
I have generated a key pair and created a self-signed certificate using the JavaScript WebCrypto API and a 3rd party web service using a CSR request. Now I want to store the certificate with the private key in the Windows personal certificate store of the client PC. I have found here that by JavaScript it is not possible. Using Java it is easily possible. But as jApplet is being discouraged now, is there any other way from the client side? By creating Chrome/Mozilla extensions, will it be possible either?

Note that I understand if I export the certificate as a file along with the private key, I can import it manually into the Windows certificate store as a personal certificate. But I want to automate the process like this: the user just fills up the form from the browser and, by server communication, the certificate will be created and will be stored in the Windows store of the client along with the private key.

user1366645
  • With WebCrypto you can generate a key pair but not a certificate. Have you requested a certificate from a CA using a CSR request? – pedrofb Mar 21 '17 at 11:48
  • Yes, by calling a 3rd party web service using a CSR. Updated the question. Thanks @pedrofb – user1366645 Mar 21 '17 at 11:55

3 Answers


I do not think you have too many options

  • You cannot access the keystore used by the browser from JavaScript due to security restrictions

  • You cannot create a Chrome extension to access the keystore used by the browser because the Chrome API does not publish it (I am not sure about Firefox)

  • You cannot use an applet because Java is not supported by Chrome and Edge. Firefox will drop support for NPAPI plugins in March 2017 (Java uses NPAPI), and the next Java versions do not include the browser plugin

Alternatives:

  • Generate a .p12 file with the private key and certificate (on the client side), download and open it. The operating system will launch the certificate import tool

  • Use the Web Cryptography API, if you only need the certificate to perform cryptographic operations in the browser (digital signature, encryption, ...). You could generate the .p12 later

pedrofb
  • Can you guide me how to generate a .pfx/.p12 file with the private key and certificate on the client side in JavaScript? – user1366645 Mar 23 '17 at 10:39
  • You need to use a JavaScript library with support for PKCS#12 files. See for example [forge](https://github.com/digitalbazaar/forge#pkcs12) and [pki.js](https://pkijs.org/examples/PKCS12SimpleExample.html). Build the p12 by extracting the private key from WebCrypto and getting the certificate and the certification chain returned by the server. See my answer here http://stackoverflow.com/questions/36018233/how-to-load-a-pkcs12-digital-certificate-with-javascript-webcrypto-api to see how to load a p12 into WebCrypto. You need the reverse process. – pedrofb Mar 23 '17 at 11:06
  • Thanks @pedrofb. But it seems the p12 file created by pki.js cannot be imported into the Windows store. – user1366645 Mar 28 '17 at 06:37
  • I have not checked this function of pki.js, but with forge I have succeeded. I suggest you open a new question with details and an example. – pedrofb Mar 28 '17 at 07:31
  • http://stackoverflow.com/questions/43066591/p12-file-import-failure-in-windows-certificate-store-by-forge-javascript-library @pedrofb – user1366645 Mar 28 '17 at 10:05

First of all, JavaScript runs in the browser inside a sandbox. So it has very limited access to the computer; it can calculate/generate stuff but can't make changes to the computer.

Creating an extension to add a certificate is a bit useless, because to do so, the only way that I can think of is to execute a program that could be executed by the user in the first place. More info about running programs from an extension here.

So give the user an auto certificate installer program (create one) to run. Example C code for Certificate Store Operations here.

GramThanos
  • You cannot execute an installer from the browser. Read your link: the accepted answer proposes using an NPAPI plugin, which has not been available in Chrome for more than two years. The alternative, using the Chrome Messaging API or a custom extension `myinstaller:\\`, involves having preinstalled software – pedrofb Mar 21 '17 at 12:54
  • First of all, **I don't suggest that he use an extension**, I even said that this is "useless". **I suggested that he provide a downloadable exe** that can install the certificate (not to call an installer), so that the user doesn't have to do it manually (just run an exe). Second, **the link I provided explains more about the possibility of running a program from a google-chrome-extension**; whether that is possible or not and with which technology is explained in the link's answers, that's why I said *more info here*. I think you should read, not me. – GramThanos Mar 21 '17 at 13:24
  • You cannot provide an installer with the certificate because the server does not have the private key. You would need the installer to be already installed on the user's computer so the browser could invoke it (with the commented drawbacks) to provide the certificate to install. I do not see any advantages in this. It is simpler for the user to double-click on a .p12 and use the default Windows installer than on an .exe that has to be invoked by the browser – pedrofb Mar 21 '17 at 13:42
  • Again, I don't support the idea of calling an installed program from an extension; it seems you can't understand it. Also, JavaScript can provide the private key to be downloaded as well as the exe, and there are many other ways to do so. I am sorry if my answer offended you, but we posted our answers at about the same time, so I saw your answer after I posted mine. Usually I don't post a second answer; I comment on the first to add info or my idea. I never said that my answer is better or that your answer is worse. – GramThanos Mar 21 '17 at 14:16
  • I am here to help people, and posting my idea does not mean that your idea is bad. On the other hand, you attacking me because you misunderstood my answer is not the spirit of this site. It is not a competition, it's about helping people. You, my friend, have a bad attitude and I am not going to continue arguing about your problems. – GramThanos Mar 21 '17 at 14:16

We've got the same problem, but only in Chrome. We managed to do that in Firefox (`<keygen>` object in JavaScript) and Internet Explorer (ActiveXObject). Instead of a Java applet, I suggest creating a local microserver with a REST API and communicating with it over SSL.

macieg_b