ADSS Admin Guide

Items

Description

Key Alias

Displays the name of the key pair to be certified.

Certificate Template

Displays the purpose defined for the key pair within ADSS Server.

Certificate Alias

Defines a unique internal name for the certificate (referred to as an alias)

Distinguish Name

Select the Distinguished Name (DN) to be entered as the Subject name of the certificate (the fields Common Name through to Serial Number).  Note, a default value for Distinguished Name can be set using the Key Manager menu item Default DName.

Note: Below RDNs only available when operator select the key purpose "TLS Server Authentication":

1. EV-TLS Locality.
2. EV-TLS State.
3. EV-TLS Country.

Subject Alternative Name (SAN)

Provide the subject alternative name if you wish to add SAN extension in the certificate. You can add as many SANs as required by clicking the + button. rfc822Name, dNSName, iPAddress, directoryName and otherName as subject alternative name can be configured via console.

Note: SAN extensions must be enabled in the required certificate template in order to add these values in the certificate. If SAN extensions are not enabled in the template then the values provided in the field(s) will be discarded.

Certificate Processing Details

1. Use Local CA:

Select this radio button if the ADSS Local CA module is to generate the certificate. In this case Key Manager will automatically communicate with the ADSS Local CA and the certificate will be issued and imported within Key Manager without further manual intervention. Ensure the ADSS Server Local CA module is configured and ready to accept requests (see the Manage CAs Service module for further details).

2. Use External CA:

Use this option to use an external CA for certifying the PKCS#10. Select the CA to use from the drop-down menu. If “Offline CA” is selected then the PKCS#10 can be saved as a file. This file should be presented to the offline CA. Later, after the certificate has been generated by the required CA, it can be imported back into ADSS Server as a file using the Import Certificate button. Alternatively if a CA is configured such that ADSS Server can communicate online in an automatic way (via the ADSS Certification Service module) then these will also be shown in the drop-down menu. In this case ADSS Key Manager will send the PKCS#10 request automatically to the online CA and wait for the certificate response in a synchronous session.

Note: The relevant settings of the selected certificate template will be used to generate pkcs10 for the external CA. 

3. Create Self-Signed Certificate:
Select this radio button if it is required to generate a self-signed certificate.

Use Auto Renewal

This option is only available if you are using a Local CA module. It allows the auto-renewal of the certificate at the time of expiry of the original certificate. Note the public key remains the same as in the original cert. This is a useful option in case you want to use “short-lived” certificates but wish to avoid the overhead of generating new certificates manually.

CDP Address

The CDP Address field will be available to the operator while creating a self-signed certificate and the CDP extension will also be enabled in the certificate template. 

The buttons "Enable/Disable Auto Renew" and "Renew Certificate", these options are not available for Self-Signed certificates and the certificates issued by an Offline CA.

A certificate can have multiple Relative Distinguished Names (RDNs) of the same type. You can enter as many RDNs as you want by clicking the + button after each DN text field.  Also note that the DN Serial Number field is not the certificate serial number but may be used by an organisation for any purpose (e.g. as a device serial number).