Home > Key Manager > Service Keys > Creating Certificates > Creating CSR/Certificates

Creating CSR/Certificates

Key can be certified (Delegated/Self-Signed) by clicking the Create CSR/Certificates button on the  Key Manager > Service Keys > Certificates screen as shown below:

The details are as follows:

Item Description
Key Alias
Displays the name of the key pair to be certified.
Certificate Template
Displays the purpose defined for the key pair within ADSS Server.
Certificate Alias
Defines a unique internal name for the certificate (referred to as an alias)
                        If the crypto source is Azure Key Vault HSM, then only the characters A-Z, a-z, 0-9 and hyphen "-" are supported for certificate alias

The special characters  &, <, > can not be used in Certificate Alias
Distinguish Name
Select the Distinguished Name (DN) to be entered as the Subject name of the certificate (the fields Common Name through to Serial Number).  Note, a default value for Distinguished Name can be set using the Key Manager menu item Default DName.

Note: Below RDNs only available when operator select the key purpose "TLS Server Authentication":
  1. EV-TLS Locality
  2. EV-TLS State
  3. EV-TLS Country

The special characters  
&, <, > can not be used in Certificate Common Name.

Multilingual characters are supported in Subject Distinguished Name RDNs except Email RDN.

All special characters except '$' sign can be used in Subject Distinguished Name.
Subject Alternative Name (SAN)
Provide the subject alternative name if you wish to add SAN extension in the certificate. You can add as many SANs as required by clicking the + button. rfc822Name, dNSName, iPAddress, directoryName and otherName as subject alternative name can be configured via console.

All the SANs can be configured via console by simply adding their respective values against the given fields. However in case of directoryName, click on the 'Add' button, the following screen would be displayed: 



Choose the required RDN from the drop-down list and set it's value in corresponding field respectively. For example, here we have selected 'Common Name' as our required RDN:

 

The operator can add multiple RDNs in the directoryName by clicking on the Add button.  

Note: SAN extensions must be enabled in the required certificate template in order to add these values in the certificate. If SAN extensions are not enabled in the template then the values provided in the field(s) will be discarded.
Certificate Processing Details
1. Use Local CA:
Select this radio button if the ADSS Local CA module is to generate the certificate. In this case Key Manager will automatically communicate with the ADSS Local CA and the certificate will be issued and imported within Key Manager without further manual intervention. Ensure the ADSS Server Local CA module is configured and ready to accept requests (see the Manage CAs Service module for further details).

2. Use External CA:
Use this option to use an external CA for certifying the PKCS#10. Select the CA to use from the drop-down menu. If “Offline CA” is selected then the PKCS#10 can be saved as a file. This file should be presented to the offline CA. Later, after the certificate has been generated by the required CA, it can be imported back into ADSS Server as a file using the Import Certificate button. Alternatively if a CA is configured such that ADSS Server can communicate online in an automatic way (via the ADSS Certification Service module) then these will also be shown in the drop-down menu. In this case ADSS Key Manager will send the PKCS#10 request automatically to the online CA and wait for the certificate response in a synchronous session.

Note: The relevant settings of the selected certificate template will be used to generate pkcs10 for the external CA. 

3. Create Self-Signed Certificate:
Select this radio button if it is required to generate a self-signed certificate.
Use Auto Renewal
This option is only available if you are using a Local CA module. It allows the auto-renewal of the certificate at the time of expiry of the original certificate. Note the public key remains the same as in the original cert. This is a useful option in case you want to use “short-lived” certificates but wish to avoid the overhead of generating new certificates manually.
CDP Address The CDP Address field will be available to the operator while creating a self-signed certificate and the CDP extension will also be enabled in the certificate template. 

A certificate can have multiple Relative Distinguished Names (RDNs) of the same type. You can enter as many RDNs as you want by clicking the + button after each DN text field.  Also note that the DN Serial Number field is not the certificate serial number but may be used by an organisation for any purpose (e.g. as a device serial number).

See also