I remember looking at <keygen> and the one thing I never understood is how to save the results to the client browser? From my understanding it sends you a public key and I should sign something and send it back to the client.
However, what do I send back? Do I sign a certificate, and how do I tell the browser to install it so it can use it the next time the user visits the site? I didn't understand how to tell it to do that part, and the examples seem to forget me every time I visit the page.
Perhaps I misunderstood your question, but the <keygen> element is purposefully built such that with every new form submission a new public/private key pair is generated. The private key is stored within the local keystore and the public key is submitted as (AFAIK) a Base64-encoded string. This form element is useful for CAs signing clients' certificates using appropriate signing algorithms. Take for example SSL certificates, which require some background information as well as an RSA public/private key. In that case, instead of getting users to use an offline tool to generate the certificate request by themselves, you can make the whole system a web interface in which all the relevant data is placed in a form for the user to enter. In this case the certificate "request" can simply be constructed on the server's end, saving the client a lot of hassle.
The returned data will depend on what you are doing with the key. If you are signing a client's certificate then you will return the signed client's certificate based on their provided information. Naturally, if you are doing anything else with this key you can choose what you want to return.
Please note, the <keygen> element is not used for establishing any sort of secure channel between you (the server) and the client. The easiest way to think about this is that the <keygen> element simply behaves like a long textarea where the client types (or rather copies) their public key for processing by a certificate issuer, only the whole key generation has been automated. As for an SSL certificate, the return data could very well be the raw signed certificate file itself or a textbox containing the certificate data in a nice and fancy webpage, but that's entirely up to you. Read more about signing a certificate here.
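The round trip the answer describes, as an added example that is not part of the original answer or of any project: the browser side (simulated here) generates a key pair and submits the public key as a Base64 SPKAC, the server decodes that field, checks the challenge it put in the form and the key's proof-of-possession signature, and only then binds the key to the user in a certificate signed by a throw-away CA. It assumes a Python server using the `cryptography` library; the CA name, the user identity, the challenge and the SHA-256 SPKAC signature are this example's own choices (browsers that shipped `<keygen>` signed the SPKAC with MD5), and the `Content-Type` shown at the end is the one browsers recognised as "install this certificate next to the key you just made".

```python
import base64
import datetime
import secrets

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

SEQUENCE, IA5STRING, BIT_STRING = 0x30, 0x16, 0x03
# AlgorithmIdentifier for sha256WithRSAEncryption (OID 1.2.840.113549.1.1.11, NULL parameters);
# assumption: real browsers signed the SPKAC with md5WithRSAEncryption instead.
SHA256_WITH_RSA = bytes.fromhex("300d06092a864886f70d01010b0500")


def der(tag, body):
    """Encode one DER TLV (short-form length below 128, long-form above)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body


def der_read(buf, pos=0):
    """Parse one DER TLV at pos; return (tag, contents, position after the TLV)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def browser_keygen(challenge, bits=2048):
    """What <keygen> does on submit: new key pair, private half kept locally, SPKAC in the form field."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=bits)
    spki = key.public_key().public_bytes(serialization.Encoding.DER,
                                         serialization.PublicFormat.SubjectPublicKeyInfo)
    pkac = der(SEQUENCE, spki + der(IA5STRING, challenge.encode("ascii")))  # PublicKeyAndChallenge
    sig = key.sign(pkac, padding.PKCS1v15(), hashes.SHA256())             # proof of possession
    spkac = der(SEQUENCE, pkac + SHA256_WITH_RSA + der(BIT_STRING, b"\x00" + sig))
    return key, base64.b64encode(spkac).decode("ascii")


def verify_spkac(field, expected_challenge):
    """Server side: check algorithm, challenge and self-signature of the submitted SPKAC; return the key."""
    _, body, _ = der_read(base64.b64decode(field))
    _, pkac_body, end = der_read(body)            # PublicKeyAndChallenge: the bytes that were signed
    _, _, end2 = der_read(body, end)              # signatureAlgorithm
    _, sig_bits, _ = der_read(body, end2)         # signature BIT STRING (first octet = unused bits)
    if body[end:end2] != SHA256_WITH_RSA:
        raise ValueError("unsupported SPKAC signature algorithm")
    _, _, spki_end = der_read(pkac_body)          # SubjectPublicKeyInfo
    _, chal, _ = der_read(pkac_body, spki_end)    # challenge IA5String
    if not secrets.compare_digest(chal.decode("ascii"), expected_challenge):
        raise ValueError("challenge mismatch: stale, replayed or cross-session submission")
    pub = serialization.load_der_public_key(pkac_body[:spki_end])
    pub.verify(sig_bits[1:], body[:end], padding.PKCS1v15(), hashes.SHA256())  # InvalidSignature if forged
    return pub


def _builder(subject, issuer, pub, days):
    now = datetime.datetime.now(datetime.timezone.utc)
    return (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer).public_key(pub)
            .serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=days)))


def make_ca(name="Example Client CA"):
    """Throw-away issuing CA for the demo (constructed, not a real authority)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    subj = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, name)])
    cert = (_builder(subj, subj, key.public_key(), 3650)
            .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def issue_client_cert(ca_key, ca_cert, pub, common_name, days=365):
    """Bind the verified public key to the user; the DER bytes are what the form handler sends back."""
    subj = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    cert = (_builder(subj, ca_cert.subject, pub, days)
            .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
            .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.CLIENT_AUTH]), critical=False)
            .sign(ca_key, hashes.SHA256()))
    return cert.public_bytes(serialization.Encoding.DER)


# Served with this Content-Type, the browser stores the reply beside the private key it kept.
INSTALL_CONTENT_TYPE = "application/x-x509-user-cert"


def demo():
    """Whole round trip; returns plain facts about the outcome."""
    ca_key, ca_cert = make_ca()
    challenge = secrets.token_urlsafe(16)          # minted when the form was rendered, kept in the session
    client_key, field = browser_keygen(challenge)  # the value the browser submits in the <keygen> field
    pub = verify_spkac(field, challenge)
    cert = x509.load_der_x509_certificate(issue_client_cert(ca_key, ca_cert, pub, "alice@example.test"))
    ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                padding.PKCS1v15(), cert.signature_hash_algorithm)
    try:                                           # same field replayed against another session's challenge
        verify_spkac(field, "challenge-of-some-other-session")
        replay_rejected = False
    except (ValueError, InvalidSignature):
        replay_rejected = True
    return {"key_bound": cert.public_key().public_numbers() == client_key.public_key().public_numbers(),
            "issuer": cert.issuer.rfc4514_string(), "subject": cert.subject.rfc4514_string(),
            "replay_rejected": replay_rejected, "content_type": INSTALL_CONTENT_TYPE}


if __name__ == "__main__":
    print(demo())
```

The challenge check is the part worth keeping even if the rest is replaced by `openssl spkac`/`openssl ca -spkac`: without it, a captured SPKAC from one session can be resubmitted in another, and the signature alone proves only that whoever built the blob held the private key at some point, not that it belongs to the user currently logged in.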