Creating CSR/Certificates
Key can be certified (Delegated/Self-Signed) by clicking the Create CSR/Certificates button on the Key Manager > Service Keys > Certificates screen as shown below:
Once the the General Details of the certificate are filled, clicking on the Next Arrow (>) will display the following screen:
Once the required Certificate Details are filled, clicking on the Next Arrow (>) will display the following screen:
Once the required Subject Alternative Name Details are filled, clicking on the Next Arrow (>) will display the following screen:
Once the required details are filled, click on the Save button to save the changes.
The details of the above configurations are as follows:
Items |
Description |
||||||||||
Key Alias |
Displays the name of the key pair to be certified. |
||||||||||
Certificate Template |
Displays the purpose defined for the key pair within ADSS Server. |
||||||||||
Certificate Alias |
Defines a unique internal name for the certificate (referred to as an alias)
|
||||||||||
Distinguish Name |
Select the Distinguished Name (DN) to be entered as the Subject name of the certificate (the fields Common Name through to Serial Number). Note, a default value for Distinguished Name can be set using the Key Manager menu item Default DName. Note: If the user selects one of the following key purposes:
Then, the below RDNs will be available:
|
||||||||||
Subject Alternative Name (SAN) |
Provide the subject alternative name if you wish to add SAN extension in the certificate. You can add as many SANs as required by clicking the + button. rfc822Name, dNSName, iPAddress, directoryName and otherName as subject alternative name can be configured via console.
|
||||||||||
Certificate Processing Details |
1. Use Local CA: Select this radio button if the ADSS Local CA module is to generate the certificate. In this case Key Manager will automatically communicate with the ADSS Local CA and the certificate will be issued and imported within Key Manager without further manual intervention. Ensure the ADSS Server Local CA module is configured and ready to accept requests (see the Manage CAs Service module for further details).
Use this option to use an external CA for certifying the PKCS#10. Select the CA to use from the drop-down menu. If “Offline CA” is selected then the PKCS#10 can be saved as a file. This file should be presented to the offline CA. Later, after the certificate has been generated by the required CA, it can be imported back into ADSS Server as a file using the Import Certificate button. Alternatively if a CA is configured such that ADSS Server can communicate online in an automatic way (via the ADSS Certification Service module) then these will also be shown in the drop-down menu. In this case ADSS Key Manager will send the PKCS#10 request automatically to the online CA and wait for the certificate response in a synchronous session.
|
||||||||||
Use Auto Renewal |
This option is only available if you are using a Local CA module. It allows the auto-renewal of the certificate at the time of expiry of the original certificate. Note the public key remains the same as in the original cert. This is a useful option in case you want to use “short-lived” certificates but wish to avoid the overhead of generating new certificates manually. |
||||||||||
CDP Address |
The CDP Address field will be available to the user while creating a self-signed certificate and the CDP extension will also be enabled in the certificate template. |
A certificate can have multiple Relative Distinguished Names (RDNs) of the same type. You can enter as many RDNs as you want by clicking the + button after each DN text field. Also note that the DN Serial Number field is not the certificate serial number but may be used by an organisation for any purpose (e.g. as a device serial number). |
See also
Importing Certificates
Exporting Keys/ Certificates
Searching Certificates