> the server and the server processes it in some way.

generateCRMFRequest generates a key pair and a CRMF Request (which is like
a CSR). The JavaScript that calls that function then sends the CRMF Request
to the server, which treats it like a CSR, issues a certificate from it, and
then downloads the certificate to the browser.

> I've done a couple of Google searches but all results I get are about
> "CRMF output from JS is not compatible with OpenSSL".

The version of CRMF used in Firefox is a somewhat old but nonetheless open
standard. Perhaps OpenSSL doesn't claim to support it. There are other CA
programs that do. (OpenSSL wasn't intended to be an operational CA program.)

My advice: Don't limit yourself to OpenSSL. Look at DogTag, an open source
CA product that works well with Firefox.

> Can anyone tell me what is the correct way to generate client certificate
> and process it (sign) server-side?

I would not say there is one single correct way. There are numerous correct
ways.

generateCRMFRequest is one of two methods directly supported in Firefox for
generating key pairs and creating a self-signed document that is something
like (but not identical to) a PKCS#10 CSR. The other supported method is to
use the HTML <KEYGEN> tag. It generates a document known as a SPKAC. While
SPKAC is not an official standard of any standards body, it is an openly
published format, and IIRC OpenSSL does support it.

There are also third party browser extensions that offer yet other means of
doing this. I expect we'll hear from one or more of the people who offer
them in reply to your message here, pretty soon.

> Regards,
> Ivan.

-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto