There are five ways to generate/import and certify a key in ADSS Server for its infrastructure use:

Self-Signed Certificates

A self-signed certificate is an identity certificate that is signed by the same entity whose identity it certifies. The following are the steps to generate a self-signed certificate in ADSS Server.

  • Go to Key Manager > Service Keys module with appropriate purpose.
  • Generate a key pair by clicking the New button, fill in the form and click OK button to generate the key.
  • Select the newly generated key and click Certificates button.
  • Click the Create CSR/Certificate button.
  • Fill in the form and select the Self-Signed Certificate radio button. Click here for more details.
  • Click OK to create the certificate.
  • Configure this key in ADSS Server where required.


Generate Delegated Certificates using Locally Configured CAs

A CA can be configured in ADSS Server to generate delegated certificates for different purposes if the Manage CAs module is licensed. If the module is licensed, follow these steps to generate a delegated certificate:

  • Go to Key Manager > Service Keys module.
  • Generate a key pair by clicking the New button, fill in the form and click OK button to generate the key.
  • Select the newly generated key and click Certificates button.
  • Click the Create CSR/Certificate button.
  • Fill in the form. Click here for more details.
  • Select the Use Local CA radio button and, from the drop-down, select the CA you want to use to certify the key.
  • Click OK to complete the process.
  • Configure this key in ADSS Server where required.


Generate Delegated Certificates using Online External CA

An external CA can be configured in ADSS Server to generate delegated certificates for different purposes if the Manage CAs module is licensed. In this case, the target CA's URL is configured in the Manage CAs > Configure External CA module. The key is generated in ADSS Server and a certificate request (PKCS#10) is sent to the CA to certify it. This key can be used for different cryptographic operations in ADSS Server. ADSS Server supports integration with the following external CAs:

  • ADSS CA Server
  • Microsoft CA (deployed on Windows Server 2008 & 2012)
  • GlobalSign EPKI
  • EJBCA
  • QuoVadis CA

The following are the steps to generate an infrastructure key from the external CA.

  • Go to Key Manager > Service Keys module.
  • Generate a key pair by clicking the New button, fill in the form and click OK button to generate the key.
  • Select the newly generated key and click Certificates button.
  • Click the Create CSR/Certificate button.
  • Fill in the form. Click here for more details.
  • Select the Use External CA radio button and, from the drop-down, select the CA you want to use to certify the key.
  • Click OK to complete the process.
  • Configure this key in ADSS Server where required.


Generate PKCS#10 and Certify using Offline CA

If the Manage CAs module is not licensed, there is no option to certify a key in ADSS Server using either a Local CA or an External CA. Instead, you can generate the key in ADSS Server, create a certificate request (PKCS#10), and send it manually to a CA for certification. Then import the certificate received from the CA against that key to use it in ADSS Server. The following are the steps to generate a PKCS#10 in ADSS Server:

  • Go to Key Manager > Service Keys module.
  • Generate a key pair by clicking the New button, fill in the form and click OK button to generate the key.
  • Select the newly generated key and click Certificates button.
  • Click the Create CSR/Certificate button.
  • Fill in the form. Click here for more details.
  • Select the Use External CA radio button and choose the Offline CA option in the drop-down.
  • Click OK to complete the process.
  • Save the PKCS#10 on file system.


Send the generated PKCS#10 to the offline CA for certification.  When the generated certificate is received from the CA, import the certificate in ADSS Server by following these steps:

  • Go to Key Manager > Service Keys module.
  • Select the key generated above and click the Certificates button.
  • Select the record with Pending status and click Import Certificate button.
  • Browse the certificate received from the CA and click OK to complete the process.
  • Configure this key in ADSS Server where required.
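
Because the offline route moves the PKCS#10 and the returned certificate by hand, it is worth confirming on the file system, before the import step, that the certificate certifies the key in the request you saved and was issued by the CA you sent it to. The script below is an added example, not part of ADSS Server or its documentation; it assumes the OpenSSL command-line tool, PEM-encoded files and a copy of the CA certificate, and all file and function names are hypothetical.

```shell
#!/bin/sh
# Added example: checks to run on a certificate returned by an offline CA
# before importing it against the Pending key. File names are assumptions.

# SHA-256 over the DER SubjectPublicKeyInfo read from a PEM public key on stdin.
spki_hash() {
    openssl pkey -pubin -outform DER | openssl dgst -sha256 -r | cut -d' ' -f1
}

# check_issued_cert CSR CERT CA_CERT -> returns 0 only if all three checks pass.
check_issued_cert() {
    csr=$1; cert=$2; ca=$3
    # 1. The PKCS#10 self-signature proves possession of the private key.
    #    Match on the message; the exit status differs between OpenSSL versions.
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q "verify OK" ||
        { echo "FAIL: CSR signature does not verify" >&2; return 1; }
    # 2. The certificate must certify the same public key the CSR carried.
    want=$(openssl req -in "$csr" -noout -pubkey | spki_hash)
    got=$(openssl x509 -in "$cert" -noout -pubkey | spki_hash)
    [ -n "$want" ] && [ "$want" = "$got" ] ||
        { echo "FAIL: certificate key differs from CSR key" >&2; return 1; }
    # 3. The certificate must chain to the CA the request was sent to.
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 ||
        { echo "FAIL: certificate does not chain to $ca" >&2; return 1; }
    echo "OK: $cert matches $csr and chains to $ca"
}

# Constructed sample data: a throwaway CA and two requests in directory $1.
make_sample() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Sample Offline CA" \
        -days 1 -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    for n in a b; do
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=sample-$n" \
            -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null
        openssl x509 -req -in "$d/$n.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
            -CAcreateserial -days 1 -out "$d/$n.pem" 2>/dev/null
    done
}

# Usage: sh check.sh demo   (runs the checks on the constructed sample)
if [ "${1:-}" = demo ]; then
    tmp=$(mktemp -d) && make_sample "$tmp" &&
        check_issued_cert "$tmp/a.csr" "$tmp/a.pem" "$tmp/ca.pem"
    rm -rf "$tmp"
fi
```

A mismatch at check 2 means the certificate cannot be paired with the pending key, so resolve it with the CA before attempting the import.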


Import Existing Key (PFX, P12 file)

If the key is already generated and certified outside the ADSS Server, you will get a .pfx/.p12 file. This file can be imported in ADSS Server by following these steps:

  • Go to Key Manager > Service Keys module.
  • Click the Import Key button.
  • Fill in the form. Click here for more details.
  • Click OK to complete the process.
  • Configure this key in ADSS Server where required.


See also

Creating New Keys
Importing Keys