Browser keygen is dead, long live browser key generation!

Now that Chrome has killed off the keygen tag, and assuming other browsers follow suit, what options are there for generating private keys within the browser? Perhaps WebCrypto and JavaScript can come to the rescue?

With thanks to the excellent PKI.js and the useful examples, we've added an option to the PKI Cloud Free Online CA service which demos this approach. It's an easy way to try generating private keys in a browser, sending a certificate request to a remote CA, receiving the response and wrapping everything up into a PKCS#12.

Here's how to give it a go in five easy steps.

1. Register your free account.

2. Create your first CA and add a new user. Make sure you select the user's Token Type as 'User Generated'.

3. After being redirected to the user's page, click on the 'Collection Link' button.

4. Change the Key Generation type to 'Browser Key Gen' and choose your key type and specification.

5. Copy the link into another browser window, enter the user's enrollment code and collect your PKCS#12!

If you have trouble or want to re-issue, use the 'renew/re-issue' link on the user's settings tab.

So what is actually happening?

On loading the collection link, the browser uses PKI.js (on top of the browser's WebCrypto API) to generate a key pair. In the example the key settings are "keyalg=RSA&keyspec=2048".
Once this key is generated, a Certificate Signing Request is immediately created and signed with the new private key.
On hitting 'submit', the page sends only the CSR and the enrollment code to the PKI Cloud API; the API validates the code, issues a certificate and sends it back. The private key itself never leaves the browser.
With more help from PKI.js, the browser then rolls the key and certificate into a PKCS#12 file and downloads it.

How can I read the PKCS#12?

PKI.js explains in the examples page:

PKIjs also only supports creation of AES-CBC and AES-GCM protected PKCS#12s, which will not be readable by Windows, which only supports weak ciphers in PKCS#12 files.

You can parse the Password-Based Privacy Protection variant PKIjs creates using this command:

openssl pkcs12 -in pkijs_pkcs12.p12 -nomacver

Are all browsers supported?

The best chance of success is to use an up to date version of Chrome. IE, Edge and Safari are not working at the moment. Firefox will work as long as RSA keys are used.

Can keys be generated on smart cards or USB tokens?

No, only software tokens are supported.
