Policy
Introduction
The Certificate Signing Request (CSR) verification settings enable you to verify key ownership, the signature algorithm, the strength of the key exponent and modulus, Debian weak keys, key lengths and key reuse when a CSR is created on the user's portal.
How it Works?
- To set up CSR validation policies, click on Enable CSR Validation. This reveals further options to configure as validation policies: Key Ownership, Signature Algorithm, Public Key Exponent & Modulus, Debian Weak Key, Public Key Reuse and Key Length.
- When one of these options is selected, that validation policy is checked at the time of CSR generation. If any selected policy is not fulfilled, the certificate generation request cannot be completed.
Once applied, these validation policies are applicable across all applications and are validated whenever a CSR is created.
Enable CSR (Certificate Signing Request) Validation
To configure CSR validation policies, follow these steps:
- Click on verify the key ownership to verify, at the time of CSR generation, that the private key is in the possession of the user who requested the certificate.
- Click on verify the signature algorithms to verify that the signature algorithm is either RSA or ECDSA.
- Click on verify the public key contains valid public exponent and modulus to validate the modulus and public exponent. This validation is based on [NIST SP 800-89].
- Click on verify that Debian weak keys are not used to validate that the CSR keys are not Debian weak keys. Debian weak keys are the result of a bug introduced in the OpenSSL package in 2006. The bug was found in 2008. All keys generated within that period are vulnerable and should not be used.
- Click on verify the public key is not used to validate that the public key has not been used in previously submitted requests or in issued, created or revoked certificates.
- Click on verify key length to validate that the key length is among the allowed key lengths for the algorithm used in the CSR.
1) CSR validation policies are only applied when Enable CSR Validation is set.
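As an added illustration (not the product's own code), the sketch below applies the exponent and modulus, key length and key reuse checks from the steps above to a raw RSA public key (n, e). The thresholds follow the commonly cited NIST SP 800-89 section 5.3.3 checks; they, `ALLOWED_RSA_BITS`, the `fingerprint` helper and the sample modulus are assumptions, since the page does not give the product's configured values.

```python
import hashlib

# Assumed policy values; the product's configured lists are not given on the page.
ALLOWED_RSA_BITS = (2048, 3072, 4096)
SMALL_PRIMES = [p for p in range(3, 752, 2)
                if all(p % d for d in range(3, int(p ** 0.5) + 1, 2))]

def _iroot(n, k):
    """Floor of the k-th root of n, by exact integer binary search."""
    lo, hi = 1, 1 << (n.bit_length() // k + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        lo, hi = (mid, hi) if mid ** k <= n else (lo, mid - 1)
    return lo

def fingerprint(n, e):
    """Hypothetical reuse key: SHA-256 over the hex modulus and exponent."""
    return hashlib.sha256(f"{n:x}:{e:x}".encode()).hexdigest()

def validate_rsa_key(n, e, seen, allowed_bits=ALLOWED_RSA_BITS):
    """Return a list of policy violations; an empty list means the key passes."""
    problems = []
    if n.bit_length() not in allowed_bits:
        problems.append(f"key length {n.bit_length()} not allowed")
    if n % 2 == 0:
        problems.append("modulus is even")
    if any(n % p == 0 for p in SMALL_PRIMES):
        problems.append("modulus has a prime factor below 752")
    if any(_iroot(n, k) ** k == n for k in range(2, n.bit_length() + 1)):
        problems.append("modulus is a perfect power")
    if e % 2 == 0 or not (2 ** 16 < e < 2 ** 256):
        problems.append("public exponent out of range")
    if fingerprint(n, e) in seen:
        problems.append("public key already used")
    return problems

# Constructed sample: product of the Mersenne primes 2^521-1 and 2^607-1 (1128 bits).
SAMPLE_N = (2 ** 521 - 1) * (2 ** 607 - 1)

if __name__ == "__main__":
    seen = set()
    print(validate_rsa_key(SAMPLE_N, 65537, seen))            # fails length only
    print(validate_rsa_key(SAMPLE_N, 65537, seen, (1128,)))   # passes
    seen.add(fingerprint(SAMPLE_N, 65537))
    print(validate_rsa_key(SAMPLE_N, 3, seen, (1128,)))       # small exponent
```

The sample modulus is deliberately not one of the assumed allowed lengths, so with the default policy it is rejected for key length alone while passing every other check.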
Certificate Policy
This setting enables you to renew your certificate. When a certificate is renewed, its expiry date is updated to the new one.