Yes, it's possible. There are no cross-browser solutions, though.
- For Internet Explorer, you will have to use some ActiveX controls using
X509Enrollment.CX509EnrollmentWebClassFactory
or CEnroll.CEnroll
, depending on whether it's running on Windows XP or Vista/7. This will generate a PKCS#10 certificate request (which you may need to wrap between the traditional delimiters.
- For the rest, you should be able to use the
<keygen />
tag. It's a legacy Netscape tag, not officially HTML before, but it has made it into HTML 5 (although MS have said they wouldn't support it in their implementations). This will generate a SPKAC structure (similar to a CSR).
- For Firefox (although it supports keygen), you can use the CRMF functions.
Here is an example script that should do most of the work for ActiveX or Keygen.
When the server sends a certificate in return (possibly later), the browser should import it into its store and associate it with the private key it had generated at the time of the request.
How the private key is protected will depend on the browser or underlying certificate store mechanism. In Firefox, there should be a master password on the security device, for example.
On the server side, you can implement your own CA using various tools. OpenSSL and BouncyCastle can handle PKCS#10 and SPKAC. Here is a BouncyCastle-based example (associated with the script above), and some code for CRMF.
If you want a ready-made solution, you may be interested in something like OpenCA.
与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…