How to install SSL client certificate from a webserver for both FF and IE?

After login, I want a web page to be able to provide both Firefox and MSIE-8+ web-site clients the ability to download and install a unique SSL client certificate for the website so they need never log in again from that machine.

The back-end is simple and done - I have a directory on my Linux web-server where typing "make USER=$username ${username}.crt.pkcs12" will create a new client key and a valid, signed PKCS-12 SSL client certificate file.

But how to best provide a single method whereby both logged-in (with password) MSIE and Firefox users can download these certificates and bring up the "install client certificate" browser GUI dialog?

It is straightforward to simply push the certificate as a file of mime-type ? - say 'application/x-pkcs7-certreqresp' ?? so the user is prompted to save the file; but I want them to be prompted to add the certificate for this website to the SSL certificate manager's client cert store. Then I found this for Firefox.

So this is fairly straightforward

but all I can find for MSIE is this.

So it is simple to invoke Firefox's security manager API from JavaScript, but I can find no way of doing so from MSIE's JavaScript - one would need to invoke .NET C# code to access the .NET APIs, and the X509Store APIs seem not to be exported to MSIE JavaScript.

As I see it, options are then to provide a Mono .NET web service on my Linux webserver and redirect requests from MSIE clients for the certificates to this service, which can then download .NET code that the client runs to install the certificate?

Or I can make MSIE clients download an "Install_Cert.VB" Visual Basic script that will run "WinHttpCertCfg.exe"?

Or is there some magic MSIE security manager JavaScript API that I'm just not finding?

Sorry, I've been a Windows refusenik since 1992; I use only Linux / Solaris / BSD / MacOS and do not have access to a Windows machine.

Anyone been here before / have any advice to offer? If so, it would be much appreciated! Thanks in advance, Jason


Probably not an answer you'd expect to get, but the easiest thing you can do is create an ActiveX control that will put the certificate into the right certificate store in IE. Since ActiveX is only handled by IE, you will have an IE-specific solution and you will need to have just one version of the ActiveX control. For Firefox (and Chrome and Opera) you would need to find other solutions.


Here's some documentation about ways to get client side SSL certificates installed.

As you might expect, every browser is different, mobile devices are missing features in many cases, and there are lots of ways to do the same thing. Looks like many people are banging their heads on this stuff.


What you are doing is radically insecure. Private keys are supposed to be private. So generating a private key for somebody else is a contradiction in terms. The corresponding certificate is also supposed to uniquely identify the client. In this case it could identify either the generating code or any of the client(s) to which it has issued the key and certificate.

You need another solution.
