Based on no information and failing tests on http://demo.webpki.org/keygen.jsp http://demo.webpki.org/mozkeygen using G1, I draw the conclusion that client-side certificates are not yet implemented.
Well, <keygen> seems to be partially implemented GUI-wise at least :-) I wonder if it is possible to get a contact with the persons that actually implement this code? The reason for that is that I'm in the process of establishing a standard for key provisioning that is particularly intenended for mobile phones. Neither <keygen>, generateCRMFRequest (), or CertEnroll have the functionality needed in order to make a phone into a generally useful security token because they all lack an ability to recognize the container type so that the issuer could for example verify that the client's container matches FIPS140-2: http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf KeyGen2 already supports issuer-verifiable key-pair attestations which are equally usable for asymmetric key (PKI) deployment, as well as for downloading symmetric keys (shared secrets) into secure authenticated storage (AKA "smarter smart cards"): http://webpki.org/papers/keygen2/keygen2-key-attestation-1.pdf It is though more or less impossible to implement KeyGen2 without having a team involved since it affects the browser, the keystore and possibly even the kernel. The <keygen> tag was BTW, not adopted by the HTML5 team. Anders Rundgren
