[Pki-devel] Generating CSR in the Browser
Chandrasekar Kannan
ckannan at redhat.com
Mon Sep 19 18:25:26 UTC 2011
On 09/19/2011 11:07 AM, Adam Young wrote:
> On 09/19/2011 01:58 PM, Chandrasekar Kannan wrote:
>> On 09/19/2011 10:54 AM, Adam Young wrote:
>>> How are people using the Certificates that they generate from the
>>> Browser? Say I use the code at
>>>
>>> /ca/ee/ca/profileSelect?profileId=caUserCert
>>
>> You have to use the "end entity secure/non-secure" ports to do this...
>
> So does that mean that anyone can generate a signing request this way?
Yeah - as long as they know the host:port - a request can be generated -
and submitted to the CA.
Agent has the approval authority.
>
>>
>>
>>>
>>> To generate a new Cert Signing Request, the key pair for that CSR is
>>> in my browsers NSS Database, but in order to even get to this point,
>>> I need to have a Certificate allowing me to talk to the server, so I
>>> am guessing I can't do this from the end users browser. I'm
>>> guessing the workflow goes something like this:
>>>
>>> 1. A new member of an organization needs a certificate, so they go
>>> to their supervisor
>>> 2. Supervisor fills out the form above and submites the CSR.
>>> 3. Someone in higher echelons approves the request and generates
>>> the corresponding certificate
>>> 4. The Supervisor then gets the certificate to the end user.
>>>
>>>
>>> How does the private key get to the end users browser? Does it go
>>> by way of the CRM subsystem, and, if so, isn't there a chicken/egg
>>> problem in getting it?
>>>
>>>
>>>
>>> _______________________________________________
>>> Pki-devel mailing list
>>> Pki-devel at redhat.com
>>> https://www.redhat.com/mailman/listinfo/pki-devel
>>
>
More information about the Pki-devel
mailing list