1.3.2.4 Netscape KEYGEN Tag

The Netscape browsers implement their own store mechanism for certificates and keys and have their own enrollment request syntax, using HTTP and HTML.

Figure 1: Netscape enrollment

The Windows Client Certificate Enrollment Protocol supports Netscape enrollment, as shown in the preceding figure. The impact on the protocol defined in this specification is that structures defined in "Netscape Extensions for User Key Generation Communicator 4.0 Version" are supported as certificate requests. For more information, see [HTMLQ-keygen].

The process is:

  1. The client machine's (Netscape) browser connects to a web page served by a web server that serves as a registration authority (RA).

  2. The web page delivered by the web server to the client includes the <KEYGEN> tag. For more information, see [HTMLQ-keygen].

  3. In response to the <KEYGEN> tag, the browser generates a public-private key pair and builds a certificate enrollment request in a format defined by Netscape.

  4. This request is delivered back to the web server with additional parameters.

  5. The web server takes those parameters, builds a new request, and sends it to the CA using the WCCE protocol, noting in the call that its parameters are in Netscape format (for more information, see sections 2.2.2.6.4 and 3.1.1.4.3.1.4).

  6. The CA returns a certificate in response to that request to the RA (for more information, see section 3.2.2.6.2.1.4).

  7. The RA returns the certificate issued in step 6 to the Netscape browser over HTTP.

Note: Only steps 5 and 6 are specified in this document.
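As an added example (not part of the MS-WCCE specification, and not Netscape or Windows code), the following Go program shows both ends of the Netscape-format exchange described above: what the browser produces in response to the <KEYGEN> tag, and the checks an RA should make on that request before it builds the WCCE request for the CA. The request format is the SignedPublicKeyAndChallenge (SPKAC) structure the keygen element emits. The challenge string, the sha256WithRSAEncryption algorithm choice and the 2048-bit minimum are assumptions made for this example, not values taken from the page.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
)

// publicKeyAndChallenge mirrors the ASN.1 PublicKeyAndChallenge built by the
// <KEYGEN> tag: the new SubjectPublicKeyInfo followed by the challenge string
// the RA placed in the tag's CHALLENGE attribute.
type publicKeyAndChallenge struct {
	Raw       asn1.RawContent // exact DER of this SEQUENCE as received: the signed bytes
	SPKI      asn1.RawValue   // SubjectPublicKeyInfo, kept as DER for x509.ParsePKIXPublicKey
	Challenge string          `asn1:"ia5"`
}

// signedPublicKeyAndChallenge mirrors SignedPublicKeyAndChallenge (SPKAC).
type signedPublicKeyAndChallenge struct {
	PKAC               publicKeyAndChallenge
	SignatureAlgorithm pkix.AlgorithmIdentifier
	Signature          asn1.BitString
}

// sha256WithRSAEncryption: an assumption for this example (Netscape-era browsers used MD5).
var oidSHA256WithRSA = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 11}

// buildSPKAC plays the browser's part: it signs the freshly generated public key
// together with the RA's challenge using the matching private key.
func buildSPKAC(priv *rsa.PrivateKey, challenge string) ([]byte, error) {
	spkiDER, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		return nil, err
	}
	pkac := publicKeyAndChallenge{SPKI: asn1.RawValue{FullBytes: spkiDER}, Challenge: challenge}
	tbs, err := asn1.Marshal(pkac) // Raw is empty here, so the fields are encoded
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(tbs)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return nil, err
	}
	return asn1.Marshal(signedPublicKeyAndChallenge{
		PKAC:               pkac,
		SignatureAlgorithm: pkix.AlgorithmIdentifier{Algorithm: oidSHA256WithRSA, Parameters: asn1.NullRawValue},
		Signature:          asn1.BitString{Bytes: sig, BitLength: len(sig) * 8},
	})
}

// verifySPKAC plays the RA's part before it calls the CA: parse the request, confirm the
// challenge is the one this RA issued for the session (blocks replayed requests), check the
// proof-of-possession signature, and enforce a minimum key size.
func verifySPKAC(der []byte, expectedChallenge string, minBits int) (*rsa.PublicKey, error) {
	var spkac signedPublicKeyAndChallenge
	rest, err := asn1.Unmarshal(der, &spkac)
	if err != nil {
		return nil, fmt.Errorf("malformed SPKAC: %w", err)
	}
	if len(rest) != 0 {
		return nil, errors.New("trailing bytes after SPKAC")
	}
	if spkac.PKAC.Challenge != expectedChallenge {
		return nil, errors.New("challenge mismatch: request was not produced for this session")
	}
	if !spkac.SignatureAlgorithm.Algorithm.Equal(oidSHA256WithRSA) {
		return nil, errors.New("unsupported signature algorithm")
	}
	pubAny, err := x509.ParsePKIXPublicKey(spkac.PKAC.SPKI.FullBytes)
	if err != nil {
		return nil, fmt.Errorf("bad SubjectPublicKeyInfo: %w", err)
	}
	pub, ok := pubAny.(*rsa.PublicKey)
	if !ok {
		return nil, errors.New("only RSA keys are accepted by this RA")
	}
	if pub.N.BitLen() < minBits {
		return nil, fmt.Errorf("key too small: %d bits", pub.N.BitLen())
	}
	// Verify over the exact PublicKeyAndChallenge bytes received, not a re-encoding.
	digest := sha256.Sum256(spkac.PKAC.Raw)
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], spkac.Signature.RightAlign()); err != nil {
		return nil, errors.New("proof-of-possession signature invalid")
	}
	return pub, nil
}

func main() {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	challenge := "constructed-challenge-0001" // constructed value the RA would embed in <KEYGEN CHALLENGE=...>
	der, err := buildSPKAC(priv, challenge)
	if err != nil {
		panic(err)
	}
	if _, err := verifySPKAC(der, challenge, 2048); err != nil {
		fmt.Println("unexpected:", err)
	} else {
		fmt.Println("SPKAC accepted; the RA may now build the WCCE request for the CA")
	}
	// The same request presented against another session's challenge is rejected.
	_, err = verifySPKAC(der, "some-other-session", 2048)
	fmt.Println("replayed request:", err)
}
```

The RA-side check matters because, in the flow above, the RA is the party that turns the browser's request into a WCCE call: anything it forwards unverified is issued by the CA under the RA's authority, so the challenge comparison and the signature check are what tie the issued certificate to a key whose holder actually took part in this enrollment session.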