We should encode IDN domains with Punycode.

See: https://github.com/bestiejs/punycode.js/

Right now if you fill out host, tab to organization, fill out organization and tab to org unit the results do not automtically get produced, they should.

Previously there was whitespace between these two sections, it is now gone.

Imagine the case where you fill out the form and it generates you a set of results, you now decide to go change the results. Since some results (specifically the Any result) can take a few seconds to be generated with the new options we need to disable all the results before calculating the new values. Otherwise the user may see data in the “form” that is inconsistent with the “results”.

The easiest way to see this is while in Firefox, fill out the form once, set the RSA key size to 8092 and see it can take seconds for the new ANY value to be populated.

We need to remove:

https://freegeoip.net/json/?callback=angular.callbacks._0 p

and switch it to : https://freegeoip.net/json/

It currently uses JSONP which can be abused.

https://github.com/PeculiarVentures/csrhelp/blob/gh-pages/src/csrhelps/freeGeoIPService.js

Error: [$parse:lexerr] http://errors.angularjs.org/1.4.6/$parse/lexerr?p0=Unexpected%20nextharacter%20&p1=s%203-3%20%5B%5E%5D&p2=(%3F%3D%5E.%7B4%2C253%7D%24)(%5E((%3F!-)%5Ba-zA-Z0-9-%5D%7B1%2C63%7D(%3F%3C!-)%5C.)%2B%5Ba-zA-Z%5D%7B2%2C63%7D%5C.%3F%24)
    at Error (native)
    at https://csrhelp.peculiarventures.com/assets/js/angular.min.js:6:416
    at ec.throwError (https://csrhelp.peculiarventures.com/assets/js/angular.min.js:197:475)
    at ec.lex (https://csrhelp.peculiarventures.com/assets/js/angular.min.js:196:340)
    at Object.s.ast (https://csrhelp.peculiarventures.com/assets/js/angular.min.js:201:387)
    at Object.pd.compile (https://csrhelp.peculiarventures.com/assets/js/angular.min.js:211:66)
    at fc.parse (https://csrhelp.peculiarventures.com/assets/js/angular.min.js:237:178)
    at https://csrhelp.peculiarventures.com/assets/js/angular.min.js:117:17
    at n.$watch (https://csrhelp.peculiarventures.com/assets/js/angular.min.js:126:376)
    at link (https://csrhelp.peculiarventures.com/assets/js/angular.min.js:241:33)(anonymous function) @ angular.min.js:107

and

Error: Failed to execute 'btoa' on 'Window': The string to be encoded contains characters outside of the Latin1 range.
    at Error (native)
    at generateReport (https://csrhelp.peculiarventures.com/src/csrhelps/CsrhelpController.js:184:30)
    at https://csrhelp.peculiarventures.com/assets/js/angular-material.min.js:7:9510
    at https://csrhelp.peculiarventures.com/assets/js/angular.min.js:146:38
    at e (https://csrhelp.peculiarventures.com/assets/js/angular.min.js:43:95)
    at https://csrhelp.peculiarventures.com/assets/js/angular.min.js:45:491

An example IP that produces this is this one : https://freegeoip.net/?q=77.40.29.21 it seems to be related to the encoding of the city name.

Since this page generates cryptographic keys, we do not want this web page to take dependencies on third-party hosted content. This content would have a chance of influencing the key generation process.

Right now the page includes a reference to fonts hosted out of the repository, I don’t think there are more but you need to review the dependencies and make sure they reference files that are part of the project (e.g. check in the fonts).

Today there is a IF block that wraps the invocation of each of the command line functions, this looks something like this:

            if ($scope.certificate.algorithm == "ECC") {
                $scope.make_openssl();
                $scope.make_keytool();
                if ($scope.certificate.keysize != "secp521r1")
                    $scope.make_bigip();
                $scope.make_iis();
                $scope.make_any();
            } else {
                $scope.make_openssl();
                $scope.make_exchange2007();
                $scope.make_exchange2010();
                $scope.make_keytool();
                $scope.make_bigip();
                $scope.make_iis();
                $scope.make_any();
            }

This is a “messy” way to ensure that options that are not supported don’t get included in the result set.

A better way would be for each of these functions to always be invoked. The function would then check if they support the options in the result and if so they would produce a example.

Otherwise it would hide its example.

I would do this by having supported_ecc_keysizes and a supported_rsa_keysizes in the beginning of each function. I would have it check that the options are supported and if not hide its example and return

We should probably add a "fork me banner" (https://github.com/blog/273-github-ribbons) and have it link to the repository

@apilguk when we bring on someone new this would be a good project for them.

Would allow them to learn about PKI, React, etc.

In firefox there is no whitespace around boxes:

vs:

Autocomplete the Locality and City State using Google maps (https://gist.github.com/VictorBjelkholm/6687484) ; this may require us to have a server, if we do this we would use node.

Have a visual element on the page that show what the SSL bar would look like based on what information they have provided.

User should not have to specify key length and there should be defaults based on their selection

Yury, people use this as an example for PKIjs; please convert it to PKIjsv2

Previously there was a download key button for the ANY section but it is missing:

If I copy and paste the CSR from Firefox into Notepad, all lines get interleaved with a blank line, so the CSR becomes invalid. With Chrome, it works fine.

When user chooses an Open Corporates match we should set the location based on the selected Jurisdiction.

For example we would look at item.company.jurisdiction_code to get this, for this record
[http://api.opencorporates.com/companies/us_wa/603409910]

We would need to go from the jurisdiction code to the right name:

"jurisdiction_code": "us_wa",

'''The jurisdiction code is the code for the jurisdiction which registered the company. If this is a country it is simply the two-letter ISO code for that country, e.g. Spain = es, United Kingdom = gb. If this is a state or province it is an underscore version of the ISO 3166-2 code for the jurisdiction, eg. Michigan in the US is us_mi.'''

If the user selects the open corporate org then we should clear the location data we do not have also. Otherwise we may create conflicts when the request is recieved by the CA. Basically if Open Corporates is used we should only use it.

But this would ensure the CSR has the right combination of information.

Previously the form would trigger recalculation when you changed a combo box, now you have to leave the combo field before that happens. The prior behavior was better.

Right now the form only supports a single host name provided in the subject CN field.

We can support multiple hostnames using Chips (https://material.angularjs.org/latest/demo/chips). Chips would only be created when the value validates as a host name.

This would look something like this:

https://certsimple.com does something similar to this if you want to see an example.

We would use the following logic:
First domain name goes into the Subject CN
First domain name is used as the file name
If the function (for example the ANY function) does not support multiple domain names and multiple were provided it would hide itself.

OpenSSL

echo [ req ]>host.example.com.cfg
echo prompt=no>>host.example.com.cfg
echo distinguished_name=req_distinguished_name>>host.example.com.cfg
echo req_extensions=req_ext>>host.example.com.cfg
echo [ req_distinguished_name ]>>host.example.com.cfg
echo CN = host.example.com>>host.example.com.cfg
echo [ req_ext ]>>host.example.com.cfg
echo subjectAltName=@alt_names>>host.example.com.cfg
echo [alt_names]>>host.example.com.cfg
echo DNS.1=host1.example.com>>host.example.com.cfg
echo DNS.2=host2.example.com>>host.example.com.cfg
echo DNS.3=host3.example.com>>host.example.com.cfg
openssl req -new -newkey rsa:2048 -nodes -out host.example.com.csr -keyout host.example.com.key -config host.example.com.cfg

F5 BigIP

create sys crypto key host.example.com key-size 2048 gen-csr country “US” state “WA” city “Woodinville” organization “Peculiar Ventures, Inc” ou “Engineering” common-name “host.example.com” subject-alternative-name "DNS:host1.example.com, DNS:host2.example.com"

Java Keytool

keytool -genkey -alias server -keyalg RSA -keysize 2048 -keystore host.example.com.jks -dname "C=US,ST=WA,L=Woodinville,O=Peculiar Ventures, Inc,OU=Engineering,CN=host.example.com" && keytool -certreq -alias server -file host.example.com.csr -keystore host.example.com.jks -ext “SAN=dns:host1.example.com,host2.example.com”

IIS

echo [NewRequest] >csrparams.inf
echo Subject="C=US,ST=WA,L=Woodinville,O=Peculiar Ventures, Inc,OU=Engineering,CN=host.example.com">>csrparams.inf
echo KeySpec=1 >>csrparams.inf
echo KeyLength=2048 >>csrparams.inf
echo Exportable=TRUE >>csrparams.inf
echo MachineKeySet=TRUE >>csrparams.inf
echo SMIME=False >>csrparams.inf
echo PrivateKeyArchive=FALSE >>csrparams.inf
echo UserProtected=FALSE >>csrparams.inf
echo UseExistingKeySet=FALSE >>csrparams.inf
echo ProviderName="Microsoft RSA SChannel Cryptographic Provider" >>csrparams.inf
echo ProviderType=12 >>csrparams.inf
echo RequestType=PKCS10 >>csrparams.inf
echo KeyUsage=0xa0 >>csrparams.inf
echo Silent=TRUE >>csrparams.inf
echo [EnhancedKeyUsageExtension] >>csrparams.inf 
echo OID=1.3.6.1.5.5.7.3.1 >>csrparams.inf
echo [RequestAttributes] >>csrparams.inf
echo SAN=”dns=host.example.com&dns=host1.example.com” >>csrparams.inf
certreq -new csrparams.inf host.example.com.csr

Exchange 2007

New-ExchangeCertificate -GenerateRequest -Path .\host.example.com.csr -KeySize 2048 -SubjectName "cn=host.example.com” -DomainName host1.example.com, host2.example.com  -PrivateKeyExportable $True

Exchange 2010

Set-Content -path ".\host.example.com.csr" -Value (New-ExchangeCertificate -GenerateRequest -KeySize 2048 -SubjectName "cn=host.example.com" -DomainName host1.example.com, host2.example.com -PrivateKeyExportable $True

The Any section generates a PKCS#10 and private key but will only work when WebCrypto is available.

For example if you try to invoice the page over HTTP you will get an alert() saying it failed to invoke WebCrypto. It should not do this and instead it should just not show this section:

But you should not since when you call generate key you get NotSupportedError. You should probably call generate key before you show the “Any” result, then only show it if you do not get the NotSupported Error.

Also some browsers also don’t support ECC (Microsoft Edge for example) so catching this and hiding Any would make the page work well in these cases.

Autocomplete the Organization using Open Corporates (https://opencorporates.com/) like https://certsimple.com/ ; this will likley require having a server, if we do this we would use node.

Minimal dependencies is valuable from a security standpoint.

Each external dependency could be used to attack the page potentially.

We can inline the google font to remove one dependency.

I've used this example https://pkijs.org/examples/PKCS10_complex_example.html to verify the CSR generated by https://csrhelp.peculiarventures.com/
Some generated P-521 CSRs return true, but some false for some reason.

We will be deprecating PKIjs-ES5, we need to switch to the ES6 version for this project.

Right now the logic in the page technically works but it's overly complicated.

The complication comes from the fact that the page calls org.pkijs.getAlgorithmParameters to get a template of JSON then goes on to modify almost every part that is returned based on the options in the form.

Instead appropriate JSON should be created based on the form selection. This would make the code simpler and easier for people to understand.

For RSA the JSON would look something like this:

{
    name: "RSASSA-PKCS1-v1_5",
    modulusLength: 2048,
    publicExponent: new Uint8Array([0x01, 0x00, 0x01]),
    hash: {
        name: "SHA-256"
    }
}

Where modulesLength is set based on $scope.certificate.keysize

For ECDSA it would look something like:

{
    name: "ECDSA",
    namedCurve: "P-256"
}

We are getting a linear progress bar in org unit

When we should instead use the circular bar we already put in the host area of the UI, no reason to have multiple ones in different parts of the form if they dont directly relate to the thing they are showing status of.

On load all results should be hidden but right now they all show with prorgess bar other than IIS and ANY

Right now each time you type a character in the hostname field it checks to see if it is a valid domain or not, if it is a new command line example is generated. This is OK for the “command line” examples but the “Any” example can take a few seconds to work because some browsers (firefox) do not generate keys asynchronously.

To address this we need to make the hostname field work like the other fields. In other words, new command lines (and the ANY example) should only be generated when all required fields have been completed and one of the fields lose focus.

We should add country flags to the open corporates results drop down

Autofill country, region and city with freegeoip https://freegeoip.net or https://ipinfo.io/ or a similar service; this should be doable without a server.

One of the cheapest cert reseller https://gogetssl.com hard-fails on CSRs without subject details (like state). As a result we will need to make state and county mandatory.

Safari doesn’t support exporting public keys in the SPKI format, it seems this shim works around this issue: https://github.com/felix/webcrypto-shim

If we use this the page should work on Safari machines.

It seems that the click event is not firing in firefox for this buttons.

I know this because I added a console.log() to appropriate point and it gets invoked in Chrome but not in Firefox.

And in Chrome I see it logged but in Firefox I do not.

It looks like &order=score we get better results we should use that.

What about the certutil tool? Not included among the options.

Previously there was a progress bar when generating keys, it is gone now:

Key gen can take a while we need the progress bar so people know something is happening. Look at 8092bit key gen as an example.