About this add-on
Currently, Mozilla Personal Security Manager (PSM) allows import and export of keys but does not provide a GUI for local key generation. Our KeyManager tool extends the Certificate Manager wizard in Mozilla PSM and adds the capability for key generation and SCEP based certificate enrollment. Our extension enables Mozilla PSM to act as a key management tool. In addition, the tool supports signing of proxy certificates for credential delegation and provides an XUL based GUI for signing of XPI files as well as update manifests.
The KeyManager tool has the following features:
- Generation of keys and X.509 based self-signed certificates
- Generation of PKCS#10 based Certificate Signing Requests (CSR)
- SCEP based certificate enrollment - it enables Firefox to act as a SCEP client. The SCEP client can be invoked from other extensions and XPCOM based components.
- XPI signing (for Mozilla add-ons) and signing of archive files - provides an XUL based GUI for the command-line 'signtool' in Mozilla NSS
- Signing of update manifests using keys associated with a certificate in the browser's certificate DB. You can use this tool as an alternative to Mozilla's McCoy tool.
- Signing of Proxy Certificates (RFC 3820) and other users' certificates
- Signing and verification of Attribute certificates (RFC 3281)
- Exporting of keys and certificates in the following formats: PKCS#7, PKCS#8, PKCS#10, PKCS#12, OpenSSL, and SSH-2
- Backup and synchronization of keys and certificates for OpenSSL based applications (cURL, Globus toolkit, etc.) as well as other Mozilla-NSS based soft-tokens
- Managing keys and signing certificates in Java keystores
For more info:
- Key Manager Tool: http://pubs.research.avayalabs.com/pdfs/ALR-2006-044.pdf
- Use case on on-line proxy certificate signing and credential delegation for Globus Grid based portal: http://pubs.research.avayalabs.com/pdfs/ALR-2007-023.pdf
This tool is intended for software developers working in the area of PKI based security.
The Firefox version of this add-on has been successfully tested on the following x86 based OSes: GNU/Linux (Fedora 8 (x86), Fedora 12 (x86_64)), Windows (XP-SP3), Mac OS X (Snow Leopard).
Note: For Ubuntu, this add-on works only with the Firefox downloaded from the Mozilla site. This add-on may not work with the Firefox that comes with the Ubuntu distribution.
The SCEP client tool is tested with OpenCA, EJBCA and MS-SCEP.
You can think of this tool as an XUL based GUI for the following NSS command line tools: certutil, pk12util, signtool, and crlutil. If you are not really keen on learning these excellent Mozilla-NSS command line tools, you can use this extension to do the same tasks. This extension also borrows from the web interface for the certcgi tool to provide XUL forms for fine-grained control over specifying various certificate extensions.
You can also generate keys and import certificates for hardware tokens (e.g. a smart card), if the smart card and the associated PKCS#11 driver support key generation.
For signing of XPI files for Firefox add-ons or creating digitally signed jar archives containing files and/or code, you must have a code signing certificate. For details, follow the link for signtool on the NSS tools page.
Please install the "KeyManager" extension using a different profile than your default Firefox profile until you are familiar and comfortable with the various features of the tool. To create a new profile:
- On Windows, run
"C:\Program Files\Mozilla Firefox\firefox.exe" /p
- On Linux, run
For more info on architecture and implementation, please review the following document: http://pubs.research.avayalabs.com/pdfs/ALR-2006-044.pdf