[foaf-protocols] FOAF+SSL: Simple Recipe to Create X.509 Client Certificates in PHP
Dirk-Willem van Gulik
dirkx at webweaving.org
Fri Jan 2 21:21:45 CET 2009
On 2 Jan 2009, at 10:21, Bruno Bonfils wrote:
> On 2 Jan 09 at 11:11, Story Henry wrote:
>
>> Great work Melvin. You are really raising the bar here on quality and
>
> Note that if you really don't want to generate the key server side, there
> are some interfaces (browser dependent, however) to
> create the key in the browser, and send the PKCS#10 (certificate
> request) to the server, which returns the certificate. This way,
> you don't need to use a PKCS#12 file.
What you want to do here (is that code in SVN somewhere - easier to
hack :) is to add to your form*:
<KEYGEN name=spkac challenge=notSoBeIt>
so as to generate the key in the user's browser - but never pass it to
the server.
And then in the code which parses the results create a file with
something like:
commonName = $name
emailAddress = $email
organizationName = Asemantics S.R.L.
organizationalUnitName = $org, $group
localityName = Roma
stateOrProvinceName = Roma
countryName = IT
SPKAC = $spkac
Where each of the variables is the tainted/cleansed variable from your
form. Set the subjectAltName either there or as
an ${ENV::} variable in openssl.cnf - and then do:
openssl ca -config $DIR/openssl.cnf -spkac $SPK_DIR/$sha1 -out $OUT_DIR/$sha1 -days $days 2>&1
and you should be there.. Use 'req' and -set_serial $sha1 if you want
to avoid keeping a list locally. Be sure to send the resulting file
back with
print "Content-type: application/x-x509-user-cert\nContent-disposition: filename=\"$sha1.crt\"\n\n";
cat $OUT_DIR/$sha1
and it gets re-joined with its private key in the browser.
Dw.
*: or alternatively hack something like EJBCA.org to do the same - so
you can also cover IE and others with some ActiveX :)
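The server-side half of the recipe in the mail above, written out as an added example (this is not code from the mail, from Dirk, or from any project named in the thread). It takes the KEYGEN form post, cleanses the values before they go into the "name = value" file that `openssl ca -spkac` reads, keys the request and certificate files on the SPKAC's SHA-1 as the mail does, builds the openssl argv without a shell, and returns the headers that make the browser re-join the certificate with its private key. The organisation name, directory layout, the `-batch` flag and the `inline` disposition type are assumptions; the sample SPKAC in the usage below is a constructed DER SEQUENCE, not a real signed key.

```python
"""Handle a <KEYGEN name=spkac> form post and sign it with `openssl ca -spkac`.

Added example, not code from the original mail. Paths, organisation name and
the Content-Disposition type are assumptions.
"""
import base64
import hashlib
import re
import subprocess
from pathlib import Path

# The -spkac input file is parsed with OpenSSL's config syntax, in which '$'
# (variable and ${ENV::...} expansion), '#' (comment), '\', quotes and
# newlines all have meaning. A conservative allow-list is the simplest way to
# stop a form value from adding or rewriting lines in that file.
_SAFE_VALUE = re.compile(r"[A-Za-z0-9 ._@,-]{1,64}")
_SAFE_SPKAC = re.compile(r"[A-Za-z0-9+/=]+")


def clean_value(value: str) -> str:
    """Return the value if it is safe to place in the spkac file, else raise."""
    value = value.strip()
    if not _SAFE_VALUE.fullmatch(value):
        raise ValueError(f"unsafe DN component: {value!r}")
    return value


def is_safe_value(value: str) -> bool:
    """Boolean form of clean_value, convenient for form validation."""
    try:
        clean_value(value)
        return True
    except ValueError:
        return False


def clean_spkac(spkac: str) -> str:
    """Unwrap the base64 the browser posts and check it decodes to DER."""
    spkac = "".join(spkac.split())  # browsers may line-wrap the base64
    if not _SAFE_SPKAC.fullmatch(spkac):
        raise ValueError("SPKAC is not base64")
    der = base64.b64decode(spkac, validate=True)
    if not der or der[0] != 0x30:  # SignedPublicKeyAndChallenge is a SEQUENCE
        raise ValueError("SPKAC does not decode to a DER SEQUENCE")
    return spkac


def build_spkac_file(name, email, org_unit, spkac, organisation="Example Org"):
    """Produce the name = value file that `openssl ca -spkac` consumes."""
    lines = [
        f"commonName = {clean_value(name)}",
        f"emailAddress = {clean_value(email)}",
        f"organizationName = {clean_value(organisation)}",  # assumed org name
        f"organizationalUnitName = {clean_value(org_unit)}",
        "localityName = Roma",
        "stateOrProvinceName = Roma",
        "countryName = IT",
        f"SPKAC = {clean_spkac(spkac)}",
    ]
    return "\n".join(lines) + "\n"


def cert_basename(spkac: str) -> str:
    """The mail names request and certificate files after the SPKAC's SHA-1."""
    return hashlib.sha1(clean_spkac(spkac).encode("ascii")).hexdigest()


def openssl_ca_argv(config, spk_path, out_path, days=365):
    """argv for the signing step; handed to subprocess without a shell."""
    return ["openssl", "ca", "-batch", "-config", str(config),
            "-spkac", str(spk_path), "-out", str(out_path), "-days", str(days)]


def response_headers(sha1: str) -> dict:
    """Headers that make the browser install the cert next to its private key."""
    return {
        "Content-Type": "application/x-x509-user-cert",
        "Content-Disposition": f'inline; filename="{sha1}.crt"',  # assumed type
    }


def issue_certificate(form, config, spk_dir, out_dir, days=365):
    """Write the SPKAC file, run openssl ca, return (headers, certificate bytes)."""
    spkac = clean_spkac(form["spkac"])
    sha1 = cert_basename(spkac)
    spk_path = Path(spk_dir) / sha1
    out_path = Path(out_dir) / sha1
    spk_path.write_text(build_spkac_file(form["name"], form["email"],
                                         form["org_unit"], spkac))
    subprocess.run(openssl_ca_argv(config, spk_path, out_path, days),
                   check=True, capture_output=True)
    return response_headers(sha1), out_path.read_bytes()


if __name__ == "__main__":
    # Constructed SPKAC: base64 of the DER SEQUENCE { INTEGER 1 }, enough to
    # exercise the file builder offline without a browser or a CA.
    sample = {"name": "Melvin Carvalho", "email": "melvin@example.org",
              "org_unit": "Web, Dev", "spkac": "MAMC\nAQE="}
    print(build_spkac_file(sample["name"], sample["email"],
                           sample["org_unit"], sample["spkac"]))
    print(cert_basename(sample["spkac"]))
```

`issue_certificate` is the only function that touches openssl; everything up to the signing step is pure and can be unit-tested, which is where the tainted-input checks live. A value such as `"Roma\nSPKAC = ..."` is rejected by `clean_value` before it can reach the file, and the argv list avoids the `$sha1` shell interpolation shown in the mail's one-liner.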