[Freeipa-devel] Mozilla Specific User Certificate Generation code:

Adam Young adam at younglogic.com
Mon Oct 3 23:38:08 UTC 2011


It is possible to generate a certificate signing request from the 
browser, if we use Mozilla-specific code.  I've mildly hacked the 
Mozilla sample code to work with jQuery and to display the CSR to the 
screen, instead of sending it right to the server.

I'd see this working something like this:

1.  Add the certificate attribute to the user plugin.
2.  On the user page, if the principal of the user selected matches the 
Kerberos principal for the logged-in user, show the certificate control.
3.  The certificate control allows the user to request a new certificate.
4.  If the user has a certificate, the certificate control allows the 
user to download the certificate.


I have to look into the details, but the certificate should only be 
usable by default in the browser that originally requested it.  
However, it is fairly easy to export the certificate, along with the 
primary keys that generated its CSR, such that it would be usable 
elsewhere. For example: https://ca.cern.ch/ca/Help/?kbid=040111

This seems fairly simple to implement.  We would not even have to 
extend the API.  We keep the certificate request separate from the user 
until it is signed, and then add it to the user object.  Thus it would 
be created as a side effect of:

  ipa cert-request --add --principal=abradley@DEV.EXAMPLE.COM abradley.csr



