Why Can Only Certain Browsers Generate Automatic Key pairs?

Nishi Agrawal
3 min readFeb 19, 2020

Many certificate authorities in the PKI and SSL world use browsers such as Internet Explorer or Firefox to automatically create keypairs for use with Email-S/MIME Code Signing or Server Authentication Certificates. Not all Search engines have the capacity to create these keypairs because of the < keygen > and ActiveX controls licensing restrictions that perform the creation of keypairs in tandem with operating system limitations.


The HTML <keygen> is a registered element used as part of an HTML form to enable the generation of key material, and submission of the public key. This process is intended for use with certificate management systems on the Internet.

Firefox can use the <keygen> and create immediate keypairs, since Firefox uses its own keystores that do not disrupt with operating systems like Windows or Mac.

If Firefox had to use <keygen> to build keypairs explicitly in keystores of Windows OS that could wind up being a significant security issue as it could give access to certain parts of the Windows operating system. The open source code and software developed by Mozilla is not enabled by Microsoft to navigate keystores for Windows operating systems. It’s a workaround to Firefox using its own keystore.


ActiveX is a software foundation made by Microsoft and is utilized by Internet Explorer, Visual Studio, Microsoft Office, and so forth that conveys, produces, and arranges keypairs legitimately on Windows working frameworks. Since this is claimed by Microsoft, they can do anything they desire on their operating system.

Safety is the new focus for Microsoft with its new Edge browser. Because of this Edge does not support ActiveX controls due to possible security issues as indicated with the example of Firefox <keygen> but is still backed in legacy browsers of Internet Explorer.


1. Microsoft Internet Explorer: — IE uses the control CertEnroll/XEnroll ActiveX to create and download certificates via browser.

2. Microsoft Edge: — Within Microsoft’s new Edge browser, neither <keygen> controls nor the CertEnroll/XEnroll ActiveX controls appear.

3. Mozilla Firefox: — This browser facilitates key creation and deployment of certificates by default via the <keygen> feature and special certificate file type handling

Note While Firefox underpins in-browser certificate installation, it utilizes its own keystore to store the certificate and isn’t imparted to different applications. Using Internet Explorer, the certificate will be loaded into the Windows Certificate Manager, which is used by many programs such as Microsoft Office, Outlook and Google Chrome.

When Firefox is used to create the keypair, then you will need to export the Firefox keystore certificate to add the pfx/p12 keypair file to your operating system or application that requires it.

4. Google Chrome: — Chrome uses Windows keystores, because of licensing and operating system limitations stated in the prior Firefox example, it is not allowed to produce keypairs that obtain the Windows operating system. Whereas the keygen mechanism can be activated manually, custom filetype handling is still eliminated, so keypair creation and installation is not supported through Google Chrome.

For more information on Firefox or Edge/Internet Explorer browser go through the following links:

Ø Mozilla Developer — <keygen>

Ø Windows IT Pro Center — Microsoft Edge Group Policy configuration options



Nishi Agrawal

Management Student, Digital Marketing Enthusiastic Interested in Web Security and Internet topics. Young Mind with creative thinking capabilities.