From Wikipedia, the free encyclopedia

SPKAC is an acronym that stands for Signed Public Key and Challenge, also known as Netscape SPKI.

It is a format for sending a certificate signing request: it encodes a public key, and it can be manipulated using openssl.[1] It is created using the little-documented HTML keygen element[2] in a number of Netscape-compatible browsers.
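
As an added example (not part of the original article and not taken from OpenSSL's documentation), the shell functions below use the `openssl spkac` command mentioned above to create an SPKAC and then check both its signature and its embedded challenge, as a service receiving the request would. The function names, file names and `nonce-...` challenge values are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: create an SPKAC with `openssl spkac`, then check it the way
# a receiving service would. File names and challenges are constructed.

# make_spkac KEYFILE CHALLENGE OUTFILE
# Generates a throwaway RSA key and writes "SPKAC=<base64>" to OUTFILE.
make_spkac() {
    openssl genrsa -out "$1" 2048 2>/dev/null &&
    openssl spkac -key "$1" -challenge "$2" -out "$3"
}

# spkac_challenge FILE
# Prints the challenge string embedded in the SPKAC.
spkac_challenge() {
    openssl spkac -in "$1" 2>/dev/null |
        sed -n 's/^ *Challenge String: //p'
}

# check_spkac FILE EXPECTED_CHALLENGE
# Succeeds only if the signature verifies against the embedded public key
# AND the embedded challenge equals the value the service issued.
check_spkac() {
    openssl spkac -in "$1" -verify -noout 2>/dev/null || return 1
    [ "$(spkac_challenge "$1")" = "$2" ]
}

demo() {
    dir=$(mktemp -d) || return 1
    make_spkac "$dir/key.pem" "nonce-1234" "$dir/req.spkac" || return 1
    if check_spkac "$dir/req.spkac" "nonce-1234"; then
        echo "accepted: signature OK, challenge matches"
    fi
    if ! check_spkac "$dir/req.spkac" "nonce-9999"; then
        echo "rejected: challenge does not match the issued value"
    fi
    rm -rf "$dir"
}

demo
```

A valid signature shows only that the sender holds the private key for the embedded public key; comparing the challenge against the value issued for that session is a separate check.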


HTML5 originally specified the <keygen> element to support SPKAC in the browser, making it easier to create client-side certificates through a web service for protocols such as WebID;[3][4] however, subsequent work for HTML 5.1 placed the keygen element "at-risk", and the first public working draft of HTML 5.2 removes the keygen element entirely.[5][6][7] The keygen element was removed because of non-interoperability and non-conformity from a standards perspective, in addition to security concerns.[8] The W3C Web Authentication Working Group is working on the Web Authentication API to replace the keygen element.[9]

Bouncy Castle provides a Java class.[10][11]

An implementation for Erlang/OTP exists too.[12]

An implementation for Python is named pyspkac.[13]

The PHP OpenSSL extension supports SPKAC as of version 5.6.0.[14]

A node.js implementation also exists.[15]


The user interface needs to be improved in browsers, to make it more obvious to users when a server is asking for the client certificate.[16]


  1. "Documents, spkac(1)". OpenSSL. Retrieved 2017-04-05.
  2. "Html | Mdn". Developer.mozilla.org. 2013-08-15. Retrieved 2013-10-13.
  3. "HTML5 W3C Recommendation 28 October 2014. 4.10.12 The keygen element". W3C. 2014-10-28. Retrieved 2016-10-17.
  4. "WebID: creating a global decentralised authentication protocol". W3C. Retrieved 2013-10-13.
  5. Nevile, Chaals (2016-06-03). "Re: Call for Consensus - Remove <keygen> from HTML". W3C HTML Working Group (Mailing list). Retrieved 2016-10-17.
  6. "HTML5.1: CR 21 June 2016. Status of this document". W3C. 2016-06-21. Retrieved 2016-10-17.
  7. "HTML 5.2: First Public WD. Changes from HTML 5.1". W3C. 2016-08-18. Retrieved 2016-10-17.
  8. W3C Technical Architecture Group (2015-11-30). "Keygen and Client Certificates". W3C. Retrieved 2016-10-17.
  9. Halpin, Harry; Appelquist, Daniel; Mill, Eric; Gmür, Reto (2016-05-31). "Re: removing keygen from HTML". W3C WWW Technical Architecture Group (Mailing list). Retrieved 2016-10-17.
  10. "Bouncy Castle Java Documentation". Retrieved 2013-12-06.
  11. "[foaf-protocols] spkac test implementation in Java". Lists.foaf-project.org. Retrieved 2013-10-13.
  12. "ztmr/espkac @ GitHub". Github.com. Retrieved 2013-10-13.
  13. "pyspkac". Github.com. Retrieved 2013-12-06.
  14. "php 5.6.0 OpenSSL Native SPKAC support".
  15. "node.js spki support".
  16. "User tracking with SSL certificates in Firefox - The H Security: News and Features". Heise-online.co.uk. 2007-09-19. Archived from the original on 2008-09-19. Retrieved 2013-10-13.

External links