Creating CSR/Certificates

Key can be certified (Delegated/Self-Signed) by clicking the Create CSR/Certificates button on the Key Manager > Service Keys > Certificates screen as shown below:

The details are as follows:

Items

Description

Key Alias

Displays the name of the key pair to be certified.

Certificate Template

Displays the purpose defined for the key pair within ADSS Server.

Certificate Alias

Defines a unique internal name for the certificate (referred to as an alias)

If the crypto source is Azure Key Vault HSM, then only the characters A-Z, a-z, 0-9 and hyphen "-" are supported for certificate alias.

The special characters &, <, > can not be used in Certificate Alias.

Distinguish Name

Select the Distinguished Name (DN) to be entered as the Subject name of the certificate (the fields Common Name through to Serial Number). Note, a default value for Distinguished Name can be set using the Key Manager menu item Default DName.

Note: If the user selects one of the following key purposes:

TLS Server Authentication
EV TLS Server Authentication
Certificate/ CRL Signing
EV Code Signing

Then, the below RDNs will be available:

EV Jurisdiction Locality.
EV Jurisdiction State.
EV Jurisdiction Country.

The special characters &, <, > can not be used in Certificate Common Name.

Multilingual characters are supported in Subject Distinguished Name RDNs except Email RDN.

The value for CA/Browser Forum Organization Identifier extension is taken from Organization Identifier when ENABLE_CA_VALIDATION_CHECK is set to TRUE in Global Settings > Advanced Settings. It's support is not provided in Certificate Templates.

The 'pseudonym' Subject Distinguished Name will only be visible when the certificate is being generated for SMIME key type.

All special characters except '$' sign can be used in Subject Distinguished Name.

Subject Alternative Name (SAN)

Provide the subject alternative name if you wish to add SAN extension in the certificate. You can add as many SANs as required by clicking the + button. rfc822Name, dNSName, iPAddress, directoryName and otherName as subject alternative name can be configured via console.

All the SANs can be configured via console by simply adding their respective values against the given fields. However in case of directoryName, click on the 'Add' button, the following screen would be displayed:

Choose the required RDN from the drop-down list and set it's value in corresponding field respectively. For example, here we have selected 'Common Name' as our required RDN:

The operator can add multiple RDNs in the directoryName by clicking on the Add button.

Note: SAN extensions must be enabled in the required certificate template in order to add these values in the certificate. If SAN extensions are not enabled in the template then the values provided in the field(s) will be discarded.

Certificate Processing Details

1. Use Local CA:

Select this radio button if the ADSS Local CA module is to generate the certificate. In this case Key Manager will automatically communicate with the ADSS Local CA and the certificate will be issued and imported within Key Manager without further manual intervention. Ensure the ADSS Server Local CA module is configured and ready to accept requests (see the Manage CAs Service module for further details).

2. Use External CA:

Use this option to use an external CA for certifying the PKCS#10. Select the CA to use from the drop-down menu. If “Offline CA” is selected then the PKCS#10 can be saved as a file. This file should be presented to the offline CA. Later, after the certificate has been generated by the required CA, it can be imported back into ADSS Server as a file using the Import Certificate button. Alternatively if a CA is configured such that ADSS Server can communicate online in an automatic way (via the ADSS Certification Service module) then these will also be shown in the drop-down menu. In this case ADSS Key Manager will send the PKCS#10 request automatically to the online CA and wait for the certificate response in a synchronous session.

Note: The relevant settings of the selected certificate template will be used to generate pkcs10 for the external CA.

3. Create Self-Signed Certificate:
Select this radio button if it is required to generate a self-signed certificate.

Use Auto Renewal

This option is only available if you are using a Local CA module. It allows the auto-renewal of the certificate at the time of expiry of the original certificate. Note the public key remains the same as in the original cert. This is a useful option in case you want to use “short-lived” certificates but wish to avoid the overhead of generating new certificates manually.

CDP Address

The CDP Address field will be available to the operator while creating a self-signed certificate and the CDP extension will also be enabled in the certificate template.

The buttons "Enable/Disable Auto Renew" and "Renew Certificate", these options are not available for Self-Signed certificates and the certificates issued by an Offline CA.

A certificate can have multiple Relative Distinguished Names (RDNs) of the same type. You can enter as many RDNs as you want by clicking the + button after each DN text field. Also note that the DN Serial Number field is not the certificate serial number but may be used by an organisation for any purpose (e.g. as a device serial number).