X.509 Certificate generation and keygen

English on March 25th, 2020 No Comments

Background: In SSOCircle Public IDP we provide client certificates as a mean of strong authentication. For more than 10 years we offer PKI functionality to ease the generation of private/public key pairs as well as generate and enroll X.509 certificates. In the past most browsers supported HTML keygen tag or CertEnroll / Xenroll Active X to complete the key generation tasks.

Back in 2016 we blogged on the vanishing support of the <keygen> HTML element in Chrome Browser as of version 49. From that time keygen was only working after modifying some privacy settings.

As of today, the current support across the major browsers has almost completely faded away. The following table lists the status as of now (for desktop OS).

firefox Firefox keygen support ended as of version 69 (September 2019)
chrome Chrome keygen support ended as of version 57 (March 2017)
Limited support as of version 49
edge Edge no support for keygen or CertEnroll
internet-explorer IE supports CertEnroll Active X
safari Safari 1.2+ keygen supported
opera Opera 3+ supports keygen


We have recently got a lot of feedback about the missing PKI functionality in the SSOCircle public IDP. From the beginning we provided a #PKCS10 certificate creation form to enroll and bind the certificate to the user. Creating keys manually with the correct subject was tedious and error prone. Thanks to our user Ming Yu who provided a tutorial of how to enroll the certificate and avoid pitfalls, many users were able to manage that part. But many users were still missing the automatic enrollment by just simply clicking the “keygen” button.

So, what’s next: We have now modified the fuctionality to generate RSA key pairs, create and enroll the certificate by the virtue of a click … and a manual import step into the certificate manager …
As #PKCS12 files are supported by all certificate managers/browsers/OS we think we provide a way which supports all.
Details can be read here. Go and test it at the Public IDP

No Responses to “X.509 Certificate generation and keygen”

Leave a Reply

You must be logged in to post a comment.