search

sipb / certassist

JavaScript interface to ca.mit.edu and ca.csail.mit.edu
https://certassist.mit.edu/
MIT License
10 stars 3 forks source link

Allow generating a key and CSR offline #3

Closed bbarenblat closed 5 years ago

bbarenblat commented 5 years ago

It would be nice if CertAssist let me manually provide a CSR, rather than generating a key and CSR in the browser.

Use case: I don’t want my key material to ever touch a machine that’s connected to the internet. I have a hardware PKCS#11 provider, but I don’t trust the random number generator on the device enough to generate a long-lived keypair. I’d like to generate my keypair on an offline machine, take the certificate to a connected machine, get it signed, take the signed certificate back to the offline machine, and then load everything onto the PKCS#11 device from there.

If I were implementing this, I’d do it as a new option in the “Generate private key” menu – “offline and upload CSR”. Selecting it would give appropriate openssl command lines to generate a key and export a CSR, and it would expose an upload button.

andersk commented 5 years ago

ca.mit.edu needs a slightly different interaction: instead of a CSR, we must provide an SPKAC, which is an MD5+RSA signed struct of the public key and a server-provided challenge string. It can be generated with the openssl spkac command. Would that work for your use case?

bbarenblat commented 5 years ago

I think that would work, provided there aren’t any aggressive timeouts in play. (It would probably take a few minutes to move the challenge onto the offline machine.)

andersk commented 5 years ago

Give this a try and see if it works.