There are a number of ways of making certificates.
In Browser Support
The easiest method to generate a certificate for the end user is to have the Social Web server support the creation of certificates: the browser creates the public/private key pair and sends only the public key to the server, which then creates a WebID Certificate from that public key. The server knows the user's WebID, since it is in charge of publishing the RDF profile, so it is in the best position to create the certificate. The browser keeps hold of the private key without ever revealing it to the server; what the server receives is the public key signed with that private key, which is also the server's proof that the browser really holds the key.
There are two ways of doing this. The keygen element, later standardised in HTML5, has been available in most desktop browsers other than Internet Explorer since at least 2000. Microsoft's Internet Explorer had its own ActiveX-based method of achieving the same thing. Note that keygen has since been deprecated and removed from the HTML standard and from current versions of Chrome and Firefox, so this path only works in older browsers.
As the following video illustrates, creating a WebID Certificate is then as easy as clicking a button: WebID Creation in 4 minutes. It also shows how one can use the same WebID from several browsers, each with its own key and certificate, without having to copy a certificate from one browser to another.
The video WebID in Browsers explains how keygen works, and comes with a UML sequence diagram showing how certificate creation is done.
Code for parsing the keygen result (the SPKAC structure the browser posts) can be found
- in Java: in the keygen module of the foafssl GitHub repository
Internet Explorer doesn't support the keygen element. A JavaScript shim (described below) adds keygen compatibility to IE. It is based on the IEKeygen.js that Bruno Harbulot wrote for Clerezza, but it is a little more generic.
What must be changed
On the client side it should require just a conditional include of the script.
On the server side, PKCS#10 support must be added; in our case this is more or less just a different packaging of the same public key (the IE ActiveX component produces a PKCS#10 certificate request, whereas keygen produces an SPKAC). In both cases the server should verify the request's signature before issuing anything, since that signature is the only proof that the browser actually holds the matching private key. The PHP code in the repository uses OpenSSL; if you look at the code in OpenSslCertificateBuilder.php you will see it is nearly the same.
The drawback of this solution
Microsoft doesn't trust its own ActiveX components. This means the page must be in the Trusted Sites zone, or the user has to change the "Initialize and script ActiveX controls not marked as safe for scripting" setting from Disable to Prompt. Changing that setting weakens IE's ActiveX protection for every page in the zone, so adding the site to the Trusted Sites zone is preferable to relaxing the Internet zone.
This was only tested with Windows 7. Feedback for other versions is welcome.
On page load the script searches for a keygen element and adds a combobox for key length selection after the keygen element in the DOM. The selected key length is written to the keylength attribute of the keygen element. The action attribute of the form element is renamed to ekaction, so that a normal form submission (which would navigate away) does not happen. The .serialize() function is used to get the form data in application/x-www-form-urlencoded format, and Ajax is used to send the data to the server. The response is then forwarded to the ActiveX component, and finally the certificate is installed in the Windows key store.
OSX Keychain support
The blog post WebID On OSX shows how to do this using Apple's Keychain. This is useful for people who are somewhat technically savvy and want to write out the RDF for their WebID profile by hand. When doing so, the cert:modulus and cert:exponent values written into the profile must match the public key in the certificate exactly, otherwise WebID authentication will fail.