IBM (now HCL) Domino has long had a complete procedure for issuing X.509 client certificates as a login option for its web server.
Back in 2010-ish it worked fine in both Firefox and Internet Explorer.
The process has 4 steps:
- Acceptance of the root certificate / CA (usually self-signed by Domino)
- Request of a client certificate: the private key goes into the local certificate store and the public key is sent to the server
- Domino internally issues the certificate and inserts it into the user's credentials on the server
- The certificate is sent to the user and installed manually, together with the local private key
But time has passed and browser support for this solution has declined.
The problem that has emerged over time is step 2 of the process.
Browsers have handled it worse and worse, for various reasons:
- Firefox used the HTML KEYGEN tag, which is no longer supported (so it is gone)
- IE has been using XEnroll and CertEnroll (still working, but IE is on the way out)
- Chrome doesn't work
- Edge has no access to XEnroll/CertEnroll and does not work
I know that nowadays there are much better login methods via SAML, IdP, OTP, etc.
But this is what is in place now and will hopefully work for a few more years before it has to be completely replaced.
As it is now, with IE as the only option, customers are dropping IE because it will soon lack support from MS.
I hope that someone can suggest some type of API or JavaScript that can replace key-pair generation the way KEYGEN and XEnroll/CertEnroll did before, i.e. store the private key locally and send the public key to the web server.
In this way, most of the solutions could run a little longer while new solutions are built.
With the right solution, it might even be less dependent on the user's browser.