
List:       openssl-users
Subject:    Re: apply cert from browser
From:       Michael Sierchio <kudzu () dnai ! com>
Date:       2000-04-30 21:33:52

SCH wrote:
> 
> My CA is to sign certificates for end-users,
> and I hope the user can generate rsa-key pair
> and submit cert-request in his browser.
> How can I (as a web server) tell the browser to generate a
> pair of key and then send me a cert request ?

In the case of the Netscape browser, you send the browser a form 
that contains the keygen tag (see below).  This will send the
servlet or CGI script the form name/value pairs, including the
keygen tag:

 keygen = 
MIIBRzCBsTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA+WlVa1Ras/mi7JhA
F83YkDJTE3w92dsRy/SaMmhFNLY1QfoFkZcfUwyo+zhHTFayk/8ql0lrafTlxtYR
NJY2Qhq/F71PrzNYejf4ZSDlT/ZF4NqBf0aJsbc5XBPVBXUS3a81PLkrOUEMedPW
HpoOpuzXRIFvlWPPO1uHjlkT0f8CAwEAARYNZml4ZWQtZm9yLW5vdzANBgkqhkiG
9w0BAQQFAAOBgQDdesDAQoajpIB3Xv92xNljniDzkGWPVEkCvsFphgCFU/S5SL+H
Z7CLYamQhLmq1c2TnslDc1zd9i2/qlnpiQ3LI/MFgE0PXCDQA+0mpBPdqLwx30tS
pymScf7kqC0jIoNblG6s3YoeIUzRV6ewsx4rOYzJVeCTh7XqI5Du/zwqOg==

This is an SPKAC (signed public key and challenge), Base64 encoded,
which you can use for the signing request after cooking it with
the other form elements. 

	SignedPublicKeyAndChallenge ::= SEQUENCE {
		publicKeyAndChallenge PublicKeyAndChallenge,
		signatureAlgorithm  AlgorithmIdentifier,
		signature   BIT STRING }
 
	PublicKeyAndChallenge ::= SEQUENCE {
		spki      SubjectPublicKeyInfo,
		challenge IA5STRING }

That should get you started... ;-)

The Internet Exploder version is much uglier, but I could
post that too, if you like.  It requires using a CAB and 
VBScript (shudder, ack, ptui!).



===================NETSCAPE VERSION=====================

<HTML>
  <HEAD>
    <TITLE>X.509 Personal CertGen (Alpha)</TITLE>
  </HEAD>
  <BODY BGCOLOR="#fee0c0"> <a name="top">
<H2>Personal Cert Generation</H2>
<hr>

<!-- Netscape Version -->

<FORM METHOD=POST ACTION="/enroll">
<hr><em><b>Please enter the following data to get your personal
certificate:</b></em>
<TABLE>

<TR>
<TD> Your name </TD>
<TD><INPUT TYPE=text SIZE=40 NAME="name" VALUE="Joan Q. Public"></TD>
</TR>

<INPUT TYPE=hidden SIZE=30 NAME="unit" VALUE="JWS">
<INPUT TYPE=hidden SIZE=30 NAME="org" VALUE="Java Land">
<INPUT TYPE=hidden SIZE=30 NAME="unit" VALUE="BOZO">

<TR>
<TD> City or Locality name </TD>
<TD><INPUT TYPE=text SIZE=30 NAME="locality" VALUE="San Jose"></TD>
</TR>

<TR>
<TD> State or Province name </TD>
<TD><INPUT TYPE=text SIZE=30 NAME="state" VALUE="California"></TD>
</TR>

<TR>
<TD> Two-letter country code (e.g. <em>US</em>).</TD>
<TD><INPUT TYPE=text SIZE=2 NAME="country" VALUE="US"></TD>
</TR>

<TR>
<TD> Your preferred key size </TD>
<TD><KEYGEN name="keygen" challenge=fixed-for-now></TD>
</TR>

</TABLE>

<INPUT TYPE="hidden" NAME="opname" VALUE="genCert">
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majordomo@openssl.org
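
Added example, not part of the original message: a Python decoder for the keygen value shown above, walking the SignedPublicKeyAndChallenge structure to recover the challenge, the RSA key size and the signature algorithm before a CA acts on the request. The function names are hypothetical, and rejecting a challenge other than the one the server put in its own form is an assumption about how the enrollment script uses that field.

```python
import base64

# The keygen value from the message above (Base64 of the DER-encoded SPKAC).
SPKAC_B64 = """
MIIBRzCBsTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA+WlVa1Ras/mi7JhA
F83YkDJTE3w92dsRy/SaMmhFNLY1QfoFkZcfUwyo+zhHTFayk/8ql0lrafTlxtYR
NJY2Qhq/F71PrzNYejf4ZSDlT/ZF4NqBf0aJsbc5XBPVBXUS3a81PLkrOUEMedPW
HpoOpuzXRIFvlWPPO1uHjlkT0f8CAwEAARYNZml4ZWQtZm9yLW5vdzANBgkqhkiG
9w0BAQQFAAOBgQDdesDAQoajpIB3Xv92xNljniDzkGWPVEkCvsFphgCFU/S5SL+H
Z7CLYamQhLmq1c2TnslDc1zd9i2/qlnpiQ3LI/MFgE0PXCDQA+0mpBPdqLwx30tS
pymScf7kqC0jIoNblG6s3YoeIUzRV6ewsx4rOYzJVeCTh7XqI5Du/zwqOg==
"""

def read_tlv(buf, pos):
    """Read one DER element at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split SEQUENCE contents into a list of (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def decode_oid(raw):
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear: last byte of this arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def parse_spkac(b64, issued_challenge):
    """Decode SignedPublicKeyAndChallenge; reject a wrong echoed challenge."""
    _, body, _ = read_tlv(base64.b64decode("".join(b64.split())), 0)
    (_, pkac), (_, sig_alg), (_, sig) = children(body)
    (_, spki), (ch_tag, challenge) = children(pkac)
    (_, rsa_key), = children(children(spki)[1][1][1:])  # skip unused-bits byte
    if ch_tag != 0x16 or challenge != issued_challenge.encode():  # IA5String
        raise ValueError("challenge missing or not the one this server issued")
    return {"key_bits": int.from_bytes(children(rsa_key)[0][1], "big").bit_length(),
            "sig_alg": decode_oid(children(sig_alg)[0][1])}
```

The decoder does not verify the signature over publicKeyAndChallenge; `openssl spkac -verify` performs that check. For the value above it reports a 1024-bit key signed with 1.2.840.113549.1.1.4 (md5WithRSAEncryption).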
