Eddy Nigg (StartCom Ltd.) wrote:
> Nelson B wrote:
>> casprd wrote:
>>  
>>> We currently have a process which uses an embedded Windows control
>>> and the .NET security libraries to automate the installation of the
>>> client X.509 certificate into the Windows store.
>>>
>>> I had run across some code snippets for doing this in Firefox but now
>>> for the life of me I can't find the websites.  Does anyone have any
>>> ideas how we can accomplish this or know of some websites that I can
>>> look at for some ideas?
>>>     
>>
>> I suggest you look at how this web site does it:
>> http://public.wisekey.com/crt/owgrgaca.crt

> Nelson, what you suggest here, is how to install a CA certificate, which
> can be easily achieved as demonstrated with this link. All it needs is a
> PEM encoded CA certificate and correct headers on the server.

It can be PEM encoded or raw binary DER.

> But if I understood the original question correctly, it is about
> installation of client (S/MIME) certificates. 

You're right Eddy.  I misread the original request.

> Client certificates which
> have the private key stored in FF (produced by <keygen>) can be
> installed in similar fashion by sending the content of the certificate
> with header "Content-type: application/x-x509-user-cert". 

Yes, exactly right, for downloading email certs for which the user has
the private key.

There is yet another MIME content type used to download email certs for
other parties.  application/x-x509-email-cert

> Additionally
> http://developer.mozilla.org/en/docs/JavaScript_crypto#Typical_use shows
> a different approach via JavaScript.

That page shows an approach to generating a certificate request in CRMF
form, and sending it to the CA for signing.  It is an alternative to
the <keygen> tag approach to generating a certificate request.

However, IIRC, with either method of generating the certificate request,
after the CA subsequently issues the user's email cert, the user will
need to download/install the certificate.  AFAIK, the only way, presently
supported in mozilla browsers, to do that download of the user's email
cert is the method you described above, using the MIME content type
application/x-x509-user-cert.  There was another way in Netscape browsers,
that used a protocol named CMMF.  But I believe that is no longer
supported.  [I could be wrong]

/Nelson
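
Server side of the download described in this thread, as an added example that is not code from the original posts or from Mozilla: it picks the Content-Type for the kind of certificate and accepts PEM or DER input. The "ca" MIME type, the function names, the /me.crt path, the choice to always send DER, and the sample bytes are assumptions of this example.

```python
import base64
import re
from http.server import BaseHTTPRequestHandler, HTTPServer

# "user" and "email" are the types named in the thread; "ca" is the
# customary CA-certificate type (assumed here, the thread only says "correct headers").
CERT_MIME = {
    "ca": "application/x-x509-ca-cert",
    "user": "application/x-x509-user-cert",
    "email": "application/x-x509-email-cert",
}
PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

# Constructed sample: a tiny DER SEQUENCE, NOT a real certificate.
SAMPLE_DER = bytes.fromhex("3003020101")
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")

def to_der(data: bytes) -> bytes:
    """Accept PEM or raw DER and return DER; reject anything else."""
    match = PEM_RE.search(data)
    if match:
        data = base64.b64decode(b"".join(match.group(1).split()), validate=True)
    if not data or data[0] != 0x30:  # every DER certificate starts with SEQUENCE
        raise ValueError("not a PEM or DER certificate")
    return data

def cert_response(kind: str, data: bytes):
    """Return (headers, body) for one certificate download."""
    if kind not in CERT_MIME:
        raise ValueError("unknown certificate kind: %r" % kind)
    if b"PRIVATE KEY" in data:  # the key stays in the browser; never serve one
        raise ValueError("refusing to serve private key material")
    body = to_der(data)
    return {"Content-Type": CERT_MIME[kind], "Content-Length": str(len(body))}, body

class CertHandler(BaseHTTPRequestHandler):
    store = {"/me.crt": ("user", SAMPLE_PEM)}  # hypothetical path -> (kind, cert)

    def do_GET(self):
        entry = self.store.get(self.path)
        if entry is None:
            self.send_error(404)
            return
        headers, body = cert_response(*entry)
        self.send_response(200)
        for name, value in headers.items():
            self.send_header(name, value)
        self.end_headers()
        self.wfile.write(body)

if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8000), CertHandler).serve_forever()
```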

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
