Alternatives to HTML's deprecated <keygen> for client certs?
In this post in the chromium forum there are alternatives mentioned
Within the browser space, alternatives exist such as:
- Use the device's native management capabilities if an enterprise use case. On Windows, this is Group Policy. On iOS/Android, this is the mobile device management suites. On OS X, this is Enterprise settings. On ChromeOS, there is chrome.enterprise.platformKeys [11] for enterprise-managed extensions.
- Use WebCrypto to implement certificate enrollment, then deliver the certificate and (exported) private key in an appropriate format for the platform (such as PKCS#7) and allow the native OS UI to guide users through installation of certificates and keys.
WebCrypto is supported by many browsers: [link]
And you can use openpgp.js and other solutions. [openpgp.js]
Here are some examples.
You can also generate a CSR: https://www.w3.org/community/webcryptoapi/draft/#generatecertrequest-method
Some library for generating CSRs: https://pkijs.org/
Here is an example with PKIjs for generating selfsigned X509 certs + the keypairs:
https://github.com/infotechinc/create-x509-certificate
The generateKey()
function creates keypairs.
https://dvcs.w3.org/hg/webcrypto-api/raw-file/tip/spec/Overview.html#SubtleCrypto-method-generateKey
The WebCrypto API is currently not an alternative for the keygen tag, as confirmed by the WebCrypto API spec:
This API, while allowing applications to generate, retrieve, and manipulate keying material, does not specifically address the provisioning of keys in particular types of key storage, such as secure elements or smart cards. This is due to such provisioning operations often being burdened with vendor-specific details that make defining a vendor-agnostic interface an unsuitably unbounded task. Additionally, this API does not deal with or address the discovery of cryptographic modules, as such concepts are dependent upon the underlying user agent and are not concepts that are portable between common operating systems, cryptographic libraries, and implementations.
In case you already have a <keygen>
-based setup and want to keep using it, I created a project which attempts to implement a JavaScript polyfill for <keygen>
:
https://github.com/CyberShadow/keygen.js