Good questions and similar to what is on my mind. Please let me know if you get any good answers to these questions.
From: Ted Byers
Sent: Saturday, July 28, 2012 12:15 PM
To: openssl-users@openssl.org
Subject: client server management of client SSL certificates

I am familiar with basic usage of openssl to make certificates, but what I am unclear about is how one has a CA (certificate authority) on a server, for a given organization, and an RA (registration authority) using a different server in that organization, and then supports creating client certificates on a given user's machine once that user has logged into a secure website and passed a series of challenges and responses established between the RA and the user. And perhaps someone can shed a little light on whether there is anything more between an RA and CA than simply a message from the RA that a given person, who gives the right responses to these challenge questions, ought to receive a certificate.

How does one do that in a manner that is user friendly (i.e. without requiring the user to install openssl on his personal computer or mobile device, or having the user's private key transmitted over the web)? I would suppose that the key would remain confidential once the user has established an SSL connection with the server, so it could be made using a CGI script that in turn uses openssl to make the CSR and then send the private key and certificate to the user. But then the user would have to figure out how and where to install the key and certificate, and there is the question of whether or not the client's private key ought to ever be on the server.
I know people who are 'technically challenged' (you could almost describe them as Luddites, except that they are addicted to their smart phones and other assorted mobile devices - to the point they deserve the tickets they'd get while using them when driving) who could benefit from use of a combination of server and client certificates, if somehow I could establish a web server that makes it as easy for them to get their client certificates as it is for them to browse amazon.com to buy a book. Anything beyond that and their eyes would start to glaze over when you start giving them instructions on how to proceed. And we really want to avoid the glazed eye phenomenon! We also want to avoid having a company's MIS, or his designated assistant, having to create and install these certificates on every mobile device (smart phone, laptop, &c.) the company's staff have, or having to go to each of their homes to install the keys and certificates on their home computers.

Is there a JavaScript solution that handles creating the private key and CSR in the client's browser, and transmits the CSR to the server so it can create and sign the certificate, which is then sent back to the browser so a different JavaScript function can handle installing both the key and certificate in the right places, and back up both to a 'safe' place? If so, is there a variant which is certain to work in all browsers and that can install the certificates in all the browsers installed on the client's machine as well as in all the email clients installed on the client's machine (so the user can encrypt or sign, or both, any document, and check signatures and decrypt documents, regardless of whether transmitted via email or the web)?

Any information that can be provided would be greatly appreciated.

Thanks

Ted
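The CSR flow Ted sketches (key pair generated on the user's side, only the CSR handed to the CA, the signed certificate returned, then key and certificate bundled for import into a browser or mail client), as an added example using the openssl command line. This is not code from the thread or from the OpenSSL project; the two directories stand in for the CA server and the user's machine, and the directory layout, subject names, validity periods and the PKCS#12 password are assumptions made for the demo. It also includes the check Ted's last concern points at: the private key is created and stays on the client side, and the CA directory never receives it.

```shell
#!/bin/sh
# Added example: client-certificate issuance via a CSR with the openssl CLI.
# Paths, subjects and the export password below are assumptions for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CA="$WORK/ca"          # stands in for the CA server
CLIENT="$WORK/client"  # stands in for the user's machine

# Step 1: one-time CA setup, a self-signed root kept on the CA server only.
setup_ca() {
  mkdir -p "$CA"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$CA/ca.key" -out "$CA/ca.crt" \
    -subj "/CN=Example Org CA" 2>/dev/null
}

# Step 2: on the client, generate the key pair and a CSR. Only client.csr is
# sent to the server; client.key is created here and never copied elsewhere.
make_client_csr() {
  mkdir -p "$CLIENT"
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$CLIENT/client.key" -out "$CLIENT/client.csr" \
    -subj "/CN=ted@example.org/O=Example Org" 2>/dev/null
  chmod 600 "$CLIENT/client.key"
}

# Step 3: after the RA has vetted the user, the CA signs the CSR. The extension
# file limits the resulting certificate to client authentication and email use,
# and forbids it from acting as a CA itself.
sign_client_csr() {
  cp "$CLIENT/client.csr" "$CA/incoming.csr"      # simulates the upload over TLS
  printf '%s\n' 'basicConstraints=CA:FALSE' \
    'keyUsage=digitalSignature,keyEncipherment' \
    'extendedKeyUsage=clientAuth,emailProtection' > "$CA/client.ext"
  openssl x509 -req -in "$CA/incoming.csr" \
    -CA "$CA/ca.crt" -CAkey "$CA/ca.key" -CAcreateserial \
    -days 365 -extfile "$CA/client.ext" -out "$CA/issued.crt" 2>/dev/null
  cp "$CA/issued.crt" "$CLIENT/client.crt"        # simulates the download
}

# Step 4: on the client, confirm the certificate chains to the CA and carries
# our own public key, then bundle key + cert + CA into a PKCS#12 file, which is
# the format browsers and mail clients import.
bundle_for_import() {
  openssl verify -CAfile "$CA/ca.crt" "$CLIENT/client.crt" >/dev/null
  key_pub=$(openssl pkey -in "$CLIENT/client.key" -pubout 2>/dev/null)
  crt_pub=$(openssl x509 -in "$CLIENT/client.crt" -pubkey -noout)
  [ "$key_pub" = "$crt_pub" ] || return 1
  openssl pkcs12 -export -inkey "$CLIENT/client.key" -in "$CLIENT/client.crt" \
    -certfile "$CA/ca.crt" -passout pass:changeit -out "$CLIENT/client.p12"
}

# Succeeds only if the private key exists on the client and never reached the CA.
key_stayed_on_client() {
  [ -f "$CLIENT/client.key" ] && [ ! -f "$CA/client.key" ]
}

# Runs the whole flow; exit status 0 means every step and check passed.
run_demo() {
  setup_ca && make_client_csr && sign_client_csr \
    && bundle_for_import && key_stayed_on_client
}
```

Run it with `sh issue.sh && echo ok` after appending a call to `run_demo`; the resulting `client/client.p12` is the single file the user imports. The design point is the split in step 2 versus step 3: the CGI-style alternative Ted describes, where the server runs `openssl req -newkey` itself and ships the key back, works mechanically but leaves a copy of the user's private key on the server, so a server compromise exposes every client identity ever issued. Generating the key on the user's side and transporting only the CSR keeps the CA's exposure to signing.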