Question

I want to authenticate users with X.509 certificates to my web site.

I can generate an RSA key pair with the keygen element of HTML, and then send the SignedPublicKeyAndChallenge structure to the server. The server can then check and sign the public key and generate an X.509 certificate for that key, for the client.

Now, when I signed up at StartSSL, the HTML pages there installed the certificate into my browser’s store without me doing more than clicking a button and I want to do the same. How do I go about that? Send the certificate with a certain Content-Type? Do it with client-side scripting? How does the browser know it’s supposed to install a client certificate?

I know I can tell the user to install it manually, but if it can be automated, then I want to make it so.


Solution

You want to return the signed certificate file with the application/x-x509-user-cert MIME type. The browser should then offer to download or install that client credential.

For further reading, see https://pki-tutorial.readthedocs.org/en/latest/mime.html.

I am working on a very similar application for my own websites.
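
The response described in the answer, as an added example that is not part of the original post: a WSGI handler that takes the posted keygen form and returns the issued certificate with the `application/x-x509-user-cert` type. Assumptions: the form field is named `spkac`, the certificate is sent as DER, and `issue_cert` is a hypothetical callable standing in for your CA step (verify the challenge, sign, return PEM or DER).

```python
import ssl
from urllib.parse import parse_qs

USER_CERT_MIME = "application/x-x509-user-cert"  # MIME type from the answer
PEM_HEADER = b"-----BEGIN CERTIFICATE-----"


def to_der(cert: bytes) -> bytes:
    """Normalize a PEM or DER certificate to DER bytes."""
    if cert.lstrip().startswith(PEM_HEADER):
        cert = ssl.PEM_cert_to_DER_cert(cert.decode("ascii").strip())
    # A DER certificate is an ASN.1 SEQUENCE, so its first byte is 0x30.
    if not cert or cert[0] != 0x30:
        raise ValueError("issuer did not return an X.509 certificate")
    return cert


def make_app(issue_cert, field="spkac"):
    """Build the WSGI app. issue_cert(spkac: str) -> bytes is the CA step
    (hypothetical: supplied by the caller, not defined by the page)."""

    def app(environ, start_response):
        # Only the keygen form submission should trigger issuance.
        if environ.get("REQUEST_METHOD") != "POST":
            start_response("405 Method Not Allowed", [("Allow", "POST")])
            return [b""]
        size = int(environ.get("CONTENT_LENGTH") or 0)
        raw = environ["wsgi.input"].read(size).decode("ascii", "replace")
        spkac = parse_qs(raw).get(field, [""])[0]
        try:
            if not spkac:
                raise ValueError("missing SPKAC field")
            der = to_der(issue_cert(spkac))
        except ValueError as exc:
            body = str(exc).encode()
            start_response("400 Bad Request", [
                ("Content-Type", "text/plain"),
                ("Content-Length", str(len(body)))])
            return [body]
        # The Content-Type is what makes the browser treat the body
        # as a client certificate for the key it just generated.
        start_response("200 OK", [
            ("Content-Type", USER_CERT_MIME),
            ("Content-Length", str(len(der))),
            ("Cache-Control", "no-store")])
        return [der]

    return app
```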

Licensed under: CC-BY-SA with attribution