This is an archived page. It's not actively maintained.


This feature is non-standard and is not on a standards track. Do not use it on production sites facing the Web: it will not work for every user. There may also be large incompatibilities between implementations and the behavior may change in the future.

This feature has been removed from the Web standards. Though some browsers may still support it, it is in the process of being dropped. Avoid using it and update existing code if possible; see the compatibility table at the bottom of this page to guide your decision. Be aware that this feature may cease to work at any time.

Warning: The features mentioned in this article are deleted proprietary Mozilla extensions, and are not supported in any other browser. They won't work in Firefox 34 or later. Use <keygen> or the future Web Crypto API instead.

crmfObject = crypto.generateCRMFRequest("requestedDN", "regToken", "authenticator",
                                        "escrowAuthorityCert", "CRMF Generation Done Code",
                                        keySize1, "keyParams1", "keyGenAlg1",
                                        keySizeN, "keyParamsN", "keyGenAlgN");

This method will generate a sequence of CRMF requests that has N requests. One request for each key pair that is generated. The first three parameters will be applied to every request. The "escrowAuthorityCert" parameter will only be used for requests that pertain to a key that is being escrowed. After the "escrowAuthorityCert" parameter, the method takes some JavaScript code that is invoked when the CRMF request is ready. Finally, there are 1 or more sets of key generation arguments. Each key generation will be associated with its own request. All the requests will have the same DN.

Argument Description
"requestedDN" An RFC 1485 formatted DN to include in the certificate request.
"regToken" A value used to authenticate the user to the RA/CA.
"authenticator" A value that the user can authenticate with in the future when their private key is not available. Can be used for key recovery or revocation requests.
"escrowAuthorityCert" If this value is NULL, then no key escrow will be performed. This value specifies which KRA certificate should be used to wrap the private key being escrowed. The user will be prompted for confirmation whenever a key will be escrowed. Only key exchange keys will be escrowed. If a dual use key is being generated, it will not be escrowed. The value of this argument is a base-64 encoded certificate.
"CRMF Generation Done Code" This parameter is JavaScript to execute when the CRMF generation is complete.
keySizeN The size in bits of the Nth key to generate
"keyParamsN" This string is an optional algorithm dependent parameter value. For Diffie-Hellman it is used to specify p and g parameters. For DSA, it will be used to specify pqg. If the key generation requires parameters and the value passed in is NULL, then the client will generate the parameters on its own. Currently, this value is ignored.
"keyGenAlgN" Which algorithm the generated key will support. Acceptable values are (the mentioned values for keyUsage pertain to the keyUsage value of the Certificate Extension that will ultimately be in the issued certificate):
  • "rsa-ex" - generate an RSA key for key exchange only (This will have eyEncipherment set for keyUsage.)
  • "rsa-dual-use" - generate a single RSA key for both signing and encryption. (This will have digitalSignature, keyEncipherment, and nonRepudiation set for keyUsage.)
  • "rsa-sign" - generate an RSA key for signing only. (This will have digitalSignature set for keyUsage.)
  • "rsa-nonrepudiation" - generate a single RSA key for nonRepudiation only. (This will have non-repudiation set for keyUsage.)
  • "rsa-sign-nonrepudiation" - generate a single RSA key use for both signing and nonRepudiation. (This will have both digitalSignature and nonRepudiation set for keyUsage.)
  • "dsa-sign" - generate a single DSA key for signing only. (This will have digitalSignature set for keyUsage.)
  • "dsa-nonrepudiation" - generate a single DSA key for nonRepudiation. (This will have nonRepudiation set for keyUsage.)
  • "dsa-sign-nonrepudiation" - generate a single DSA key for signing and non-repudiation. (This will have digitalSignature and nonRepudiation set for keyUsage.)
  • "dh-ex"
  • "ec-ex"
  • "ec-dual-use"
  • "ec-sign"
  • "ec-sign-nonrepudiation"
  • "ec-nonrepudiation"

The generateCRMFRequest() method will cause the user to be presented with a key generation dialog. The dialog describes the key generation process and gives the user the opportunity to cancel the operation.

The method generateCRMFRequest() will return an instance of a CRMF Request object. The JavaScript passed in as the "CRMF Generation Done Code" parameter should look at the attribute request of the returned object to get the result of the CRMF generation.

The string found by accessing crmfObject.request is the base-64 encoded CRMF message to be sent to the CA/RA, or an error string. The possible error strings are:

Error String Description
"error:invalidParameter:XXX" The parameter XXX was an invalid value.
"error:userCancel" the user has canceled the key generation operation
"error:internalError" the software encountered some internal error, such as out of memory