Anyone who has attempted to obtain a digital certificate may have encountered a strange situation: the National Mint and Stamp Factory (FNMT), the entity that issues the most widely used certificate, does not support newer versions of Firefox and requires installing an old version of the browser, which logically brings back vulnerabilities that had already been fixed.
The reason is simple: since version 69 (September 2019), Firefox has stopped supporting an element of the HTML standard called “keygen”, which facilitated the generation of keys. The problems, however, will end soon: the FNMT will have a new tool available in August.
The horror message: “Browser not supported”
Users who have tried to obtain a new digital certificate for their dealings and procedures with the Spanish public administration have been facing browser and operating system support problems for years.
It’s straight a fucking shame pic.twitter.com/ePb7ug96yY
– 𓅓 Alejandro Liam 𓅓 (@alexliament) August 5, 2020
In our country, these certificates are issued by the National Mint and Stamp Factory. Browser and operating system support for its certificate creation tool has long been causing problems in browsers like Firefox, which in September 2019, with the arrival of Firefox 69, removed a feature critical to the functioning of the FNMT system.
This is the HTML <keygen> element.
The people in charge of Mozilla – the entity in charge of the development of the Firefox browser – indicate in their documentation that this functionality “is obsolete”, and although it may still work in some browsers, “its use is not recommended as it can be removed at any time [from those browsers]”.
In September 2019, Mozilla made the decision to remove support for this element. DigiCert described the situation precisely at that time: only Safari officially uses it, while the old Internet Explorer uses a different type of control through ActiveX and is not affected by this tag.
The same thing actually happened with Google Chrome in March 2017 with version 57 of this browser, which also disabled that support, something the FNMT alluded to when explaining the browser situation at that time.
The solution for some time has been to install Firefox 68 (or request the certificate via the DNIe)
When the dreaded “Browser not supported” error appears in these processes, the FNMT itself offers a solution, consisting of installing Firefox 68 ESR (Extended Support Release) to be able to complete the entire generation of the digital certificate, although it is also possible to try to run the process with Internet Explorer on Windows computers.
A specific support page mentions this issue of key generation and certificate renewal. The page explains how to save the data that we store in the browser and provides links to the 32-bit and 64-bit versions of Mozilla Firefox 68.
There is another option: the Cl@ve system, which was launched in 2014 and which allows us to carry out various procedures and identify ourselves without needing the DNIe or the digital certificate.
The FNMT already has the solution ready, and it will arrive very soon
The FNMT indicated in January 2020 that it was already working on a tool that would “generate the keys necessary for the issuance of digital certificates regardless of the browser and operating system used”.
The solution to the problem is therefore in progress, but the agency indicated that its development is complex because it has to cover all operating systems (Windows, Linux, macOS) and the most common browsers (Chrome, Firefox, Opera, Edge and Internet Explorer).
At Xataka we contacted the FNMT, whose managers told us that development “is already done”, although they are currently doing some final testing to prevent problems among users during the final deployment.
As the FNMT explained to us, the agency has 9 million users and issues more than 10,000 certificates per day, which makes it important that the final implementation of the new solution offers the best possible guarantees that nothing will go wrong.
In any case, after all the development and tests carried out, they hope to have the tool available to all users on August 17, or perhaps a week later.
The new certificate request process that the FNMT has been developing in recent months will allow the process to be completed regardless of the browser or operating system used.
The process will be transparent to users, who will simply go to the website to generate the certificate as usual, but will see that the process has changed slightly and no longer depends on the operating system or browser. In fact, the FNMT indicates that it has evaluated the tool with different versions of Windows, the latest three versions of macOS, and the four most popular Linux distributions, including Ubuntu or Debian.
Development suffered further delays in order to add more options to the tool and fix some last-minute issues. As the FNMT tells us, Firefox has changed how the browser’s certificate store works, and they also wanted to add support for the new Chromium-based Microsoft Edge.
Testing and internal and external security audits of the tool (among other things, the FNMT will never have the private key that is generated for the user) were also intensive, to ensure that there were no problems with the new system.
This tool is a self-contained Java application; in other words, there is no need to install Java on the computer. It is invoked by protocol from the browser (developing an extension for each browser and operating system and then maintaining it was not feasible), so the first step in the process requires the user to download and install this tool to complete the process.
From there, the tool takes care of everything using the browser: it generates the keys and does not just store them in the certificate store of the browser with which we perform the process. If other browsers are installed, it also tries to register them in those browsers’ certificate stores, so that we can work interchangeably with them when carrying out procedures.
Another striking feature, the FNMT explained to us, is the automatic creation, if the user wishes, of backup copies of the certificate, a step that users wouldn’t normally take because they had to go through a somewhat tedious process from the browser. Failing to do so and then having a problem with the browser exposed them to the loss of the certificate and the need to regenerate it, but the new system helps to minimize this scenario.
Source: Engadget