Issue 148: browser does not send valid certification requests for creating SSL client certificates
Product Version : <see about:version>
URLs (if applicable) : https://www.myopenid.com/settings_authentication
Other browsers tested:
Add OK or FAIL after other browsers where you have tested this issue:
Safari 3:
Firefox 3: OK
IE 7:

What steps will reproduce the problem?
1. Log in to MyOpenID.com
2. Go to the "Authentication Settings" page
3. Type a name into the "Name" field under "Add an SSL Client Certificate"
4. Click "Create Certificate"
5. MyOpenID responds, "An error occurred while processing your request: Your browser did not send us a valid certificate request"

What is the expected result?
What happens instead?
Please provide any additional information below. Attach a screenshot if possible.
Sep 03, 2008
The issue here is that Chrome doesn't support the Netscape "keygen" element.
Sep 04, 2008
(No comment was entered for this change.)
Cc: w...@chromium.org
Sep 15, 2008
I believe that to make this work, in addition to supporting the keygen HTML element for creating the cert request, Chrome also needs to process the responses that come back in an application/x-x509-user-cert MIME type and application/x-x509-ca-cert MIME type and install and associate the returned certs with the generated key. Not sure if it is handling this already or not.
Sep 29, 2008
(No comment was entered for this change.)
Labels: -area-unknown Area-Misc
Nov 14, 2008
Changing to feature request, since documentation would suggest that this is a somewhat proprietary tag.
Labels: -Type-Bug -Pri-2 -Area-Misc Type-Feature Pri-3 Area-WebKit
Nov 14, 2008
(No comment was entered for this change.)
Status: Untriaged
Nov 16, 2008
From <b/802185>, wtc says: We still need to implement the WebCore::signedPublicKeyAndChallengeString function to fully support the keygen tag. It doesn't look like this is implemented in WebCore/platform/win. wtc, do you think we should implement this upstream or in Chromium (ie, is this a PLATFORM(WIN) or PLATFORM(CHROMIUM) issue)?
Status: Available
Owner: ---
Labels: Mstone-X
Nov 17, 2008
I suspect that we should implement WebCore::signedPublicKeyAndChallengeString in Chromium, i.e., this is a PLATFORM(CHROMIUM) issue.
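As an added example (not code from this thread or from Chromium), the sketch below builds the SignedPublicKeyAndChallenge blob that a `<keygen>` form field submits, which is what the comments above say `signedPublicKeyAndChallengeString` must produce, and then runs the kind of validation a server performs on it. It assumes Node.js; `makeSpkac`, `checkSpkac` and `demo` are hypothetical names, and SHA-256 with RSA is an assumed signature algorithm.

```javascript
// Added example (not Chromium or MyOpenID code); keys and challenges are constructed.
const nodeCrypto = require('crypto');

// Minimal DER TLV encoder; lengths below 65536 are enough here.
function der(tag, body) {
  const n = body.length;
  const hdr = n < 0x80 ? [tag, n] : n < 0x100 ? [tag, 0x81, n] : [tag, 0x82, n >> 8, n & 0xff];
  return Buffer.concat([Buffer.from(hdr), body]);
}

// AlgorithmIdentifier: sha256WithRSAEncryption (1.2.840.113549.1.1.11), NULL parameters.
const SHA256_RSA = Buffer.from('300d06092a864886f70d01010b0500', 'hex');

// Browser side: SignedPublicKeyAndChallenge ::= SEQUENCE {
//   SEQUENCE { spki, challenge IA5String }, signatureAlgorithm, signature BIT STRING }
function makeSpkac(keys, challenge) {
  const spki = keys.publicKey.export({ type: 'spki', format: 'der' });
  const pkac = der(0x30, Buffer.concat([spki, der(0x16, Buffer.from(challenge, 'latin1'))]));
  const sig = nodeCrypto.sign('sha256', pkac, keys.privateKey);
  const sigBits = der(0x03, Buffer.concat([Buffer.from([0]), sig]));
  return der(0x30, Buffer.concat([pkac, SHA256_RSA, sigBits])).toString('base64');
}

// Server side: reject a missing field, a bad self-signature, or a stale challenge.
function checkSpkac(spkacB64, expectedChallenge) {
  if (!spkacB64) return 'missing SPKAC (browser ignored <keygen>)';
  const blob = Buffer.from(spkacB64);
  if (!nodeCrypto.Certificate.verifySpkac(blob)) return 'invalid signature';
  const got = nodeCrypto.Certificate.exportChallenge(blob).toString('latin1');
  return got === expectedChallenge ? 'ok' : 'challenge mismatch';
}

function demo() {
  const keys = nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const good = makeSpkac(keys, 'constructed-challenge-1');
  const raw = Buffer.from(good, 'base64');
  raw[raw.length - 1] ^= 0x01; // corrupt the last signature byte
  return {
    valid: checkSpkac(good, 'constructed-challenge-1'),
    replayed: checkSpkac(good, 'constructed-challenge-2'),
    tampered: checkSpkac(raw.toString('base64'), 'constructed-challenge-1'),
    absent: checkSpkac('', 'constructed-challenge-1'),
  };
}

console.log(demo());
```

The signature only proves possession of the private key; binding the request to one enrollment session depends on the server comparing the embedded challenge with the value it issued.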
Jul 13, 2009
I'm going to use this bug to track certificate enrollment, even though we may use Xenroll.dll or CertEnroll.dll rather than the keygen tag on Windows.
Jul 20, 2009
Is this being worked on at the moment?
Jul 23, 2009
I would like this to get worked on too please, nothing sucks more than having to change to another browser just to do my online banking @ skandiabanken :(
Jul 23, 2009
@perlmaniac: Hear, hear! (Just had to say it - it is the _precise_ problem I have too!)
Jul 29, 2009
barhom: I am not working on this right now.

perlmaniac, stolsvik: you only need to change to Internet Explorer to enroll for a certificate. Once you have a certificate, you can change back to Chromium (a Dev channel release, see the webpage below) to do your online banking at skandiabanken, until the certificate expires.

I will keep the current status of SSL client authentication and certificate enrollment in Chromium up to date in this webpage: http://dev.chromium.org/developers/design-documents/ssl-client-authentication
Sep 21, 2009
What's the status on this?
Sep 21, 2009
I would also appreciate this. I believe that MIT uses this for students' personal certificates, greatly limiting the viability of Chrome on campus.
Sep 21, 2009
It's inconvenient for MIT students but now that we can get certificates with Firefox and import them into Chrome it's not nearly as bad as it used to be.
Sep 21, 2009
@melink14: And how do you do that, exactly? A link would be helpful. Thx.
Sep 21, 2009
I don't have a link, but I can try to explain the process in detail here:
1. Use Firefox to get a certificate. I assume people know how to do this.
2. Export the certificate to a file. It's not too hard, but the following has instructions that should help if anyone gets stuck: http://www.globalsign.com/support/faq/misc/16.html
3. Import the certificate into Chrome. If you go to "Under the hood" then "Manage Certificates" there should be an option for importing certificates.

I can't verify this but I think if you have a certificate in IE then it should automagically work in Chrome as they both use the OS certificate manager. The manual import method definitely works so good luck. Also, this is only for Windows. The Mac client at least has 0 support for certs as of now. I heard there were problems in Linux as well.
Sep 21, 2009
Just to confirm, if the certificates are installed in IE, it automatically works in Chrome. I've been telling my classmates at MIT to use this method.
Sep 21, 2009
sean.y.liu: That's correct. I just added the workaround you described to http://dev.chromium.org/developers/design-documents/ssl-client-authentication
Oct 14, 2009
Responding to Comment 5 by laforge@chromium.org ("documentation would suggest that
this is a somewhat proprietary tag"):
"keygen" may have been initially authored by Netscape, but it is definitely the only
open, widely-implemented standard. It is in draft HTML 5:
http://www.whatwg.org/specs/web-apps/current-work/#the-keygen-element
And from "the documentation" itself, it has been supported by Opera, Safari, and of
course Firefox for some time:
https://developer.mozilla.org/En/HTML/HTML_Extensions/KEYGEN_Tag#Browser_compatibility
So, in response to Comment 10 by wtc@chromium.org ("even though we may use
Xenroll.dll or CertEnroll.dll rather than the keygen tag on Windows"):
I'd encourage you to seriously consider a keygen approach before investing
architecting/coding effort in these proprietary and mutually-incompatible methods,
that are difficult at best to implement on non-MS servers.
Oct 14, 2009
arthurp: thanks for your comment. Gaurav just wrote a changelist that implements the <keygen> tag for Linux: http://codereview.chromium.org/261035 To add support for the <keygen> tag on Mac and Linux, only the KeygenHandler and CertDatabase classes in that changelist need to be ported.
Status: Started
Owner: gaura...@chromium.org
Oct 23, 2009
The following revision refers to this bug:
http://src.chromium.org/viewvc/chrome?view=rev&revision=29900
------------------------------------------------------------------------
r29900 | wtc@chromium.org | 2009-10-23 09:58:37 -0700 (Fri, 23 Oct 2009) | 12 lines
Changed paths:
M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/browser/renderer_host/buffered_resource_handler.cc?r1=29900&r2=29899
M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/browser/renderer_host/resource_message_filter.cc?r1=29900&r2=29899
M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/browser/renderer_host/resource_message_filter.h?r1=29900&r2=29899
A http://src.chromium.org/viewvc/chrome/trunk/src/chrome/browser/renderer_host/x509_user_cert_resource_handler.cc
A http://src.chromium.org/viewvc/chrome/trunk/src/chrome/browser/renderer_host/x509_user_cert_resource_handler.h
M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/chrome.gyp?r1=29900&r2=29899
M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/common/render_messages_internal.h?r1=29900&r2=29899
M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/renderer/renderer_webkitclient_impl.cc?r1=29900&r2=29899
M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/renderer/renderer_webkitclient_impl.h?r1=29900&r2=29899
A http://src.chromium.org/viewvc/chrome/trunk/src/net/base/cert_database.h
A http://src.chromium.org/viewvc/chrome/trunk/src/net/base/cert_database_mac.cc
A http://src.chromium.org/viewvc/chrome/trunk/src/net/base/cert_database_nss.cc
A http://src.chromium.org/viewvc/chrome/trunk/src/net/base/cert_database_win.cc
A http://src.chromium.org/viewvc/chrome/trunk/src/net/base/keygen_handler.h
A http://src.chromium.org/viewvc/chrome/trunk/src/net/base/keygen_handler_mac.cc
A http://src.chromium.org/viewvc/chrome/trunk/src/net/base/keygen_handler_nss.cc
A http://src.chromium.org/viewvc/chrome/trunk/src/net/base/keygen_handler_win.cc
M http://src.chromium.org/viewvc/chrome/trunk/src/net/base/mime_util.cc?r1=29900&r2=29899
M http://src.chromium.org/viewvc/chrome/trunk/src/net/net.gyp?r1=29900&r2=29899
M http://src.chromium.org/viewvc/chrome/trunk/src/webkit/api/public/WebKitClient.h?r1=29900&r2=29899
M http://src.chromium.org/viewvc/chrome/trunk/src/webkit/api/src/ChromiumBridge.cpp?r1=29900&r2=29899
M http://src.chromium.org/viewvc/chrome/trunk/src/webkit/glue/webkitclient_impl.cc?r1=29900&r2=29899
M http://src.chromium.org/viewvc/chrome/trunk/src/webkit/glue/webkitclient_impl.h?r1=29900&r2=29899
Adds support for the <keygen> tag for client certificate enrollment
under Linux. Currently, no notifications are given to the user that the
certificate was successfully enrolled.
Patch by Gaurav Shah <gauravsh@chromium.org> of Google.
Original review URL: http://codereview.chromium.org/261035
BUG=148
TEST=Can test on the following sites:
http://foaf.me/simple_KEYGEN_CreateClientCertificate.php
http://www.myopenid.com
Review URL: http://codereview.chromium.org/271112
------------------------------------------------------------------------
Nov 08, 2009
Any further progress here?
Nov 09, 2009
Please add this feature as soon as possible!
Dec 08 (40 hours ago)
By the way, the keygen tag is part of HTML5 now. http://www.whatwg.org/specs/web-apps/current-work/multipage/the-button-element.html#the-keygen-element

And yes, please do add keygen and client side certificate support! This would be dead cool!

By the way, if you want to make a big contribution to User Interface improvements for Client side certificates, see my blog post "Identity in the Browser, Firefox style" http://blogs.sun.com/bblfish/entry/identity_in_the_browser_firefox

That is, if you can add to the menu bar the CN of the SSL connection one is logged into the site as (and if there are more, it would have to be a menu), the user could get a much better idea of his relation to a web site.
Dec 08 (40 hours ago)
I added a client cert related User Interface bug report here http://code.google.com/p/chromium/issues/detail?id=29784 that could nicely complement introduction of client side certificate support in Chrome.