Projects:

nl.nikhef.slcshttps

Method used by the IMDI browser to obtain a certificate, see image below

(mostly) User point of view:

User clicks/chooses initialization option
java browser starts a webbrowser...
which via the online CA at SURFnet...
redirects webbrowser to WAYF (Where Are You From) server where user chooses his Identity Provider.
User logs in at IdP
Webbrowser redirects back to online CA. User closes webbrowser.
After confirmation by user, java browser now connects itself to online CA
java browser retrieves certificate from online CA and the user can use it to authenticate with client side certificates.

Technical overview:

Initialization procedure:
1. javabrowser creates a per-session keypair (i.e. never saved to disk).
2. javabrowser creates a certificate signing request (CSR)
.
javabrowser starts a webbrowser...
the URL is the online CA + a hash of the CSR.
Now the standard Shibboleth trajectory starts: Online CA redirects the browser to a WAYF where the user chooses his IdP.
User logs in at his/her IdP.
Webbrowser sends the user back to the online CA. The URL is now rewritten using Shibboleth, and the Online CA knows that the user, who send the CSR hash, is authorized. The user now tells the javabrowser that (s)he is finished with the webbrowser.
The javabrowser sends the full CSR to the Online CA.
The Online CA:
1. calculates the hash
2. checks whether it is known/corresponds to a authorized user.
3. if yes, signs the CSR
4. sends a HTTP reply with the signed certificate.
The signed certificate is stored inside the javabrowser and will be offered as client side certificate upon opening a HTTPS connection.

Talks:

Note that you also need the BouncyCastle provider. Direct link to the JDK1.5 jarfile