[Pki-users] keygen support in RA

Mike Helm helm at fionn.es.net
Mon Jun 6 17:02:47 UTC 2011


Andrew Wnuk writes:
> There are keygen samples in current RA and CA UI but they were only 
> tested with IE. Each platform from your list may have different 

IE doesn't use keygen, it has CAPI (or whatever it's called now in Windows 7)
and makes pkcs#10 requests.  I couldn't find any trace of a keygen tag in IE 9
and I am given to understand (from some of the W3c mailing lists) that Microsoft
is opposed to it & won't implement it in their HTML5.  In any event, they're
fine as-is.

Opera and Google-style webkit browsers seem to have keygen.  I don't know whether
it works on all platforms they support yet.  Definitely works on Windows.
(My guess is it doesn't work on MacOS.)
Safari also has keygen, but it doesn't work on Windows - the tag exists
but it won't do anything.  Does work on MacOS.
The tag is a browser method (one of my more knowledgeable coworkers calls it this)
and so I can't really look inside the tag & see usable methods - just have
to try and check results.

Firefox has it but it's kind of a magic tag, perhaps it's an interface to
crypto.crmf-something.  It works on most platforms (not mobile Android - 
this deployment completely lacks crypto.* as far as I can tell.)

By "work" I mean it does only what it says it will do - make a key pair,
and understand that it has a private key somewhere & how to retrieve it.
I can definitely load a successfully-signed certificate into these browsers.
It may be that some options can provide a little more capability, but 
I can't tell whether they're there & I don't understand them either.
I don't see one that will link more attributes to the generated key.

The problem now is, I need to persuade the CA to sign the certificate with
a usable subject name.  This I don't know how to do, & I don't understand
the CA's internal software structure (let alone the "request architecture" or
flow) well enough yet to figure out whether it can be fixed.  I can get it
the key; I can get it a subjectaltname; I can deliver the policy attributes
thru the profile, but the subject name....

My hope is that the CA is fine as-is and what I need to do is adjust the policy
or learn some more about the request API so I can feed it the subject name in
a manner it can understand - that would mean a patch to the RA perl libraries.
Otherwise, need to modify something in the CA.

Thanks, ==mwh
Michael Helm
ESnet/LBNL 
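On the subject-name question raised above, an added example that is not code from this thread, from the RA/CA product or from ESnet: a hypothetical RA step in Go that takes only the proven public key out of the browser's PKCS#10 request (the form IE submits) and fills in the subject from the identity the RA authenticated, standing in for what the profile or policy would supply. The issuer name, the function names and the sample identities are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Constructed issuer for this example: the CA is represented by its name and signing key only.
var issuerName = pkix.Name{CommonName: "Example Test CA"}

// Stands in for the browser (constructed input): a fresh key pair plus a PKCS#10
// request whose subject is whatever the client chose, so the RA must not copy it.
func clientRequest(claimedCN string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: claimedCN}}, key)
}

// Hypothetical RA step: keep only the proven public key from the request; the
// subject comes from the identity the RA authenticated, never from the request.
func issueFromRequest(csrDER []byte, authenticatedCN string, caKey *ecdsa.PrivateKey) ([]byte, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil { // proof of possession of the private key
		return nil, err
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127)) // crypto/rand only fails on a broken entropy source
	tmpl := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: authenticatedCN}, // csr.Subject deliberately ignored
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	return x509.CreateCertificate(rand.Reader, tmpl, &x509.Certificate{Subject: issuerName}, csr.PublicKey, caKey)
}

func main() {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	csr, _ := clientRequest("CN chosen in the browser")
	der, err := issueFromRequest(csr, "helm@example.invalid", caKey)
	fmt.Println("issued", len(der), "bytes, err:", err)
}
```

A keygen-style request plays the same role here as the PKCS#10 one: it proves the browser holds a private key and nothing more, so the subject still has to come from the enrollment context.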
