= CSR Generator =

== Motivation and Overview ==
Since [[FAQ/CSR|CSR]] creation was deprecated and phased out of current browser versions, creating a certificate signing request (CSR) has become quite complicated. The [[FAQ/CSR|CSR article mentioned before]] contains several descriptions of how to create a CSR, but at least for Windows all of them require downloading and installing some kind of software. While users of Unix variants and Mac OS usually have OpenSSL as part of the operating system, this project focuses on the need to provide an easy-to-use tool for Windows users that creates a public/private key pair, creates a CSR including the created public key, and finally packages the public/private key pair with the certificate created by CAcert into a key storage file, which can then be imported into the Windows key storage or the key databases of Firefox and Thunderbird.

== Requirements ==
 * Ideally there should be a single installation file, signed by a CAcert issued certificate.
 * If additional software has to be installed, it should be well known/widely used and easy to install by users who are not used to doing system administration.
 * Probably the goal should be a workflow like this:
  * The tool creates a public/private key pair
  * The tool creates a CSR and offers it to the user for a Copy/Paste operation
  * The user copies that CSR and pastes it into the CAcert website while asking for a certificate
  * The CAcert website displays the created certificate for a Copy/Paste operation
  * The user copies the certificate into the tool
  * The tool asks the user for a password and packages the keys and certificate in a PKCS#12/PFX file, which can be imported into Mozilla's and Windows' key storages
  * Optionally, '''and only if the user explicitly requests it''', certificate and keys should be stored as PEM files, for use in Apache, NGINX or related web servers.

Note that in a second step this tool might be extended to use the [[Software/Projects/ACME protocol|ACME protocol]] to create the certificate on the CAcert website with much less user interaction!

== Ideas ==
There are many possible approaches to this problem, to list a few of them:
 * Use !JavaScript to do the job in a browser: [[https://developer.mozilla.org/en-US/docs/Web/API/Web_Crypto_API|Web Crypto API]] and/or maybe [[https://pkijs.org/]]
 * Use your preferred programming environment to create an EXE file or an MSI installer file to do the job
 * Use Windows PowerShell and/or Windows' certreq.exe to create a CSR with OS tools. A search engine returned lots of hits, some examples are [[https://4sysops.com/archives/create-a-certificate-request-with-powershell/]] and [[https://www.namecheap.com/support/knowledgebase/article.aspx/9854/14/how-to-generate-a-csr-code-on-a-windowsbased-server-without-iis-manager/]]. This might be an elegant solution because, as a script language, PowerShell can easily be reviewed, and all necessary tools are included in not too old Windows versions.
 * Implement the [[Software/Projects/ACME protocol|ACME protocol]] for CAcert and let a [[https://letsencrypt.org/docs/client-options/|standard tool]] do the job.
   I guess that this is more work, so it probably is the second step, but maybe on closer inspection this turns out to be less complicated than expected?

The !JavaScript approach has been followed on [[https://secure.convey.de/publish/ted/TestPKI.html]]. The remaining problem is the final step to create a PKCS#12 file. Though such a file can be created, the available algorithms are not compatible with Mozilla's import process. The implementation is based on an adapted PKI.js library.
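The first two workflow steps (create a key pair, create a CSR for Copy/Paste) can be done with the Web Crypto API alone, as the following added example shows. It is not the code of the test page linked above and does not use PKI.js; the function names `der`, `createCsr` and `toPem`, the RSA-2048/SHA-256 choice and the sample common name are assumptions made for illustration.

```javascript
// Added example: key pair + PKCS#10 CSR using only the Web Crypto API.
// Works in a browser; under Node.js it falls back to the built-in webcrypto.
const subtle = (globalThis.crypto ?? require('node:crypto').webcrypto).subtle;

// Minimal DER encoder: tag, definite length (up to 65535), concatenated contents.
function der(tag, ...parts) {
  const body = parts.flatMap(p => Array.from(p));
  const len = body.length < 0x80 ? [body.length]
    : body.length < 0x100 ? [0x81, body.length]
    : [0x82, body.length >> 8, body.length & 0xff];
  return Uint8Array.from([tag, ...len, ...body]);
}

const OID_CN = [0x06, 0x03, 0x55, 0x04, 0x03];            // 2.5.4.3 commonName
const ALG_SHA256_RSA = der(0x30,                          // sha256WithRSAEncryption + NULL
  [0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b], [0x05, 0x00]);

function toPem(derBytes) {
  const b64 = btoa(String.fromCharCode(...derBytes));
  return '-----BEGIN CERTIFICATE REQUEST-----\n' +
    b64.match(/.{1,64}/g).join('\n') + '\n-----END CERTIFICATE REQUEST-----\n';
}

async function createCsr(commonName) {
  // extractable = true only because the workflow later packages the private
  // key into a password-protected PKCS#12 file; it never leaves the client.
  const keys = await subtle.generateKey(
    { name: 'RSASSA-PKCS1-v1_5', modulusLength: 2048,
      publicExponent: new Uint8Array([1, 0, 1]), hash: 'SHA-256' },
    true, ['sign', 'verify']);
  // exportKey('spki') already returns a DER SubjectPublicKeyInfo.
  const spki = new Uint8Array(await subtle.exportKey('spki', keys.publicKey));
  const subject = der(0x30, der(0x31, der(0x30, OID_CN,
    der(0x0c, new TextEncoder().encode(commonName)))));
  // CertificationRequestInfo: version 0, subject, public key, empty [0] attributes.
  const info = der(0x30, [0x02, 0x01, 0x00], subject, spki, [0xa0, 0x00]);
  // The CSR is self-signed with the new private key (proof of possession).
  const sig = new Uint8Array(
    await subtle.sign('RSASSA-PKCS1-v1_5', keys.privateKey, info));
  const csr = der(0x30, info, ALG_SHA256_RSA, der(0x03, [0x00], sig));
  return { keys, info, sig, csr, pem: toPem(csr) };
}

// Constructed sample subject; the PEM text is what the user would paste.
createCsr('client.example.org').then(r => console.log(r.pem));
```

The PEM output can be checked with `openssl req -in request.pem -noout -text -verify` before it is pasted into the CAcert website.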