[Pki-devel] Generating CSR in the Browser

Chandrasekar Kannan ckannan at redhat.com
Mon Sep 19 18:25:26 UTC 2011


On 09/19/2011 11:07 AM, Adam Young wrote:
> On 09/19/2011 01:58 PM, Chandrasekar Kannan wrote:
>> On 09/19/2011 10:54 AM, Adam Young wrote:
>>> How are people using the Certificates that they generate from the 
>>> Browser?  Say I use the code at
>>>
>>> /ca/ee/ca/profileSelect?profileId=caUserCert
>>
>> You have to use the "end entity secure/non-secure" ports to do this...
>
> So does that mean that anyone can generate a signing request this way?

Yeah - as long as they know the host:port - a request can be generated - 
and submitted to the CA.
Agent has the approval authority.



>
>>
>>
>>>
>>> To generate a new Cert Signing Request, the key pair for that CSR is 
>>> in my browser's NSS Database, but in order to even get to this point, 
>>> I need to have a Certificate allowing me to talk to the server, so I 
>>> am guessing I can't do this from the end user's browser.  I'm 
>>> guessing the workflow goes something like this:
>>>
>>> 1.  A new member of an organization needs a certificate, so they go 
>>> to their supervisor
>>> 2.  Supervisor fills out the form above and submits the CSR.
>>> 3.  Someone in higher echelons approves the request and generates 
>>> the corresponding certificate
>>> 4.  The Supervisor then gets the certificate to the end user.
>>>
>>>
>>> How does the private key get to the end user's browser?  Does it go 
>>> by way of the CRM subsystem, and, if so, isn't there a chicken/egg 
>>> problem in getting it?