Creating Certificates

From WebID Wiki
Jump to: navigation, search

There are a number of ways of making certificates.

In Browser Support

The easiest method to generate a certificate for the end user is to have the Social Web server support the creation of certificates by having the browser create the public/private key, and send the public key to the server, which can then create a WebID Certificate from that public key. The Server will have knowledge of the users' WebID as it will be in charge of publishing the RDF, so it is in the best position to create the certificate. The Browser can keep hold of the private key without revealing it to the server.

There are two ways of doing this. The KeyGen method, now standard in HTML5, was available for most desktop browsers other than Internet Explorer since at least 2000. Microsoft's Internet Explorer had its own ActiveX based method of achieving the same thing.

As the following video illustrates, creating a WebID Certificate is then as easy as clicking a button:WebID Creation in 4 minutes . It shows how one can even use the same WebIDs in multiple browsers without having to copy the certificate over.


The video WebID in Browsers explains how keygen works, and comes with a UML seuqence diagram showing how Certificate creation is done.

Code for parsing the Key results can be found

Internet Explorer

Internet Explorer doesn't support the keygen element out of the box. The only way to generate certificate request in the browser is the X509Enrollment ActiveX component. ExplorerKeygen is a JavaScript class which brings nearly full keygen compatibility to IE. It's based on IEKeygen.js Bruno Harbulot wrote for Clerezza, but it's a little bit more generic.

What must be changed

It should require just a conditional include on the client side:

<!--[if IE]>
 <script type="text/javascript" src="explorer-keygen.js"></script>

On the server side PKCS10 support must be added, which is in our case more or less just a different packaging of the public key. The PHP code in the repository is using OpenSSL. If you look at the function buildCertificateSpkac and buildCertificatePkcs10 in OpenSslCertificateBuilder.php you will see it's nearly the same code.

The drawback of this solution

Microsoft doesn't trust it's own ActivceX components. This means the page must be in the trusted zone or the user has to change initialization of untrusted ActiveX components settings from disabled to ask.

This was only tested with Windows 7. Feedback for other Versions is welcome.

In detail

On page load it searches for a keygen element and adds a combobox for the key length selection after the keygen element to the DOM. The key length will be written to the keylength attribute in the keygen element. Also the action attribute in the form element gets renamed to ekaction to avoid submitting the form. The submit button is replaced with another button that calls some JavaScript code. If the newly created button is pressed, the JavaScript code will call the ActiveX component and create a new certificate signing request. For the CSR a new hidden input field will be created. The jQuery .serialize() function is used to get the form data in www-form-urlencoded format and Ajax is used to send the data to the server. Than the response is forwarded to the ActiveX component. And finally the certificate is installed in the Windows Keystore.


The JavaScript code is MIT licensed, the PHP code GPL 3.

Subversion repository

Other Methods

OSX Keychain support

The following blog WebID On OSX shows how to do this using the Apple Keychain. This is useful for people who are a little technically savy, and who want to write out the RDF for the WebID Profile by hand.