The HTML <keygen> element exists to facilitate generation of key material, and submission of the public key as part of an HTML form.
This mechanism is designed for use with Web-based certificate management systems.
It is expected that the <keygen> element will be used in an HTML form along with other information needed to construct a certificate request, and that the result of the process will be a signed certificate.
Support for the non-standard <keygen> HTML element and the HTMLKeygenElement DOM interface was removed in Firefox 69.
Once a user has been authenticated, we generate the key pair and CSR in memory and submit the CSR for signing. Once we receive the certificate, we package it together with the matching private key as a password-protected PKCS12 file and present it on a web page for the user to download and install.
Once the .p12 file is available on the page, we destroy all key material and the certificate, so the user has only one shot at downloading it. If they do not, they will have to re-enroll for the certificate.
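The flow above (in-memory key pair and CSR, signing, PKCS12 packaging, then discarding the key) as an added, runnable illustration. This is not the portal's own code: the issuing CA is a throwaway self-signed test CA built in memory to stand in for the real signing service, the names, subject and one-year validity are assumptions, and the third-party Python "cryptography" package is required.

```python
"""Added example of a keygen-free client certificate enrollment flow.

Constructed stand-in for the portal flow: the key pair and CSR are created in
memory, the CSR is signed, the certificate and private key are packaged as a
password-protected PKCS#12 (.p12) blob, and every reference to the key is
dropped so the blob is the only copy the user can obtain.  The issuing CA is
a throwaway self-signed test CA (an assumption); the real service would hand
the CSR to its own CA instead.
"""
import datetime
import secrets

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.serialization import pkcs12
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID


def make_test_ca():
    """Build a self-signed CA in memory (constructed stand-in for the real CA)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Test Issuing CA")])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name).issuer_name(name).public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(days=1))
        .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
        .sign(key, hashes.SHA256())
    )
    return key, cert


def generate_key_and_csr(common_name):
    """Step 1: generate the user's key pair and CSR entirely in memory."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    csr = (
        x509.CertificateSigningRequestBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)]))
        .sign(key, hashes.SHA256())
    )
    return key, csr


def sign_csr(csr, ca_key, ca_cert):
    """Step 2: the CA checks proof of possession and issues a client-auth cert."""
    if not csr.is_signature_valid:
        raise ValueError("CSR signature invalid: proof of possession failed")
    now = datetime.datetime.now(datetime.timezone.utc)
    return (
        x509.CertificateBuilder()
        .subject_name(csr.subject).issuer_name(ca_cert.subject)
        .public_key(csr.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(days=365))  # assumed validity
        .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
        .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.CLIENT_AUTH]), critical=False)
        .sign(ca_key, hashes.SHA256())
    )


def package_pkcs12(key, cert, chain, password):
    """Step 3: bundle private key, certificate and chain into a password-protected .p12."""
    return pkcs12.serialize_key_and_certificates(
        name=b"client-auth",
        key=key,
        cert=cert,
        cas=chain,
        encryption_algorithm=serialization.BestAvailableEncryption(password.encode()),
    )


def enroll_once(common_name, ca_key, ca_cert):
    """Whole flow. Returns (p12_bytes, password); nothing else survives the call."""
    key, csr = generate_key_and_csr(common_name)
    cert = sign_csr(csr, ca_key, ca_cert)
    password = secrets.token_urlsafe(16)
    p12 = package_pkcs12(key, cert, [ca_cert], password)
    # Drop every reference to the private key. Python cannot guarantee
    # zeroisation, so this is best effort: nothing is written to disk and the
    # .p12 blob is the only artifact that leaves this function.
    del key, csr, cert
    return p12, password


def unpack_pkcs12(p12, password):
    """What the browser does on import; used to check the bundle round-trips."""
    return pkcs12.load_key_and_certificates(p12, password.encode())


def pkcs12_password_ok(p12, password):
    """True if the MAC/decryption succeeds with this password, else False."""
    try:
        unpack_pkcs12(p12, password)
        return True
    except ValueError:
        return False


def subject_cn(cert):
    """Return the certificate's subject CN as a string."""
    return cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value


def key_matches_cert(key, cert):
    """Check that the packaged private key belongs to the packaged certificate."""
    enc, fmt = serialization.Encoding.DER, serialization.PublicFormat.SubjectPublicKeyInfo
    return key.public_key().public_bytes(enc, fmt) == cert.public_key().public_bytes(enc, fmt)


if __name__ == "__main__":
    ca_key, ca_cert = make_test_ca()
    blob, pw = enroll_once("alice@example.test", ca_key, ca_cert)
    print(f"p12 size={len(blob)} bytes, password={pw}")
```

The password is generated server-side and shown to the user once alongside the download; a wrong password fails the PKCS12 integrity check on import, which is what keeps the downloaded file useless to anyone who obtains only the blob.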
Firefox 69 and above on both Windows and macOS will work fine for certificate issuance. It delivers a password-protected certificate in PKCS12 format that can be downloaded and manually installed in Firefox, or in any browser/platform that has browser caching enabled.
Certificate issuance via the Cloud Self-service portal, Enterprise Gateway use cases, and normal user flows are supported.
When picking up a certificate:
When downloading the certificate:
Before you start to issue a certificate, please confirm the use of “Web (Session) Storage” in Firefox. To verify this, follow these instructions:
For example, a normal user client authentication certificate issuance from Firefox 72 browser: