Peter Djalaliev wrote, On 2008-08-25 13:15:
> Hello,
>
> I recently went to GoDaddy and created myself a new client SSL
> certificate. During the process Firefox generated a new key pair, the
> GoDaddy application issued the certificate and Firefox installed it
> automatically (after asking me) into the NSS database.
>
> Can anybody provide any pointers as to how exactly these things
> happen? Particularly, I am interested in
> how the web application instructs Firefox to generate a new key pair,

There are two different ways it can be done.
a) using the <keygen> html tag in a form (Google for it)
b) using a JavaScript method named generateCRMFrequest, which Anders has
already kindly pointed out.

> who generates the certificate requests,

The browser. Either of the two methods above generates a key pair and a
certificate request. The request format depends on which method was used.

> how the request is returned to the CA to sign it

If I recall correctly the <KEYGEN> tag causes the generated request to be
part of the form data sent in when you submit the form data. The
generateCRMFrequest leaves the output where the JavaScript can send it in,
or do whatever with it.

> and how the application instructs Firefox to install the new
> certificate (along with the private key) into the NSS database.

The private key is put into the database when it is generated. It waits
there to be joined eventually by the requested cert. While waiting for
the cert, it is known as an "orphan" key. If the requested cert never is
issued, it remains an orphan until it is deleted.

The user usually browses to a web page served by the CA's web server.
That page sends down one or more certs using the MIME content type
application/x-x509-user-cert. For more details, see the web page:
http://developer.mozilla.org/en/NSS_Certificate_Download_Specification
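To make the <keygen> path above concrete, here is an added example (not code from this thread, from Mozilla or from NSS) of what the CA's server side receives and returns. A <keygen> field submits a base64 SignedPublicKeyAndChallenge (SPKAC): a SEQUENCE of { PublicKeyAndChallenge { SubjectPublicKeyInfo, IA5String challenge }, AlgorithmIdentifier, BIT STRING signature }. The code below is a minimal DER walker for that structure, a challenge check against the nonce the server issued for the session, and the response the server sends once a cert is issued, using the application/x-x509-user-cert content type the reply names. The sample SPKAC is constructed with dummy key bits and a dummy signature so it runs offline; the signature check (RSA over the PublicKeyAndChallenge DER) is deliberately left to a real crypto library and is not performed here.

```python
import base64
import hmac

# Standard OIDs expected in a SPKAC from Firefox-era <keygen>
OID_RSA_ENCRYPTION = "1.2.840.113549.1.1.1"
OID_MD5_WITH_RSA = "1.2.840.113549.1.1.4"


def _der_length(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag, content):
    """Encode one DER TLV."""
    return bytes([tag]) + _der_length(len(content)) + content


def der_read(buf, pos=0):
    """Read one TLV starting at pos; return (tag, content, end_offset)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:end], end


def der_children(content):
    """Split the content of a constructed type into its (tag, body) members."""
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = der_read(content, pos)
        out.append((tag, body))
    return out


def encode_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = bytearray([40 * parts[0] + parts[1]])
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        out.extend(reversed(chunk))
    return der(0x06, bytes(out))


def decode_oid(body):
    parts, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(value)
            value = 0
    return ".".join(map(str, parts))


def build_sample_spkac(challenge):
    """Constructed test data: SPKAC layout with dummy key bits and a dummy signature."""
    alg_rsa = der(0x30, encode_oid(OID_RSA_ENCRYPTION) + der(0x05, b""))
    spki = der(0x30, alg_rsa + der(0x03, b"\x00" + b"\x01" * 32))
    pkac = der(0x30, spki + der(0x16, challenge.encode("ascii")))
    sig_alg = der(0x30, encode_oid(OID_MD5_WITH_RSA) + der(0x05, b""))
    signature = der(0x03, b"\x00" + b"\xAA" * 64)
    return base64.b64encode(der(0x30, pkac + sig_alg + signature)).decode("ascii")


def parse_spkac(spkac_b64):
    """Decode the base64 <keygen> field into its parts (signature NOT verified here)."""
    raw = base64.b64decode("".join(spkac_b64.split()))  # field may contain line breaks
    tag, body, end = der_read(raw)
    if tag != 0x30 or end != len(raw):
        raise ValueError("SPKAC is not a single SEQUENCE")
    members = der_children(body)
    if len(members) != 3 or [m[0] for m in members] != [0x30, 0x30, 0x03]:
        raise ValueError("unexpected SPKAC layout")
    pkac, sig_alg, signature = members
    spki, challenge = der_children(pkac[1])
    if spki[0] != 0x30 or challenge[0] != 0x16:
        raise ValueError("bad PublicKeyAndChallenge")
    key_alg, key_bits = der_children(spki[1])
    return {
        "challenge": challenge[1].decode("ascii"),
        "key_algorithm": decode_oid(der_children(key_alg[1])[0][1]),
        "key_bits": key_bits[1][1:],          # drop the unused-bits octet
        "signature_algorithm": decode_oid(der_children(sig_alg[1])[0][1]),
        "signature": signature[1][1:],
        "signed_der": der(0x30, pkac[1]),     # bytes the signature covers
    }


def check_challenge(parsed, expected_challenge):
    """CA-side binding: the embedded challenge must equal the nonce issued for this session."""
    return hmac.compare_digest(parsed["challenge"].encode(), expected_challenge.encode())


def cert_download_response(cert_der):
    """Response that makes the browser pair the issued cert with its waiting (orphan) key."""
    return {
        "status": 200,
        "headers": {"Content-Type": "application/x-x509-user-cert",
                    "Content-Length": str(len(cert_der))},
        "body": cert_der,
    }


if __name__ == "__main__":
    parsed = parse_spkac(build_sample_spkac("nonce-123"))
    print(parsed["challenge"], parsed["key_algorithm"], parsed["signature_algorithm"])
    print(check_challenge(parsed, "nonce-123"))
```

The challenge check is the part worth keeping in mind on the server: without it a stale or replayed SPKAC is indistinguishable from a fresh one, and the parsed "signed_der" is exactly what a real implementation would hand to an RSA verify call together with the embedded public key before issuing anything.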