views: 74
answers: 4
Is there a method for JavaScript running in a browser to determine which CA certificate is being used to authenticate the remote host for the browser's current SSL connection, and also obtain properties of that certificate, such as the name of the CA?

If not, are there any other options for programmatically obtaining this information, such as ActiveX, Java, CGI on the server side, ...?

+1  A: 

No. You could obviously do it with AJAX/ActiveX/Java/Flash/Silverlight and a custom server-side script, but I can't see why you would need this.

Matthew Flaschen
I'll bite... how would this be done in AJAX? The reason why this is needed is to check whether a client is using a bogus CA certificate, thereby allowing man-in-the-middle attacks.
sutch
+1  A: 

AFAIK not with JavaScript alone. But some webservers allow you to access the connection parameters of the thread or process. A server-side script can then send those values along with the request and you use it.

I found this for nginx webserver: http://wiki.nginx.org/NginxHttpSslModule (Look at the bottom of the page for the variables). It should be possible to set them as environment variables and pass them to your FastCGI processes or whatever you use.

AOLServer/Naviserver allows similar access with the nsssl module.

initall
Thanks for searching. The nginx webserver information applies to client certificates, which are used to authenticate the user with the web application. I'm interested in obtaining information about the CA certificate used on the client's browser--the CA certificate which authenticates the website that the browser is accessing.
sutch
A: 

JavaScript running in the web browser does not have access to the certificate information. The certificate information is also not passed through HTTP to the application. My research indicates that there is no way for the web application to determine if a man-in-the-middle attack has injected a bogus certificate somewhere between the host and client.

sutch
If the man-in-the-middle is impersonating your server to the client, they're certainly capable of replacing your javascript with something hard-coded with the "right" answers for your certificate...
Damien_The_Unbeliever
+1  A: 

You can use the open-source Forge project to do this. It implements SSL/TLS in JavaScript. You can make an ajax call to the server and use a callback to inspect the certificate. Keep in mind that the server is the one sending the JavaScript so this shouldn't be used to determine whether or not you trust the server the JavaScript is from. The Forge project does allow cross-domain requests, so if you are using this for trust, you can load the Forge JavaScript from a server you already trust and then contact the server you don't yet trust. However, unless that other server provides a cross-domain policy, you will not be able to perform the cross-domain request.

http://github.com/digitalbazaar/forge/blob/master/README

The blog links in the README provide more information on how Forge can be used and how it works.

dlongley
Nice solution. Thanks!
sutch