This project provides an alternative way to create Certificate Signing Requests. It is a sister project to expect-dialog-ca. The optimal way for a CA to endow someone with a digital identity is to take a Certificate Signing Request (CSR) and generate a digital certificate for it. The user then combines the certificate with their private key and as a result has a digital identity.
Many enrollment processes nowadays work differently: the CA creates both the private key and the public key and somehow sends them, together with the certificate, to the end user. But that means the private key is no longer private: the CA must know the password used to secure the private key, both for creating the CSR and of course for handing it to the end user.
It would be best if the private key stayed with the end user. That, however, means the end user must be able to create the private key and the CSR without any hassle, because otherwise acceptance would suffer.
There are some (in fact: many) web portals offering the creation of CSRs along with private keys by filling in a small form with the needed information. This seems alluring, but it also means that the private key is not really private: either the password for the private key has to be sent over the internet, or the private key is created without any password protection. Both alternatives are (in my opinion) equally bad.
These are the reasons for the inception of this project: a small application that can be executed locally. It works in two phases (the second one being optional), consisting of the following steps:
- Loading an OpenSSL configuration for the kind of certificate to be obtained
- Presenting a form to the user asking the needed information according to this configuration
- Creating a private key and a CSR
- Saving public and private keys and CSR in a Zip archive
- Opening the system's mail application with the CSR as mail body, to be sent to the CA
The second phase begins once the CA has sent the certificate back:
- Combining the public and private key with the certificate to create a digital identity in the form of a PKCS#12 container.
The form presented to the user asks for the individual RDNs that make up the certificate's subject name. Currently, the following RDNs are supported, if present in the configuration file in use:
- CountryName
- StateOrProvince
- Locality
- Organization
- OrganizationalUnit
- SurName
- SerialNumber
- StreetAddress
- Title
- GivenName
- UserID
- DomainComponent
- CommonName
- EMailAddress
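The two phases described above, carried out with the openssl command line as an added example (this is not the project's own code): a request configuration with some of the supported RDNs, a passphrase-protected key plus CSR generated locally, and the PKCS#12 bundle once the certificate is back. The working directory, subject values and passphrase are constructed samples; only request.csr is meant to leave the machine.

```shell
#!/usr/bin/env bash
# Added example, not part of the project: both phases done with the openssl CLI.
# The private key is created locally and passphrase-protected; it is never sent.
set -eu
WORK="${WORK:-$(mktemp -d)}"   # constructed sample working directory

# Phase 1, step 1: an OpenSSL request configuration with the subject RDNs
# (short names for a subset of the RDNs listed above). prompt = no means the
# values come from this file, which is what a filled-in form would produce.
cat > "$WORK/csr.cnf" <<'EOF'
[ req ]
prompt             = no
distinguished_name = dn

[ dn ]
C            = DE
ST           = Bavaria
L            = Munich
O            = Example Org
OU           = IT
GN           = Jane
SN           = Doe
CN           = Jane Doe
emailAddress = jane.doe@example.org
EOF

# Phase 1, step 3: passphrase-protected RSA key, then a CSR signed with it.
# $1 = passphrase (entered locally; it is never transmitted to the CA)
make_csr() {
  openssl genrsa -aes256 -passout pass:"$1" -out "$WORK/key.pem" 2048 2>/dev/null
  openssl req -new -config "$WORK/csr.cnf" -key "$WORK/key.pem" \
      -passin pass:"$1" -out "$WORK/request.csr"
  # sanity check before mailing: the CSR's self-signature must verify
  openssl req -in "$WORK/request.csr" -noout -verify >/dev/null 2>&1
}

# The subject exactly as the CA will see it (worth a look before sending).
csr_subject() { openssl req -in "$WORK/request.csr" -noout -subject; }

# Phase 2: bundle the certificate returned by the CA with the local key into a
# PKCS#12 identity. $1 = key passphrase, $2 = certificate file from the CA.
make_p12() {
  openssl pkcs12 -export -inkey "$WORK/key.pem" -passin pass:"$1" -in "$2" \
      -name "Jane Doe" -out "$WORK/identity.p12" -passout pass:"$1"
}
```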
The project can be built and executed using this command:
mvn compile exec:java
It is possible to create a single jar with all dependencies included that can be distributed to prospective users (provided they have a Java runtime environment installed):
mvn -U package assembly:single
Alternatively, it is possible to distribute the solution along with a bundled runtime environment. This still needs a bit of manual labor at this time. The whole process is described here.