5

HTML5 has the <keygen> element that sends an SPKAC to the server (as I understand it).

But how do you do it in IE?

One CA's website gives me the following prompt:

This Web site is attempting to perform a digital certificate operation on your behalf:

https://www.startssl.com/

You should only allow known Web sites to perform digital certificate operations on your behalf.
Do you want to allow this operation?

That's cool and all but how do they do it and how do I make it so a website of mine can generate private keys for people? IE doesn't support the keygen element.

Thomas Pornin
neubert

2 Answers

7

With Internet Explorer, for this kind of job, you are supposed to use the CertEnroll API (in pre-Vista Windows, this was called XEnroll); it can be used from JavaScript. This implies JavaScript to detect the type of browser.

Microsoft says that lack of support for <keygen> is "by design".

Glorfindel
Thomas Pornin
0

When this question was asked in 2013, we did not have the Web Crypto API, but now we do. The SubtleCrypto.generateKey() function can be used to generate RSA key pairs on the client side, in JavaScript. See https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/generateKey for more info.

mti2935
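The Web Crypto approach from the answer above, as an added example that is not part of the original post: it generates an RSA key pair whose private key cannot be exported by script, exports the public key as SPKI, and signs a server-issued challenge as proof of possession. The function names and the challenge string are assumptions, and the output is a plain SPKI plus signature, not an SPKAC or CSR structure.

```javascript
// Added example; function names and the challenge string are illustrative.
const ALG = { name: 'RSASSA-PKCS1-v1_5', hash: 'SHA-256' };

// Web Crypto is global in browsers and recent Node; older Node needs the import.
async function getSubtle() {
  if (globalThis.crypto && globalThis.crypto.subtle) return globalThis.crypto.subtle;
  return (await import('node:crypto')).webcrypto.subtle;
}

// Wrap DER bytes as a PEM "PUBLIC KEY" block.
function toPem(der) {
  const b64 = btoa(String.fromCharCode(...new Uint8Array(der)));
  return '-----BEGIN PUBLIC KEY-----\n' + b64.match(/.{1,64}/g).join('\n') +
    '\n-----END PUBLIC KEY-----\n';
}

// Client side: generate the pair, keep the private key non-extractable,
// and sign the challenge the server issued for this enrollment.
async function generateEnrollmentKey(challenge) {
  const subtle = await getSubtle();
  const keyPair = await subtle.generateKey(
    { ...ALG, modulusLength: 2048, publicExponent: new Uint8Array([1, 0, 1]) },
    false, // extractable = false: script cannot export the private key
    ['sign', 'verify']);
  const spki = await subtle.exportKey('spki', keyPair.publicKey);
  const signature = await subtle.sign(ALG, keyPair.privateKey,
    new TextEncoder().encode(challenge));
  return { keyPair, spki, spkiPem: toPem(spki), signature };
}

// Server-side check (shown with the same API): import the submitted SPKI
// and verify the signature over the challenge that was issued.
async function verifyEnrollment(spki, signature, challenge) {
  const subtle = await getSubtle();
  const pub = await subtle.importKey('spki', spki, ALG, true, ['verify']);
  return subtle.verify(ALG, pub, signature, new TextEncoder().encode(challenge));
}

// Exporting the private key must be rejected when extractable is false.
async function privateKeyIsLocked(keyPair) {
  const subtle = await getSubtle();
  try { await subtle.exportKey('pkcs8', keyPair.privateKey); return false; }
  catch (e) { return true; }
}
```

Unlike <keygen> or CertEnroll, a key generated this way is a CryptoKey object held by the page's origin; it is not placed in the browser or operating system certificate store.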