In the world of PKI and SSL some certificate authorities use browsers such as Internet Explorer or Firefox to automatically generate keypairs to be used with Email-S/MIME Code Signing or Client Authentication Certificates. Not all Browsers have the capability to generate these keypairs due to licensing restrictions of the <keygen> and ActiveX controls that perform keypair creation in conjunction with operating systems restrictions.
The HTML <keygen> is a licensed element used to facilitate generation of key material, and submission of the public key as part of an HTML form. This mechanism is designed for use with Web-based certificate management systems.
Firefox is able to utilize the <keygen> and generate automatic keypairs because Firefox uses its own Keystores that do not interfere with operating systems such as Windows or Mac.
If Firefox was to use <keygen> to create keypairs directly into Windows OS keystores that could end up being a potential security concern as it could allow access to certain parts of the Windows operating system. Mozilla’s open sourced code and browser is not allowed by Microsoft to access Windows operating systems keystores. Firefox using its own keystore is a loophole.
ActiveX is a software framework created by Microsoft and is used by Internet Explorer, Visual Studio, Microsoft Office, etc.. that communicates, generates, and configures keypairs directly on Windows operating systems. Since this is owned by Microsoft they can do whatever they want on their own operating system. Microsoft’s new focus with their new Edge browser is security. Because of this Edge does not support ActiveX controls due to potential issues in security as stated with the Firefox <keygen> example, but is still supported in legacy Internet Explorer browsers.
BROWSER SUPPORT :
1. Microsoft Internet Explorer: IE uses the CertEnroll/XEnroll ActiveX control to generate and install certificates through the browser.
2. Microsoft Edge: Neither the <keygen> nor the CertEnroll/XEnroll ActiveX controls are present in Microsoft’s new Edge browser.
3. Mozilla Firefox: This browser supports key generation and certificate installation by default through the <keygen> function and special certificate file type handling.
Note: While Firefox supports in-browser certificate installation, it uses its own keystore to store the certificate and is not shared with other applications. Installing through Internet Explorer will install the certificate to the Windows Certificate Manager which is used by other applications such as Microsoft Office, Outlook, and Google Chrome. For this reason, Internet Explorer is recommended.
If Firefox is used to generate the keypair then you will have to export the certificate from the Firefox keystore to then apply the keypair pfx/p12 file to your operating system or application that requires it. For instruction on how to perform this review the article How To Export A Certificate From Firefox?
4. Google Chrome: Chrome uses Windows keystores it is not allowed to create keypairs that access the Windows operating system due to licensing and operating system restrictions states in the previous Firefox example. While the keygen function can manually be enabled, the custom filetype handling is still removed, therefore creation and installation of keypair through Google Chrome is not supported.
For more information on Firefox or Edge/Internet Explorer browser check out the following links:
Mozilla Developer – <keygen>
Windows IT Pro Center – Microsoft Edge Group Policy configuration options
Senior Lead IT Engineer
Be sure to Subscribe!!