Difference between revisions of "JGridstart/Browser certificate installation"

From PDP/Grid Wiki
Jump to navigationJump to search
(initial version)
 
(add template)
 
(15 intermediate revisions by the same user not shown)
Line 1: Line 1:
Installing a certificate into a browser can be done in a lot of ways, some of which are cumbersome for the user, others are a lot of work to implement for the developer. jGridStart is a Java application, so the starting point is to install a client certificate and private key into browsers' keystores. Some approaches are discussed below.
+
{{JGridstart}}Installing a certificate into a browser can be done in a lot of ways, some of which are cumbersome for the user, others are a lot of work to implement for the developer. [[JGridstart|jGridstart]] is a Java application, so the starting point is to install a client certificate and private key from Java into browsers' keystores.
 +
 
 +
It appears that each web browser either uses the system's keystore (like Internet Explorer), or has its own keystore (like Firefox). Each type of keystore then needs an implementation to access it. This has currently been implemented in jGridstart using the browsers <code>[http://jgridstart.nikhef.nl/javadoc/index.html?nl/nikhef/jgridstart/install/package-summary.html install]</code> package. This takes care of detecting available web browsers, opening web pages in them, and installing certificates. <code>browsertool</code> is a program that lets you do all this from the command-line (see jGridstart source code).
 +
 
 +
==Other approaches==
 +
Some other approaches for installing certificates are discussed below. This section is incomplete and kept here for reference only.
 +
 
 +
{| border="1" style="text-align:center"
 +
! !! Mozilla/Firefox !! Internet Explorer !! Safari !!
 +
|-
 +
! manual import of PKCS#12
 +
| V || V || V    || ''cumbersome for user''
 +
|-
 +
! open PKCS#12 in browser
 +
|  || V || ?    ||
 +
|-
 +
! pk12util
 +
| V ||  || ?    || ''browser must be closed''
 +
|-
 +
! cryptext
 +
|  || V ||      ||
 +
|-
 +
! XPCOM
 +
| V ||  ||      ||
 +
|-
 +
! certtool
 +
|  ||  || V    ||
 +
|}
 +
 
 +
===Manual import of PKCS#12 file within browser===
 +
This is a method that always works: jGridstart exports a PKCS#12 file which the user imports from the browser. This can be a fairly complex procedure (e.g. Firefox has the certificate manager buried deeply into the advanced options). While fine as a fallback method (e.g., for less common browsers) it is not very convenient.
  
 
===Open PKCS#12 file with browser===
 
===Open PKCS#12 file with browser===
When a PKCS#12 file containing the private key and certificate is opened with a web browser, it would be sensible to install that into the browser's keystore. This probably works on Windows, but Mozilla Firefox doesn't and handles it as an ordinary downloaded file. When served over HTTP instead of opening a local file with mimetype <tt>application/x-x509-user-cert</tt>, Firefox only imports the certificate if a private key is already present in its keystore (so it would only work with the KeyGen tag). [http://www.nabble.com/Problem-with-Content-type:application-x-x509-user-cert-td18725031.html]  
+
jGridstart saves a PKCS#12 file and feeds it to the browser as a local file. This probably imports the data into the system certificate store on Windows, but Mozilla Firefox doesn't and handles it as an ordinary downloaded file. When served over HTTP instead of opening a local file with mimetype <tt>application/x-x509-user-cert</tt>, Firefox only imports the certificate if a private key is already present in its keystore (so it would only work with the KeyGen tag). [http://www.nabble.com/Problem-with-Content-type:application-x-x509-user-cert-td18725031.html] [https://developer.mozilla.org/en/NSS_Certificate_Download_Specification] [http://www.jibble.org/miniwebserver/]
 +
 
 +
===<tt>pk12util</tt>===
 +
Mozilla Firefox (and other programs based on XULRunner) can query and modify the keystore using the command-line tool <tt>pk12util</tt>. This is installed by default on Linux but not Windows. When <tt>pk12util</tt> runs, the browser must be closed or the keystore is overwritten when it closes. The Windows keystore has a similar tool, iirc. [http://www.mozilla.org/projects/security/pki/nss/tools/pk12util.html]
 +
 
 +
Before running pk12util the browser must be closed. This can be tested by looking at the [http://kb.mozillazine.org/Profile_in_use lock file] (on Linux, at least, <tt>lock</tt> is present only when the Profile is running). An alternative to check if the 'default' Firefox profile is running is by using <tt>firefox -remote 'ping()'</tt>, which will only fail if it's not running.
 +
 
 +
===<tt>cryptext</tt>===
 +
Microsoft cryptography extensions for managing the system's certificate store. It can be accessed in several ways:
 +
* using <tt>cryptext.dll</tt>, e.g. with <tt>rundll32</tt> [http://www.robvanderwoude.com/unattended.php#Encryption]
 +
* using <tt>certmgr.exe</tt>, part of Windows SDK [http://msdn.microsoft.com/en-us/library/e78byta0%28VS.80%29.aspx]
 +
* using the [http://msdn.microsoft.com/en-us/library/aa376007(VS.85).aspx CEnroll] ActiveX object
 +
* ... other?
 +
 
 +
===XPCOM===
 +
The API of Mozilla programs can be accessed using XPCOM, also from Java. This requires finding the program installation directory and locating the jar. Of course then the ABI (32bit/64bit) of Java and Firefox must be equal, but it should be possible to update the keystore when the browser is running. Only applicable for Mozilla-based products, of course. [https://developer.mozilla.org/en/JavaXPCOM] [http://wirestorm.net/blog/category/java/]
 +
It does not seem that JavaXPCOM is distributed with Firefox, so it would be quite a hassle to use it in practice.
 +
 
 +
===certtool===
 +
[http://developer.apple.com/documentation/Darwin/Reference/ManPages/man1/certtool.1.html certtool] is a command-line tool (also shown [http://computing.fnal.gov/software/MacOSX/importingDOEcerts.html here])
 +
 
  
 
==Related==
 
==Related==
 
* [http://ejbca.sourceforge.net/sensornet/CertificateInfrastructure.html SensorNet Public/Private Key Certificate Infrastructure]
 
* [http://ejbca.sourceforge.net/sensornet/CertificateInfrastructure.html SensorNet Public/Private Key Certificate Infrastructure]
 
* [https://www.racf.bnl.gov/docs/howto/grid/getcertweb DOEgrid] enrollment
 
* [https://www.racf.bnl.gov/docs/howto/grid/getcertweb DOEgrid] enrollment
 +
* [https://addons.mozilla.org/en-US/firefox/addon/4471 Key Manager] Firefox extension that does most PKI stuff in a GUI

Latest revision as of 12:38, 29 March 2012

<sidebar>

  • jGridstart
    • JGridstart|Home
    • JGridstart/Help|Help
    • JGridstart/Support|Support
  • jGridstart for ...
    • JGridstart/Certificate_Authorities|Certificate Authorities
    • JGridstart/Developers|Developers

</sidebar>Installing a certificate into a browser can be done in a lot of ways, some of which are cumbersome for the user, others are a lot of work to implement for the developer. jGridstart is a Java application, so the starting point is to install a client certificate and private key from Java into browsers' keystores.

It appears that each web browser either uses the system's keystore (like Internet Explorer), or has its own keystore (like Firefox). Each type of keystore then needs an implementation to access it. This has currently been implemented in jGridstart using the browsers install package. This takes care of detecting available web browsers, opening web pages in them, and installing certificates. browsertool is a program that lets you do all this from the command-line (see jGridstart source code).

Other approaches

Some other approaches for installing certificates are discussed below. This section is incomplete and kept here for reference only.

Mozilla/Firefox Internet Explorer Safari
manual import of PKCS#12 V V V cumbersome for user
open PKCS#12 in browser V ?
pk12util V ? browser must be closed
cryptext V
XPCOM V
certtool V

Manual import of PKCS#12 file within browser

This is a method that always works: jGridstart exports a PKCS#12 file which the user imports from the browser. This can be a fairly complex procedure (e.g. Firefox has the certificate manager buried deeply into the advanced options). While fine as a fallback method (e.g., for less common browsers) it is not very convenient.

Open PKCS#12 file with browser

jGridstart saves a PKCS#12 file and feeds it to the browser as a local file. This probably imports the data into the system certificate store on Windows, but Mozilla Firefox doesn't and handles it as an ordinary downloaded file. When served over HTTP instead of opening a local file with mimetype application/x-x509-user-cert, Firefox only imports the certificate if a private key is already present in its keystore (so it would only work with the KeyGen tag). [1] [2] [3]

pk12util

Mozilla Firefox (and other programs based on XULRunner) can query and modify the keystore using the command-line tool pk12util. This is installed by default on Linux but not Windows. When pk12util runs, the browser must be closed or the keystore is overwritten when it closes. The Windows keystore has a similar tool, iirc. [4]

Before running pk12util the browser must be closed. This can be tested by looking at the lock file (on Linux, at least, lock is present only when the Profile is running). An alternative to check if the 'default' Firefox profile is running is by using firefox -remote 'ping()', which will only fail if it's not running.

cryptext

Microsoft cryptography extensions for managing the system's certificate store. It can be accessed in several ways:

  • using cryptext.dll, e.g. with rundll32 [5]
  • using certmgr.exe, part of Windows SDK [6]
  • using the CEnroll ActiveX object
  • ... other?

XPCOM

The API of Mozilla programs can be accessed using XPCOM, also from Java. This requires finding the program installation directory and locating the jar. Of course then the ABI (32bit/64bit) of Java and Firefox must be equal, but it should be possible to update the keystore when the browser is running. Only applicable for Mozilla-based products, of course. [7] [8] It does not seem that JavaXPCOM is distributed with Firefox, so it would be quite a hassle to use it in practice.

certtool

certtool is a command-line tool (also shown here)


Related