Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
529 views
in Technique[技术] by (71.8m points)

ssl - Generating client side certificates in browser and signing on server

Is it possible to request generation of client keypair in browser and send the public key to the server CA to be signed transparently? Then installing the signed certificate in user's browser?

Scenario:

  1. User opens https://examle.com/ web page, server identity is verified
  2. User requests an account creation
  3. Keypair is generated in user's browser and not revealed to server/CA
  4. Pubkey is send to server for signing
  5. Server signes the key and generates certificate
  6. Certificate is sent to client and installed in browser along with private key

Next time client connects to server, his identity is verified based on client certificate.

It would be nice if server could force/hint the client to protect his private key using password encryption.

I've seen online banking using java applet for this task. Is it possible to do it using native browser capabilites? Apache/PHP or Node.js solution would be welcome.

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

Yes, it's possible. There are no cross-browser solutions, though.

  • For Internet Explorer, you will have to use some ActiveX controls using X509Enrollment.CX509EnrollmentWebClassFactory or CEnroll.CEnroll, depending on whether it's running on Windows XP or Vista/7. This will generate a PKCS#10 certificate request (which you may need to wrap between the traditional delimiters.
  • For the rest, you should be able to use the <keygen /> tag. It's a legacy Netscape tag, not officially HTML before, but it has made it into HTML 5 (although MS have said they wouldn't support it in their implementations). This will generate a SPKAC structure (similar to a CSR).
  • For Firefox (although it supports keygen), you can use the CRMF functions.

Here is an example script that should do most of the work for ActiveX or Keygen.

When the server sends a certificate in return (possibly later), the browser should import it into its store and associate it with the private key it had generated at the time of the request.

How the private key is protected will depend on the browser or underlying certificate store mechanism. In Firefox, there should be a master password on the security device, for example.

On the server side, you can implement your own CA using various tools. OpenSSL and BouncyCastle can handle PKCS#10 and SPKAC. Here is a BouncyCastle-based example (associated with the script above), and some code for CRMF.

If you want a ready-made solution, you may be interested in something like OpenCA.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...