Is it possible to request generation of client keypair in browser and send the public key to the server CA to be signed transparently? Then installing the signed certificate in user's browser?
Scenario:
Next time client connects to server, his identity is verified based on client certificate.
It would be nice if server could force/hint the client to protect his private key using password encryption.
I've seen online banking using java applet for this task. Is it possible to do it using native browser capabilites? Apache/PHP or Node.js solution would be welcome.
Yes, it's possible. There are no cross-browser solutions, though.
X509Enrollment.CX509EnrollmentWebClassFactory
or CEnroll.CEnroll
, depending on whether it's running on Windows XP or Vista/7. This will generate a PKCS#10 certificate request (which you may need to wrap between the traditional delimiters.<keygen />
tag. It's a legacy Netscape tag, not officially HTML before, but it has made it into HTML 5 (although MS have said they wouldn't support it in their implementations). This will generate a SPKAC structure (similar to a CSR).Here is an example script that should do most of the work for ActiveX or Keygen.
When the server sends a certificate in return (possibly later), the browser should import it into its store and associate it with the private key it had generated at the time of the request.
How the private key is protected will depend on the browser or underlying certificate store mechanism. In Firefox, there should be a master password on the security device, for example.
On the server side, you can implement your own CA using various tools. OpenSSL and BouncyCastle can handle PKCS#10 and SPKAC. Here is a BouncyCastle-based example (associated with the script above), and some code for CRMF.
If you want a ready-made solution, you may be interested in something like OpenCA.