Disclaimer: this page is a Chinese-English side-by-side translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. You are free to use/share it, but you must follow the same CC BY-SA license, cite the original URL and author information, and attribute it to the original authors (not me). StackOverflow original URL: http://stackoverflow.com/questions/4501196/

Time: 2020-08-29 05:47:32  Source: igfitidea

Keygen tag in HTML5

security html ssl

Asked by Craige

So I came across this new tag in HTML5, <keygen>. I can't quite figure out what it is for, how it is applied, and how it might affect browser behavior.

I understand that this tag is for form encryption, but what is the difference between <keygen> and having an SSL certificate for your domain? Also, what is the challenge attribute?

I'm not planning on using it as it is far from implemented in an acceptable range of browsers, but I am curious as to what EXACTLY this tag does. All I can find is vague cookie-cutter documentation with no real examples of usage.


Edit:

I have found a VERY informative document, here. This runs through both client-side and server-side implementation of the keygen tag.

I am still curious as to what the benefit of this over a domain SSL certificate would be.

Accepted answer by duddex

SSL is about "server identification" or "server AND client authentication (mutual authentication)".

In most cases only the server presents its server-certificate during the SSL handshake so that you could make sure that this really is the server you expect to connect to. In some cases the server also wants to verify that you really are the person you pretend to be. For this you need a client-certificate.

The <keygen> tag generates a public/private key pair and then creates a certificate request. This certificate request will be sent to a Certificate Authority (CA). The CA creates a certificate and sends it back to the browser. Now you are able to use this certificate for user authentication.

Answer by Ms2ger

You're missing some history. keygen was first supported by Netscape when it was still a relevant browser. IE, OTOH, supported the same use cases through its ActiveX APIs. Opera and WebKit (or even KHTML), unwilling to reverse-engineer the entire Win32 API, reverse-engineered keygen instead.

It was specified in Web Forms 2.0 (which has now been merged into the HTML specification), in order to improve interoperability between the browsers that implemented it.

Since then, the IE team has reiterated their refusal to implement keygen, and the specification (in order to avoid turning into dry science fiction) has been changed to not require an actual implementation:

Note: This specification does not specify what key types user agents are to support — it is possible for a user agent to not support any key types at all.

In short, this is not a new element, and unless you can ignore IE, it's probably not what you want.

Answer by Andrew

If you're looking for "exactly" then I'd recommend reading the RFC.

The keygen element is for creating a key for authentication of the user while SSL is concerned about privacy of communication and the authentication of the server. Quoting from the RFC:

This specification does not specify how the private key generated is to be used. It is expected that after receiving the SignedPublicKeyAndChallenge (SPKAC) structure, the server will generate a client certificate and offer it back to the user for download; this certificate, once downloaded and stored in the key store along with the private key, can then be used to authenticate to services that use TLS and certificate authentication.
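
The SignedPublicKeyAndChallenge exchange described in the answers above, as an added example that is not part of the original posts or of any browser's code: the client half builds the SPKAC the way a browser did for a keygen form field, and the server half checks the signature and the challenge before a certificate would be issued. The names makeSpkac and checkSpkac are hypothetical, and RSA-2048 with SHA-256 is an assumption, since the page does not name key types or algorithms.

```javascript
// Added example (not from the original answers): both halves of a <keygen> submission.
const nodeCrypto = require('crypto');

// Minimal DER tag-length-value encoder; lengths up to 65535 are enough here.
function der(tag, ...parts) {
  const body = Buffer.concat(parts);
  const n = body.length;
  const len = n < 0x80 ? [n] : n < 0x100 ? [0x81, n] : [0x82, n >> 8, n & 0xff];
  return Buffer.concat([Buffer.from([tag, ...len]), body]);
}

// AlgorithmIdentifier for sha256WithRSAEncryption (OID 1.2.840.113549.1.1.11, NULL parameters).
const SHA256_RSA = Buffer.from('300d06092a864886f70d01010b0500', 'hex');

// Client side (hypothetical helper): what the browser did for <keygen challenge="...">.
// The private key never leaves the client; only the base64 SPKAC is posted with the form.
function makeSpkac(challenge) {
  const { publicKey, privateKey } =
    nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 }); // assumed key type
  const spki = publicKey.export({ type: 'spki', format: 'der' });
  // PublicKeyAndChallenge ::= SEQUENCE { SubjectPublicKeyInfo, challenge IA5String }
  const pkac = der(0x30, spki, der(0x16, Buffer.from(challenge, 'latin1')));
  const sig = nodeCrypto.sign('sha256', pkac, privateKey); // RSASSA-PKCS1-v1_5
  // SignedPublicKeyAndChallenge ::= SEQUENCE { pkac, algorithm, signature BIT STRING }
  const spkac = der(0x30, pkac, SHA256_RSA, der(0x03, Buffer.from([0]), sig));
  return spkac.toString('base64');
}

// Server side (hypothetical helper): run before issuing a client certificate.
// 1. The signature proves the submitter holds the private key for the enclosed public key.
// 2. The challenge must equal the value this server put in the form, so an SPKAC
//    captured from another form or session is rejected.
function checkSpkac(spkacB64, expectedChallenge) {
  const spkac = Buffer.from(spkacB64);
  if (!nodeCrypto.Certificate.verifySpkac(spkac)) {
    return { ok: false, reason: 'bad signature' };
  }
  const got = nodeCrypto.Certificate.exportChallenge(spkac).toString('latin1');
  if (got !== expectedChallenge) {
    return { ok: false, reason: 'challenge mismatch' };
  }
  const publicKeyPem = nodeCrypto.Certificate.exportPublicKey(spkac).toString();
  return { ok: true, publicKeyPem };
}
```

The challenge is inside the signed structure, so changing it after signing also invalidates the signature.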

Answer by Nermien Barakat

Deprecated

This feature has been removed from the Web standards. Though some browsers may still support it, it is in the process of being dropped. Avoid using it and update existing code if possible. Be aware that this feature may cease to work at any time.

Source

Answer by Chawathe Vipul S

The doc is useful to elaborate on what is the keygen element. Its requirement arises in WebID that may be understood to be part of Semantic Web of Linked Data as seen at https://dvcs.w3.org/hg/WebID/raw-file/tip/spec/index-respec.html#creating-a-certificate2.1.1

Answer by Paulo Santos

This might be useful for websites that provide services, where people need to pay for the service, like video on demand, or news website for professionals like Bloomberg. With these keys people can only watch the content in their computer and not in simultaneous computers! You decide how data is stored and processed. You can specify a .asp or .php file that will receive the variables and your file will store that key in the user profile. This way your users will not be able to log in from a different computer if you want. You may force them to check their email to authorize that new computer, just like Steam does. Basically it allows to individualize service access, if your licensing model is per machine, like Operating System.

You can check the specs here: http://www.w3.org/TR/html-markup/keygen.html
