Introduction


Certificate Center is a central location that provides a complete list of all certificate requests and the capability to manage all certificate keys. These certificates can be used for multiple purposes, including document signing, remote authorization signing, etc. A certificate request can be for issuance/approval, renewal or revocation.


How it Works?

  1. You can create a certificate request using the icon on the top right. Select a purpose and certificate usage as required. Provide all the information required for certificate generation (i.e. Subject Distinguished Name, Subject Alternative Name, etc.), depending on the selected certificate type.
  2. Once created, a certificate request will appear in the Draft state (if the request is not yet completed). Click the icon and select the Edit option to complete the certificate request. Once a request is completed, it will be shown as Approved in the certificate requests list.
  3. Certificate information can be viewed or downloaded from the Certificate Requests list. Click the icon and select the View or Download option. View opens a dialog showing the certificate-related information; Download opens a dialog to save the certificate.
  4. Certificate renewal or revocation requests can be generated from the Issued Certificates list. Click the icon and select the Renew or Revoke option accordingly. A confirmation dialog will appear; upon confirmation, a further dialog will appear where you can add a message to renew or revoke the certificate.


A one-time password (OTP) can be set as authentication at the time of request submission for certificate issuance, renewal and revocation, based on certificate criticality. See details in External Services > Connectors > SMS Gateway.



Create Certificate Requests


If you want to create a certificate request, then follow these steps:

  1. You can create a certificate request using the icon on the top right.
  2. Provide all the information required by the RA (Registration Authority) to complete the vetting process.
  3. Select the validity period (if allowed by the Admin RAO) for the certificate.
  4. An email notification will be sent to the RA (Registration Authority) for request approval.



1) The submitted request will be available in Certificate Center > Certificate Requests with Pending status, or with Approved status if no vetting is required by the Enterprise RAO.

2) CSR validation policies are only validated when Enable CSR Validation is set under Web RA Admin > Configurations > Policy.

3) When one of the CSR validation policies is configured in Web RA Admin, these policies are validated while approving a certificate request. If one of the CSR validation policies does not meet the criteria at the time of certificate request approval, the enterprise RAO can decline the request by adding a declining reason.

4) If one of the validation policies is not met, it appears on the decline reason dialog as a declining reason. Furthermore, the RAO cannot proceed to the next screen.

5) If no validation policy failed, the RAO can still decline a certificate request, but no validation policy appears as a declining reason on the decline dialog. A custom reason can be added, though.

6) CSR-based validation only applies to certificate requests where either a CSR is imported by the user, or the certificate request is created using a PKCS#10, USB/Smart Card Tokens, or a request for Go>Sign using MSCAPI.

7) While creating a certificate request, if $REQUEST is selected as the certificate type (in case of a CSR), or if your certification service profile (in case of a server-side certificate) contains any Relative Distinguished Names (RDNs) with a $ symbol that are set as overridable, then your Subject Distinguished Name (SDN) parameters will not be shown as mandatory but can be edited.

8) For a request created using a profile where Enable client keys is checked, the user/operator has the option to upload a CSR and change the values of their RDNs, except organization.
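A pre-submission check for an imported PKCS#10 CSR, given here as an added example that is not part of Web RA or its documentation. The page does not list what the CSR validation policies verify, so the checks below (valid self-signature, minimum key size, CN and O present in the subject) and the names CheckCSR and SampleCSR are assumptions chosen for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
)

// CheckCSR lists why a PEM PKCS#10 request fails the assumed checks (empty = pass).
func CheckCSR(pemCSR []byte) (reasons []string) {
	block, _ := pem.Decode(pemCSR)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return []string{"not a PEM CERTIFICATE REQUEST block"}
	}
	req, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return []string{"malformed PKCS#10 structure"}
	}
	// Proof of possession: the request must be signed by the key it carries.
	if req.CheckSignature() != nil {
		reasons = append(reasons, "self-signature invalid")
	}
	// Minimum key sizes are assumptions, not the RA's configured policy.
	if k, ok := req.PublicKey.(*rsa.PublicKey); ok && k.N.BitLen() < 2048 {
		reasons = append(reasons, "RSA key shorter than 2048 bits")
	}
	if k, ok := req.PublicKey.(*ecdsa.PublicKey); ok && k.Curve.Params().BitSize < 256 {
		reasons = append(reasons, "EC curve smaller than 256 bits")
	}
	if req.Subject.CommonName == "" || len(req.Subject.Organization) == 0 {
		reasons = append(reasons, "subject DN lacks CN or O")
	}
	return reasons
}

// SampleCSR builds a constructed ECDSA request so the example runs offline.
func SampleCSR(subject pkix.Name, curve elliptic.Curve) []byte {
	key, _ := ecdsa.GenerateKey(curve, rand.Reader)
	der, _ := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: subject}, key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der})
}

func main() {
	fmt.Println(CheckCSR(SampleCSR(pkix.Name{CommonName: "signer.example.test"}, elliptic.P224())))
}
```

Running the same checks locally before uploading a CSR surfaces the kind of failure an RAO would otherwise record as a declining reason.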



All the certificate requests related to the user will be listed here. See the following table for the column header descriptions:


Field

Description

Request No

This column displays the unique auto generated request number against each certificate request. Click on it to view the details of the certificate request.

Request Type

This column displays the type of each certificate request, e.g. Server Based, CSR Based, or Smartcard/Token Based, etc.

Server Based: A certificate request that is sent/created to issue the signing keys for a user that can be kept on the server, i.e. a server-side certificate. A server certificate is basically used to identify a server, and allows locked and safe connections from a web server to a browser.

CSR Based: A certificate request that is sent/created to issue a Certificate Signing Request (CSR) based certificate for a user. A Certificate Signing Request (CSR) is an encoded text block that a user (applicant) sends to a Certification Authority to issue them a digital certificate. It comprises the information that needs to be included in the certificate, such as the organization name, common name (domain name), locality, and country. It also contains the public key that will be included in the certificate.

Smartcard/Token Based: A certificate request that is sent/created to issue the signing keys for a user that can be kept inside a user-held smart card or token, i.e. a local/client certificate. A local/client certificate is used to identify a client to a respective user, which means authenticating the client to the server. It is a variant of a digital certificate that is widely used by clients to authenticate systems so that trusted requests go to a remote server.

Device Based: A certificate request that is sent/created to issue the signing keys for a device registered by the user that can be kept inside a user device, e.g. a CISCO router certificate. A device-based certificate is used to identify a device, authenticating the device to the server.

Certificate With Server Held Keys Remote Authorization: A certificate request that is sent/created to issue the signing keys for a user that can be kept inside an HSM. Remote signatures (performed on the server) made with this certificate are authorised using your registered mobile device(s).

Certificate Type

This column displays the purpose/type of each requested certificate, e.g. Document Signing, etc.

Status

This column displays the current status of each certificate request, i.e. Approved, Declined, or Pending. It also shows the date on which the request status was set.

Approved: A certificate request that has been sanctioned by the RA (Registration Authority). Approved requests imply that the certificates have been issued/revoked/renewed against them.

Declined: A certificate request that has been turned down by the RA (Registration Authority). Declined requests imply that certificate issuance has been refused against them.

Pending: A certificate request that has not yet been processed by the RA (Registration Authority). Pending requests imply that the RA (Registration Authority) needs to review the vetting details and take appropriate action (i.e. Approve or Decline) against them.

Draft: A certificate request that has been created but not yet processed by the user. Draft requests imply that the user needs to fill in the vetting details and take appropriate action (i.e. Create, Submit) against them.



1) The certificate will be generated on approval of the request. The user will receive an email and an on-screen notification on approval.

2) An optional message can be added while approving a certificate request; it is later also shown in the body of the certificate approval email notification. For auto approval this option is not shown, whereas in case of dual control the user only receives the message once the second reviewer approves the certificate request.

 

View Issued Certificates 


Once a certificate is approved, it will be shown in the Certificate Center > Issued Certificates list with Issued status. See the following table for details of each column header.


Field

Description

Request No

This column displays the unique auto generated request number against each certificate request. Click on it to view the details of the certificate request.

Full Name

This column displays the full name of each certificate, including the serial number of the certificate.

Certificate Type

This column displays the purpose/type of each requested certificate, e.g. Document Signing, TLS Server Certificate, etc.

Status

This column displays the current status of each certificate, i.e. Issued, Revoked, or Expired.

Issued: A certificate that has been issued or renewed by the RA (Registration Authority). These are the usable certificates.

Revoked: A certificate that has been revoked/cancelled by the RA (Registration Authority). Revoked certificates cannot be used by the users.

Expired: A certificate that has expired as per its configured time period. Expired certificates cannot be used by the users until they are renewed.

Pending Renewal: A certificate request for renewal has been sent to the RA (Registration Authority).

Pending Revocation: A certificate request for revocation has been sent to the RA (Registration Authority).

Expiry Date

This column displays the date on which each certificate will expire.



Certificate Renewal Requests

  1. Click Certificate Center > Issued Certificates from the left menu.
  2. Search for the certificate for which renewal is required, click the icon adjacent to it in the main grid, and select Renew.
  3. A confirmation message will appear. Click YES.
  4. Provide the information required by the RA (Registration Authority) for the renewal process.
  5. Click the RENEW button.
  6. The request will be submitted to the RA (Registration Authority) for certificate renewal.
  7. An email notification will be sent to the RA (Registration Authority) for renewal request approval.
  8. The submitted request can be viewed in Certificate Center > Renewal Requests with Pending status.
  9. The certificate will be renewed on approval of the request. You will receive an email and an on-screen notification.
  10. The request status will be changed to Approved, and the certificate with status Issued will be available in the Certificate Center > Issued Certificates list.



  1. The certificate status in the Issued Certificates list will remain Pending Renewal until the request is approved by the enterprise RAO.
  2. In case of 'no vetting', a certificate with approved status can be revoked from the User Portal without sending a request to the admin.


Certificate Revocation Requests


  1. Click Certificate Center > Issued Certificates from the left menu.
  2. Search for the certificate for which revocation is required, click the icon adjacent to it in the main grid, and select Revoke.
  3. A confirmation message will appear. Click YES.
  4. Provide the information required by the RA (Registration Authority) for the revocation process.
  5. Click the REVOKE button.
  6. The request will be submitted to the RA (Registration Authority) for certificate revocation.
  7. An email notification will be sent to the RA (Registration Authority) for revocation request approval.
  8. The certificate will be revoked on approval of the request. You will receive an email and an on-screen notification.
  9. The request status will be changed to Approved, and the certificate with status Revoked will be available in the Certificate Center > Issued Certificates list.



The certificate status in the Issued Certificates list will remain Pending Revocation until the request is approved by the enterprise RAO.



Access Control Information


Certain rules are followed while managing or viewing the certificate requests list and its related information. These rules are based on the user's type, which includes Enterprise RAOs, Admin RAOs or Administrators.


Roles

Allowed Features

Enterprise RAO

  • A user registered by the enterprise RAO can only view the certification profiles that are meant for enterprise RAOs only, i.e. Admin RAO vetting is set as disabled for allowed profiles in the service plan.
  • Security validations will be performed for an enterprise RAO while creating a request from Certification Center, Virtual ID, Desktop Signing, Device Enrollment or SigningHub Integration.
  • All the above rules and validations are also applicable in case of RESTful APIs.

Admin RAO

  • A user with an admin RAO role can view all the profiles regardless of any configurations.
  • Security validations will be performed for an admin RAO while creating a request from Certification Center, Virtual ID, Desktop Signing, Device Enrollment or SigningHub Integration.
  • All the above rules and validations are also applicable in case of RESTful APIs.

Administrators

  • Administrators can view or manage all certificate requests and their related information.