Eddy Nigg (StartCom Ltd.) wrote:
> Nelson B wrote:
>> casprd wrote:
>>
>>> we currently have a process which uses an embedded windows control
>>> and the .net security libraries to automate the installation of the
>>> client x.509 certificate into the windows store.
>>>
>>> I had run across some code snippets for doing this in firefox but now
>>> for the life of me I can't find the websites. Does anyone have any
>>> ideas how we can accomplish this or know of some websites that I can
>>> look at for some ideas?
>>>
>>
>> I suggest you look at how this web site does it:
>> http://public.wisekey.com/crt/owgrgaca.crt
> Nelson, what you suggest here, is how to install a CA certificate, which
> can be easily achieved as demonstrated with this link. All it needs is a
> PEM encoded CA certificate and correct headers on the server.

It can be PEM encoded or raw binary DER.

> But if I understood the original question correctly, it is about
> installation of client (S/MIME) certificates.

You're right Eddy. I misread the original request.

> Client certificates which
> have the private key stored in FF (produced by <keygen>) can be
> installed in similar fashion by sending the content of the certificate
> with header "Content-type: application/x-x509-user-cert".

Yes, exactly right, for downloading email certs for which the user has
the private key. There is yet another MIME content type used to download
email certs for other parties.

    application/x-x509-email-cert

> Additionally
> http://developer.mozilla.org/en/docs/JavaScript_crypto#Typical_use shows
> a different approach via JavaScript.

That page shows an approach to generating a certificate request in CRMF
form, and sending it to the CA for signing. It is an alternative to the
<keygen> tag approach to generating a certificate request.

However, IIRC, with either method of generating the certificate request,
after the CA subsequently issues the user's email cert, the user will
need to download/install the certificate. AFAIK, the only way, presently
supported in mozilla browsers, to do that download of the user's email
cert is the method you described above, using the MIME content type
application/x-x509-user-cert.

There was another way in Netscape browsers, that used a protocol named
CMMF. But I believe that is no longer supported. [I could be wrong]

/Nelson
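
The server side of the download described in this thread, as an added example that is not code from either poster or from Mozilla: it picks the MIME type for the certificate's role and checks that the payload is a well-framed certificate blob before sending it. The function names, the role keys, the sample bytes and the choice to always send DER are assumptions of this example; `application/x-x509-ca-cert` is the CA type that goes with the two types named above.

```python
import base64
import re

# Roles to MIME types: the user and email types are the ones named in the
# thread; application/x-x509-ca-cert is the type for CA certificate downloads.
CERT_MIME = {
    "ca": "application/x-x509-ca-cert",
    "user": "application/x-x509-user-cert",
    "email": "application/x-x509-email-cert",
}
PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)
# Constructed sample: a 5-byte SEQUENCE { INTEGER 1 }, not a real certificate.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x01])
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(SAMPLE_DER)
              + b"\n-----END CERTIFICATE-----\n")


def to_der(cert_bytes):
    """Accept PEM or raw DER; return DER after checking the outer framing only."""
    m = PEM_RE.search(cert_bytes)
    # b64decode(validate=True) raises binascii.Error (a ValueError) on bad input.
    der = base64.b64decode(b"".join(m.group(1).split()), validate=True) if m else cert_bytes
    if len(der) < 2 or der[0] != 0x30:  # must start with the ASN.1 SEQUENCE tag
        raise ValueError("not a DER-encoded SEQUENCE")
    if der[1] < 0x80:                   # short-form length
        hdr, length = 2, der[1]
    else:                               # long-form length in the next n bytes
        n = der[1] & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            raise ValueError("unsupported DER length encoding")
        hdr, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    if hdr + length != len(der):        # reject truncated or padded payloads
        raise ValueError("DER length does not match payload size")
    return der


def cert_response(cert_bytes, role):
    """Return (status, headers, body) for serving a certificate to the browser."""
    if role not in CERT_MIME:
        raise ValueError("unknown certificate role: %r" % (role,))
    der = to_der(cert_bytes)
    headers = [
        ("Content-Type", CERT_MIME[role]),
        ("Content-Length", str(len(der))),
        ("Cache-Control", "no-store"),
    ]
    return "200 OK", headers, der
```

The framing check only confirms that the body is a single complete ASN.1 SEQUENCE; it does not parse or validate the certificate itself.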