Bugzilla – Bug 6637
Allow in-browser issuance
Last modified: 2010-07-08 10:30:01
Instead of having a JWS client launch and request a certificate, use the
built-in browser functionality to generate the request and return the certificate to
the browser. This would mimic the issuance process of some existing CAs
allowing the GS-CA to drop into their existing issuance flows more easily.
various browsers to initiate the key and certificate request generation
Firefox command: https://developer.mozilla.org/en/GenerateCRMFRequest
Keygen tag: https://developer.mozilla.org/en/HTML/HTML_Extensions/KEYGEN_Tag
(Doesn't work with IE?)
Here is code from myopenid.com that uses keygen:
<input type="hidden" name="tid" value="0b43276e" />
<keygen class="skip" name="cert_spkac" id="spkac" />
<input type="hidden" name="cert_pkcs10" id="pkcs10">
<input type="text" id="cert-name" name="cert_label" maxlength="64" />
<br /><span class="example">
e.g. <q>home</q>, <q>work</q>, <q>laptop</q></span>
Pruning what features go in 2.0 based on what is required for CILogon service.
This will go into post-2.0 release.
Also don't see why this blocks 6845 so removing that.
Looks like this will require myproxy-server changes to support the
browser-generated certificate request message(s).
Note MyProxy currently expects a PKCS#10 (RFC 2986) certificate request.
CRMFRequest generates an RFC 4211 Certificate Request Message Format (CRMF)
object. KeyGen creates a SignedPublicKeyAndChallenge (SPKC) (see Bug 7064 for
the needed myproxy-server SPKC support). What does IE need? Need to do more
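The three request formats named in the comment above differ in ASN.1 shape, which a server can check before handing the bytes to a PKCS#10-only parser. The following is an added example (not from the bug report or from MyProxy) that classifies DER input by structure; it assumes the submission has already been base64-decoded, and the sample objects are constructed with placeholder key and signature bytes.

```python
SEQ, INT, BITSTR, IA5 = 0x30, 0x02, 0x03, 0x16  # DER tags used below
def read_tlv(buf, pos=0):  # decode one DER element -> (tag, value, next_pos)
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length >= 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        if not 1 <= n <= 4 or pos + n > len(buf):
            raise ValueError("bad length encoding")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("value overruns buffer")
    return tag, buf[pos:pos + length], pos + length

def items(value, pos=0):  # (tag, value) pairs directly inside a constructed value
    out = []
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def classify(der):
    """Return 'pkcs10', 'spkac', 'crmf' or 'unknown' from the ASN.1 shape alone."""
    try:
        tag, body, end = read_tlv(der)
        top = items(body) if tag == SEQ and end == len(der) else []
        inner = items(top[0][1]) if top and top[0][0] == SEQ else []
        shape = [t for t, _ in top]
        if shape == [SEQ, SEQ, BITSTR] and len(inner) >= 3 and inner[0][0] == INT:
            return "pkcs10"  # CertificationRequestInfo starts with INTEGER version
        if shape == [SEQ, SEQ, BITSTR] and [t for t, _ in inner] == [SEQ, IA5]:
            return "spkac"   # PublicKeyAndChallenge: SPKI, then IA5String challenge
        if set(shape) == {SEQ} and inner and inner[0][0] == SEQ:
            req = items(inner[0][1])  # CertReqMsg -> CertRequest
            if req and req[0][0] == INT:  # certReqId
                return "crmf"
    except ValueError:
        pass
    return "unknown"

def tlv(tag, *parts):  # minimal DER encoder for the constructed samples below
    body = b"".join(parts)
    n = len(body).to_bytes((len(body).bit_length() + 7) // 8 or 1, "big")
    return bytes([tag]) + (n if len(body) < 0x80 else bytes([0x80 | len(n)]) + n) + body
# Constructed samples: correct nesting, all-zero placeholder key and signature bits.
KEY = tlv(SEQ, tlv(0x06, bytes.fromhex("2a864886f70d010101")), b"\x05\x00") + tlv(BITSTR, bytes(141))
ALG, SIG = tlv(SEQ, tlv(0x06, bytes.fromhex("2a864886f70d010105")), b"\x05\x00"), tlv(BITSTR, bytes(129))
PKCS10 = tlv(SEQ, tlv(SEQ, tlv(INT, b"\x00"), tlv(SEQ), tlv(SEQ, KEY), tlv(0xA0)), ALG, SIG)
SPKAC = tlv(SEQ, tlv(SEQ, tlv(SEQ, KEY), tlv(IA5, b"constructed")), ALG, SIG)
CRMF = tlv(SEQ, tlv(SEQ, tlv(SEQ, tlv(INT, b"\x01"), tlv(SEQ, tlv(0xA6, KEY)))))
```

Structural triage only selects a parser; verifying the request signature or proof of possession remains the job of the format-specific code.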