IBM Security Verify

  • 1.  Are there fixes for PKI HTTPD generate certificate?

    IBM Champion
    Posted Sat November 27, 2021 12:13 PM
    If I use the HTTPD service to try to generate a certificate I get


    With no opportunity to select a key size

    If I click on Submit certificate request, I get

    IKYI003I PKI Services CGI error in careq.rexx: PublicKey is a required field.
    Please use back button to try again or report the problem to admin person.

    There was no field displayed to enter a public key.

    I am on Ubuntu with Chromium, with z/OS 2.4

    ------------------------------
    Colin Paice
    ------------------------------


  • 2.  RE: Are there fixes for PKI HTTPD generate certificate?

    IBM Champion
    Posted Wed December 01, 2021 06:16 AM
    I notice that <KEYGEN.. > is used, which is a deprecated tag. On Chromium it does not do anything.

    https://developer.mozilla.org/en-US/docs/Web/HTML/Element/keygen
    says

    Deprecated: This feature is no longer recommended. Though some browsers might still support it, it may have already been removed from the relevant web standards, may be in the process of being dropped, or may only be kept for compatibility purposes. Avoid using it, and update existing code if possible; see the compatibility table at the bottom of this page to guide your decision. Be aware that this feature may cease to work at any time.

    and I found

    Deprecation of Keygen Tag in Chrome/Chromium Browsers

    Solution

    Beginning with version 49 of Chromium the keygen tag has been disabled by default, preventing generation of keypairs in the browser.




    I also get

    catmpl.rexx?Template=1-Year+PKI+SSL+Browser+Certificate:33 Uncaught ReferenceError: LoadCSPs is not defined
    at init (catmpl.rexx?Template=1-Year+PKI+SSL+Browser+Certificate:33)

    ------------------------------
    Colin Paice
    ------------------------------



  • 3.  RE: Are there fixes for PKI HTTPD generate certificate?

    IBM Champion
    Posted Wed December 01, 2021 07:07 AM

    I found OA62152: PKI SERVICES BOOK UPDATES FOR MOZILLA <KEYGEN> TAG REMOVAL
    This applies to Chromium as well.  

    Using 1-Year PKI Generated Key Certificate seems to work.



    ------------------------------
    Colin Paice
    ------------------------------



  • 4.  RE: Are there fixes for PKI HTTPD generate certificate?

    Posted Thu December 02, 2021 10:09 AM
    Colin,

    As indicated in the PKI publication, we only claim we support IE and Mozilla browsers, although you may find there are other browsers that will work too. 
    I believe Chrome and Mozilla share some common source code.

    ------------------------------
    Wai Choi
    ------------------------------



  • 5.  RE: Are there fixes for PKI HTTPD generate certificate?

    IBM Champion
    Posted Thu December 02, 2021 04:18 PM
    Hi Wai Choi,

    On Ubuntu, with both Chromium and Firefox

    <keygen name="name" challenge="challenge string" keytype="type"
            keyparams="pqg-params">
    
    does not display anything.

    I copied that example from the official documentation, which says it was deprecated (in 2017?).

    I cannot run Internet Explorer because I am on Linux.


    regards

    Colin

    ------------------------------
    Colin Paice
    ------------------------------



  • 6.  RE: Are there fixes for PKI HTTPD generate certificate?

    Posted Thu December 02, 2021 05:48 PM
    Colin,

    Then the only choices are letting PKI generate the key pair, or supplying a CSR. I hope these two choices are acceptable alternatives for you.

    ------------------------------
    Wai Choi
    ------------------------------
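The "supplying a CSR" option above moves key generation out of the browser, so the key size that the `<keygen>` form never offered is chosen on the client and the private key stays there. The following is an added example, not part of the thread or of IBM's documentation, using the OpenSSL command line; the subject name, file names and 2048-bit key size are constructed placeholders.

```shell
#!/bin/sh
# Added example: build a PKCS#10 certificate request (CSR) locally.
# Subject, file names and key size are constructed placeholders.

make_csr() {
    # $1 = RSA key size in bits, $2 = subject DN, $3 = output directory
    # The subshell keeps the restrictive umask from leaking into the caller.
    (
        umask 077   # private key file readable by its owner only
        # -nodes leaves the key unencrypted so the example runs unattended;
        # drop it to be prompted for a passphrase.
        openssl req -new -newkey "rsa:$1" -nodes -sha256 \
            -keyout "$3/client.key" -out "$3/client.csr" \
            -subj "$2" 2>/dev/null
    )
}

check_csr() {
    # $1 = CSR file, $2 = expected key size in bits
    # Succeeds only if the request's self-signature verifies (proof that the
    # requester holds the private key) and the public key has the expected size.
    openssl req -in "$1" -noout -verify 2>&1 | grep -q "verify OK" || return 1
    openssl req -in "$1" -noout -text | grep -Fq "Public-Key: ($2 bit)"
}

work=$(mktemp -d)
make_csr 2048 "/O=Example Org/CN=Constructed Test User" "$work" \
    && check_csr "$work/client.csr" 2048 \
    && echo "CSR ready to submit: $work/client.csr"
```

Only `client.csr` is submitted to the CA; `client.key` never leaves the machine that generated it.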



  • 7.  RE: Are there fixes for PKI HTTPD generate certificate?

    IBM Champion
    Posted Fri December 03, 2021 03:36 AM
    Hi Wai Choi,

    I do not need a solution; I'm doing this work for people in general. Once I've finished, I'll move on to a different project.
    You might want to update the documentation, and perhaps remove the browser certificates from the list of certificate options.

    I guess that as no one has spotted this problem, not many people are using this function (from Linux), so it may not be an urgent problem (grin).

    Colin

    ------------------------------
    Colin Paice
    ------------------------------



  • 8.  RE: Are there fixes for PKI HTTPD generate certificate?

    Posted Fri December 03, 2021 05:18 PM
    Colin,

    We have considered the removal of the browser templates. But decided not to do it as there may be customers whose browser versions can still work.

    ------------------------------
    Wai Choi
    ------------------------------