View Issue Details

IDProjectCategoryView StatusLast Update
0001417Main CAcert Websitecertificate issuingpublic2018-02-10 10:06
ReporterWiesshundAssigned To 
PriorityurgentSeveritymajorReproducibilityalways
Status confirmedResolutionopen 
PlatformPC Windows 10, IE11 Chrome FirefOSWindows 10 Pro 64bit, UbuntuOS VersionCurrent
Product Version2015 Q3 
Target VersionFixed in Version 
Summary0001417: Unable to generate client certificate
DescriptionUnable to generate client certificate
Clicking generate keypair in browser results in the error

"I didn't receive a valid Certificate Request, please try a different browser."

This happens in IE11, Edge, Chrome current version, and Firefox current version.
Steps To Reproducelog in to cacert.org
click client certificate
click new
check off wanted email address
click agree to terms
click generate keypair within browser

Immediately receive error "I didn't receive a valid Certificate Request, please try a different browser."
Same error occurs in IE11 Edge Chrome and Firefox

Additional InformationCACerts.org is added as trusted site
TLS and SSL are enabled
Tested running Trusted Sites on low security setting in IE
Tried on both 32 and 64 bit versions of all broswers
Tagsbrowser, certificates, html
Reviewed by
Test Instructions

Activities

L10N

2016-12-24 19:29

reporter   ~0005529

The same bug happend to me to with
- Chromium 55 on Ubuntu 16.04
- Vivaldi 1.6 64 Bit on Ubuntu 16.04
- Edge on Windows 10

But I could create a new certificate with
- Firefox 50.1 on Ubuntu 16.04

L10N

2016-12-28 10:43

reporter   ~0005534

Some other checks to create new certificates:
it does NOT work with
- Edge 38 on Windows 10
- Opera 42 on Windows 10
- Vivaldi 1.4 on Windows 10

it works still with
- Firefox 48.0 on Windows 10

L10N

2018-01-07 08:41

reporter   ~0005569

I filed a bug at Chromium and at Vivaldi a few days ago. Following the answer from Chromium:

    Issue 799246 in chromium: Cannot create a certificate with cacert.org
Absender
    Von: asa… via monorail

Updates:
Components: Internals>Network>Certificate
Status: WontFix

Comment 0000003 on issue 799246 by asanka@chromium.org: Cannot create a certificate with cacert.org
https://bugs.chromium.org/p/chromium/issues/detail?id=799246#c3

This site is using the <keygen> element to generate a keypair. This feature is deprecated. See https://www.chromestatus.com/features/5716060992962560

Attachments:
Screen Shot 2018-01-05 at 4.44.07 PM.png 22.1 KB

--
You received this message because:
1. You reported this issue

L10N

2018-01-07 08:43

reporter   ~0005570

"Since Chrome 49, <keygen>'s default behaviour has been to return the empty string, unless a permission was granted to this page. Removed in Chrome 57."

"IE/Edge do not support <keygen> and have not indicated public signals to support <keygen>. Firefox already gates <keygen> behind a user gesture, but is publicly supportive of removing it. Safari ships <keygen> and has not expressed public views regarding its continued support."

source: https://www.chromestatus.com/features/5716060992962560

L10N

2018-01-07 09:00

reporter  

keygen.png (22,621 bytes)
keygen.png (22,621 bytes)

L10N

2018-01-07 09:03

reporter   ~0005571

Further information at https://developer.mozilla.org/en-US/docs/Web/HTML/Element/keygen

"Deprecated
This feature has been removed from the Web standards. Though some browsers may still support it, it is in the process of being dropped. Avoid using it and update existing code if possible; see the compatibility table at the bottom of this page to guide your decision. Be aware that this feature may cease to work at any time."

L10N

2018-01-07 09:49

reporter   ~0005572

Alternatives to <keygen>:
https://w3ctag.github.io/client-certificates/
https://w3ctag.github.io/client-certificates/

Other discussions about alternatives:
https://stackoverflow.com/questions/36350954/html-keygen-alternative-generating-key-pair-in-browser
https://security.stackexchange.com/questions/106257/alternatives-to-htmls-deprecated-keygen-for-client-certs

Further readings:
https://lists.w3.org/Archives/Public/www-tag/2015Sep/0000.html
https://groups.google.com/a/chromium.org/forum/#!topic/security-dev/pX5NbX0Xack

gukk_devel

2018-01-14 15:03

reporter   ~0005574

https://developer.mozilla.org/de/docs/Web/HTML/Element/keygen
https://productforums.google.com/forum/#%21topic/chrome/FGU6TvIgPY0;context-place=forum/chrome
https://support.comodo.com/index.php?/Knowledgebase/Article/View/475/0/which-browser-can-i-use-to-signup-for-a-email-certificate

bjantzen

2018-01-14 17:40

reporter   ~0005575

Generating keys still works for me with
Firefox 57.0.4 (64-Bit, Linux) installed in openSUSE Leap 42.3.

L10N

2018-02-10 10:05

reporter   ~0005576

On Fri, 2 Feb 2018 10:29:41 +1100, Peter Yuill <peter AT NO SPAM c.o.> wrote at CAcert Board List:
I went through the process of generating keys and CSR in openssl then
submitting CSR through the advanced section of “New Certificate” and it
worked perfectly for me (using current Firefox). I have to say it is not a
simple solution and it certainly requires a much higher level of technical
skill than the browser solution, but it does work.

I did some research on possible tools to simplify the process and I have a
proposal. As far as I can see the browser route is dead, so we need to look
elsewhere. I am looking at the possibility of a desktop app that would
generate keys and CSR then connect to the cacert.org <http://cacert.org/>
site through a screen scrape library to submit the CSR and store the
certificate back in a local keystone. The one extra step required is to
import the certificate into browsers/mail clients, which should not be
difficult for most people. I am starting work on a cross-platform proof of
concept which I hope to be able to demonstrate in a few weeks.

Issue History

Date Modified Username Field Change
2016-10-03 17:31 Wiesshund New Issue
2016-12-24 19:29 L10N Note Added: 0005529
2016-12-28 10:43 L10N Note Added: 0005534
2016-12-28 10:44 L10N Priority normal => high
2016-12-28 10:44 L10N OS Windows 10 Pro 64bit => Windows 10 Pro 64bit, Ubuntu
2016-12-28 10:44 L10N Platform PC Windows 10, IE11 Chrome and F => PC Windows 10, IE11 Chrome Firef
2018-01-07 08:41 L10N Note Added: 0005569
2018-01-07 08:43 L10N Note Added: 0005570
2018-01-07 09:00 L10N File Added: keygen.png
2018-01-07 09:03 L10N Note Added: 0005571
2018-01-07 09:49 L10N Note Added: 0005572
2018-01-07 09:50 L10N Priority high => urgent
2018-01-07 09:50 L10N Status new => confirmed
2018-01-14 15:03 gukk_devel Note Added: 0005574
2018-01-14 17:40 bjantzen Note Added: 0005575
2018-02-10 10:05 L10N Note Added: 0005576
2018-02-10 10:06 L10N Tag Attached: certificates
2018-02-10 10:06 L10N Tag Attached: browser
2018-02-10 10:06 L10N Tag Attached: html