12:54 p.m.
How are people using the Certificates that they generate from the
Browser? Say I use the code at
/ca/ee/ca/profileSelect?profileId=caUserCert
To generate a new Cert Signing Request, the key pair for that CSR is in
my browsers NSS Database, but in order to even get to this point, I need
to have a Certificate allowing me to talk to the server, so I am
guessing I can't do this from the end users browser. I'm guessing the
workflow goes something like this:
1. A new member of an organization needs a certificate, so they go to
their supervisor
2. Supervisor fills out the form above and submites the CSR.
3. Someone in higher echelons approves the request and generates the
corresponding certificate
4. The Supervisor then gets the certificate to the end user.
How does the private key get to the end users browser? Does it go by
way of the CRM subsystem, and, if so, isn't there a chicken/egg problem
in getting it?
12:58 p.m.
On 09/19/2011 10:54 AM, Adam Young wrote:
How are people using the Certificates that they generate from the
Browser? Say I use the code at
/ca/ee/ca/profileSelect?profileId=caUserCert
You have to use the "end entity secure/non-secure" ports to do this...
To generate a new Cert Signing Request, the key pair for that CSR is
in my browsers NSS Database, but in order to even get to this point, I
need to have a Certificate allowing me to talk to the server, so I am
guessing I can't do this from the end users browser. I'm guessing the
workflow goes something like this:
1. A new member of an organization needs a certificate, so they go to
their supervisor
2. Supervisor fills out the form above and submites the CSR.
3. Someone in higher echelons approves the request and generates the
corresponding certificate
4. The Supervisor then gets the certificate to the end user.
How does the private key get to the end users browser? Does it go by
way of the CRM subsystem, and, if so, isn't there a chicken/egg
problem in getting it?
_______________________________________________
Pki-devel mailing list
Pki-devel(a)redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel
1:07 p.m.
On 09/19/2011 01:58 PM, Chandrasekar Kannan wrote:
On 09/19/2011 10:54 AM, Adam Young wrote:
> How are people using the Certificates that they generate from the
> Browser? Say I use the code at
>
> /ca/ee/ca/profileSelect?profileId=caUserCert
You have to use the "end entity secure/non-secure" ports to do this...
So does that mean that anyone can generate a signing request this way?
>
> To generate a new Cert Signing Request, the key pair for that CSR is
> in my browsers NSS Database, but in order to even get to this point,
> I need to have a Certificate allowing me to talk to the server, so I
> am guessing I can't do this from the end users browser. I'm guessing
> the workflow goes something like this:
>
> 1. A new member of an organization needs a certificate, so they go
> to their supervisor
> 2. Supervisor fills out the form above and submites the CSR.
> 3. Someone in higher echelons approves the request and generates the
> corresponding certificate
> 4. The Supervisor then gets the certificate to the end user.
>
>
> How does the private key get to the end users browser? Does it go by
> way of the CRM subsystem, and, if so, isn't there a chicken/egg
> problem in getting it?
>
>
>
> _______________________________________________
> Pki-devel mailing list
> Pki-devel(a)redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel
1:25 p.m.
On 09/19/2011 11:07 AM, Adam Young wrote:
On 09/19/2011 01:58 PM, Chandrasekar Kannan wrote:
> On 09/19/2011 10:54 AM, Adam Young wrote:
>> How are people using the Certificates that they generate from the
>> Browser? Say I use the code at
>>
>> /ca/ee/ca/profileSelect?profileId=caUserCert
>
> You have to use the "end entity secure/non-secure" ports to do this...
So does that mean that anyone can generate a signing request this way?
Yeah - as long as they know the host:port - a request can be generated -
and submitted to the CA.
Agent has the approval authority.
>
>
>>
>> To generate a new Cert Signing Request, the key pair for that CSR is
>> in my browsers NSS Database, but in order to even get to this point,
>> I need to have a Certificate allowing me to talk to the server, so I
>> am guessing I can't do this from the end users browser. I'm
>> guessing the workflow goes something like this:
>>
>> 1. A new member of an organization needs a certificate, so they go
>> to their supervisor
>> 2. Supervisor fills out the form above and submites the CSR.
>> 3. Someone in higher echelons approves the request and generates
>> the corresponding certificate
>> 4. The Supervisor then gets the certificate to the end user.
>>
>>
>> How does the private key get to the end users browser? Does it go
>> by way of the CRM subsystem, and, if so, isn't there a chicken/egg
>> problem in getting it?
>>
>>
>>
>> _______________________________________________
>> Pki-devel mailing list
>> Pki-devel(a)redhat.com
>> https://www.redhat.com/mailman/listinfo/pki-devel
>
4851
days inactive
4851
days old
3 comments
2 participants
participants (2)
-
Adam Young -
Chandrasekar Kannan