Motivation and Overview
Since CSR creation was deprecated and phased out from current browser versions, creating a certificate signing request (CSR) has become quite complicated. There are several descriptions on how to create a CSR in the CSR article mentioned before, at least for Windows, but all of them require downloading and installing some kind of software.
While users of Unix variants and Mac OS usually have OpenSSL as part of the operating system, this project focuses on the need to provide an easy to use tool for Windows users to create a public/private key pair, a CSR including the created public key and finally to package the public/private key pair with the CAcert created certificate into a key storage which can then be imported into the Windows key storage (1) or the key databases of Firefox and Thunderbird.
- Ideally there should be a single installation file, signed by a CAcert issued certificate.
- If additional software has to be installed it should be well known/widely used and easy to install by users who are not used to doing system administration.
- Probably the goal should be a workflow like this:
  - The tool creates a public/private key pair
  - The tool creates a CSR and offers it to the user for a Copy/Paste operation
  - The user copies that CSR and pastes it into the CAcert website while asking for a certificate
  - The CAcert website displays the created certificate for a Copy/Paste operation
  - The user copies the certificate into the tool
  - The tool asks the user for a password and packages the keys and certificate in a PKCS#12/PFX file, which can be imported into Mozilla's and Windows' key storages
Optionally, and only if the user explicitly requests it (2), certificate and keys should be stored as PEM files, for use in Apache, NGINX or related web servers.
Note that in a second step this tool might be extended to use the ACME protocol to create the certificate on the CAcert website with much less user interaction!
There are many possible approaches to this problem, to list a few of them:
- Use your preferred programming environment to create an EXE file or an MSI installer file to do the job
- Use Windows PowerShell and/or Windows' certreq.exe to create a CSR with OS tools. A search engine returned lots of hits, some examples are https://4sysops.com/archives/create-a-certificate-request-with-powershell/ and https://www.namecheap.com/support/knowledgebase/article.aspx/9854/14/how-to-generate-a-csr-code-on-a-windowsbased-server-without-iis-manager/. This might be an elegant solution because, as a script language, PowerShell can easily be reviewed. And all necessary tools are included in not too old Windows versions
- Implement the ACME protocol for CAcert and let a standard tool do the job. I guess that this is more work, so it probably is the second step, but maybe on closer inspection this turns out to be less complicated than expected?
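As an added illustration of the PowerShell/certreq approach (not code from this page or from CAcert), the following script walks through the workflow sketched above using only Windows built-ins: key pair and CSR via certreq, a pause while the user pastes the CAcert certificate, then packaging into a password-protected PFX. The subject, common name and file names are placeholders.

```powershell
# Added example: the proposed workflow with Windows built-ins only.
# Subject, common name and paths are placeholders; adjust before use.
$CommonName = "www.example.org"                            # placeholder
$Subject    = "CN=$CommonName, O=Example, C=DE"            # placeholder
$Work       = Join-Path $env:USERPROFILE "cacert-csr"
New-Item -ItemType Directory -Force -Path $Work | Out-Null

# Steps 1+2: key pair and CSR. Exportable=TRUE is required, otherwise the
# private key can never be packaged into a PFX. MachineKeySet=FALSE keeps
# the key in the current user's store, so no admin rights are needed.
@"
[NewRequest]
Subject = "$Subject"
KeyAlgorithm = RSA
KeyLength = 2048
HashAlgorithm = SHA256
Exportable = TRUE
MachineKeySet = FALSE
RequestType = PKCS10
KeyUsage = 0xA0
[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$CommonName&"
"@ | Set-Content -Path "$Work\request.inf" -Encoding ASCII

certreq -new "$Work\request.inf" "$Work\request.csr"
Get-Content "$Work\request.csr"
Write-Host "Paste the CSR above into the CAcert web form."

# Step 3: the user saves the certificate shown by CAcert as cert.cer.
Read-Host "Save the CAcert certificate as $Work\cert.cer, then press Enter"

# certreq -accept binds the certificate to its private key in the user store.
certreq -accept -user "$Work\cert.cer"

# Step 4: package key + certificate as a password-protected PFX. No PEM
# file with an unencrypted key is written at any point (see footnote 2).
$cert = Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.Subject -like "*CN=$CommonName*" -and $_.HasPrivateKey } |
        Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with private key for $CommonName in CurrentUser\My" }
$pw = Read-Host -AsSecureString "PFX password"
Export-PfxCertificate -Cert $cert -FilePath "$Work\cacert.pfx" -Password $pw | Out-Null
Write-Host "Written $Work\cacert.pfx (import into Windows, Firefox or Thunderbird)"
```

The request.inf, CSR and cert.cer in the working directory contain no private material; the key lives only in the user's certificate store and in the encrypted PFX.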
The chromium based browsers like Chrome, Edge and Opera all use the Windows key storage, as well as Microsoft's Internet Information Server (1)
Apache requires that the private key is stored unencrypted in the PEM file! Such a file must not be created accidentally! (2)
PKI.js is intended to be used in a Node.js environment and can not easily be used in a browser. (3)