Browser requests

Confusa certificate requests can also be made from within the browser window. The crypto APIs of the different browsers are used to generate a CSR and a corresponding key. The key goes to the browser's keystore, while the CSR is signed by the CA and the resulting certificate is imported back into the browser once signing is done. The browser can identify matching public/private key pairs and lets the user export the result, usually in the form of a PKCS#12 file.

The following table shows the currently supported browsers in Confusa:

| Browser                        | Used method                     | Request format | Response format                            | Tested version                |
|--------------------------------|---------------------------------|----------------|--------------------------------------------|-------------------------------|
| Internet Explorer (pre Vista)  | Xenroll.dll (via JavaScript)    | PKCS#10        | PKCS#7 (full chain)                        | IE 7 on Windows Server 2003   |
| Internet Explorer (post Vista) | CertEnroll.dll (via JavaScript) | PKCS#10        | PKCS#7 (full chain)                        | IE 8 on Windows Vista         |
| Firefox                        | keygen-tag                      | SPKAC          | PKCS#7 (cert-only)                         | Firefox 3.0.13 on Ubuntu 8.10 |
| Safari                         | keygen-tag                      | SPKAC          | PKCS#7 (cert-only), user must double-click | Safari 3 on MacOS X           |
| Opera                          | keygen-tag                      | SPKAC          | PKCS#7 (cert-only)                         | Opera 9.64 on Ubuntu 8.10     |

Browsers tested and found not to work:
Google Chrome on Vista (will not generate any keys using the keygen tag)

How does it work?

Key generation has to take place on the user's computer; this is required by EUGridPMA policy. Therefore either JavaScript using the Windows/Mozilla CryptoAPI is used, or the <keygen>-tag, which is supported by browsers like Firefox, Opera and Safari. To keep key generation dynamic, a lot of data flows between the JavaScript on the user's side and the CertManager classes in the Confusa backend. When the user clicks "Start" in the graphical interface, a private key and a certificate signing request are generated first. Then the information is passed as shown in the following diagram:

Flow diagram of certificate processing in the browser
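The security-relevant step in this flow is what the backend does with the SPKAC (or PKCS#10) blob before anything is forwarded to the CA: the self-signature proves the browser really holds the private key belonging to the submitted public key, and the challenge string inside an SPKAC ties the request to the session that rendered the form, so a captured SPKAC cannot be replayed into another user's enrolment. The following Python is an added example, not Confusa code and not part of CertManager: it builds an SPKAC the way the <keygen>-tag does (RSA key, md5WithRSAEncryption signature over the PublicKeyAndChallenge, which is the algorithm the keygen format specifies) with a small self-contained DER encoder and a throwaway key, then runs the checks a backend would need. The function names, the 1024-bit demo key and the session nonce are constructed for the example; the key generator is deliberately simplistic and only exists so the example runs offline.

```python
import base64, hashlib, hmac, math, random

# DER-encoded OIDs found in an SPKAC (real PKCS#1 / Netscape values)
OID_RSA = bytes.fromhex("06092a864886f70d010101")      # rsaEncryption
OID_MD5 = bytes.fromhex("06082a864886f70d0205")        # md5
OID_MD5_RSA = bytes.fromhex("06092a864886f70d010104")  # md5WithRSAEncryption
NULL = b"\x05\x00"

# --- minimal DER encoder/decoder, just what an SPKAC needs ---
def tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")   # long-form length
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def der_int(i):            # leading zero byte keeps a top-bit-set INTEGER positive
    return tlv(0x02, i.to_bytes(i.bit_length() // 8 + 1, "big"))

def der_seq(*items):
    return tlv(0x30, b"".join(items))

def der_bitstring(data):   # zero unused bits
    return tlv(0x03, b"\x00" + data)

def der_read(data, pos=0):
    """One TLV at pos -> (tag, contents, end); data[pos:end] is the whole element."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    if pos + length > len(data):
        raise ValueError("truncated DER element")
    return tag, data[pos:pos + length], pos + length

def der_children(body):
    """All TLVs inside a constructed body -> [(tag, contents, raw_element)]."""
    out, pos = [], 0
    while pos < len(body):
        tag, inner, end = der_read(body, pos)
        out.append((tag, inner, body[pos:end]))
        pos = end
    return out

def gen_rsa(bits, seed):
    """Throwaway, seeded demo key -> (n, e, d). Fermat test only: fine here, not for real keys."""
    rnd, e = random.Random(seed), 65537
    def prime(b):
        while True:
            c = rnd.getrandbits(b) | (1 << (b - 1)) | 1
            if all(pow(a, c - 1, c) == 1 for a in (2, 3, 5, 7)):
                return c
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and n.bit_length() == bits and math.gcd(e, phi) == 1:
            return n, e, pow(e, -1, phi)

# --- RSASSA-PKCS1-v1_5 with MD5, the signature the keygen tag puts on an SPKAC ---
def emsa_pkcs1_v15_md5(data, k):
    t = der_seq(der_seq(OID_MD5, NULL), tlv(0x04, hashlib.md5(data).digest()))  # DigestInfo
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rsa_sign(data, n, d):
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(emsa_pkcs1_v15_md5(data, k), "big"), d, n).to_bytes(k, "big")

def rsa_verify(data, sig, n, e):
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return hmac.compare_digest(em, emsa_pkcs1_v15_md5(data, k))

def build_spkac(n, e, d, challenge):
    """Browser side: SEQUENCE { PublicKeyAndChallenge, AlgorithmIdentifier, BIT STRING sig }, base64."""
    spki = der_seq(der_seq(OID_RSA, NULL), der_bitstring(der_seq(der_int(n), der_int(e))))
    pkac = der_seq(spki, tlv(0x16, challenge.encode("ascii")))       # 0x16 = IA5String
    signed = der_seq(pkac, der_seq(OID_MD5_RSA, NULL), der_bitstring(rsa_sign(pkac, n, d)))
    return base64.b64encode(signed).decode()

def verify_spkac(spkac_b64, expected_challenge, min_bits=2048):
    """Backend checks before the request goes to the CA. Returns (ok, reason)."""
    try:
        tag, body, _ = der_read(base64.b64decode(spkac_b64))
        (_, pkac, tbs), (_, alg, _), (sig_tag, sig, _) = der_children(body)
        (_, spki, _), (ch_tag, challenge, _) = der_children(pkac)
        (_, key_alg, _), (_, key_bits, _) = der_children(spki)
        (_, n_bytes, _), (_, e_bytes, _) = der_children(der_read(key_bits, 1)[1])
    except (ValueError, IndexError):
        return False, "malformed DER"
    n, e = int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")
    if tag != 0x30 or alg != OID_MD5_RSA + NULL or sig_tag != 0x03 or key_alg != OID_RSA + NULL:
        return False, "unexpected structure or algorithm (expect RSA key, md5WithRSAEncryption)"
    if n.bit_length() < min_bits:
        return False, "RSA key too small (%d bits)" % n.bit_length()
    if not rsa_verify(tbs, sig[1:], n, e):          # skip the BIT STRING's unused-bits octet
        return False, "signature invalid: no proof of possession of the private key"
    if ch_tag != 0x16 or not hmac.compare_digest(challenge, expected_challenge.encode("ascii")):
        return False, "challenge mismatch: request is not bound to this session"
    return True, "ok"
```

Usage: the server generates a nonce when it renders the <keygen> form and stores it in the session; after the POST it calls `verify_spkac(submitted_blob, stored_nonce)`. With `n, e, d = gen_rsa(1024, seed=2009)` and `build_spkac(n, e, d, nonce)` the call returns `(True, "ok")` when `min_bits=1024`, a "challenge mismatch" when the same blob is presented against a different session's nonce, "RSA key too small" under the default 2048-bit floor, and "signature invalid" if any byte of the signature is altered. The challenge comparison is constant-time and is done only after the signature has been checked, so a forged blob never gets to probe the nonce.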

Once processing is done and the result has been propagated to the JavaScript, an install link is shown; it also appears in the "Download certificates" view. If the user clicks the install link, the browser deployment procedure illustrated in the following flow diagram is started:

Flow diagram of certificate deployment in the browser

Depending on the browser, either a JavaScript install function or a direct download in PKCS#7 format is used; the browser then tries to install the certificate into its keystore automatically.