CSR-based Requests
This section explains how to create CSR-based certificate requests in the Web RA application.
- $REQUEST / $PKCS10 / SDN / SAN certificate type using CSR with vetting
- TLS using CSR with CV as None (CAA Records)
Following are a few things to remember with respect to SDNs, SANs and RDNs:
- When a user creates a new certificate request, the SDNs and SANs will be rendered as configured in the certification profile and their values will be auto-filled from the certificate details.
- A user will not be able to change the values of the RDNs if an operator has configured them in the certificate details.
- An operator will see the rendered values in a disabled form.
- If there is an RDN that is added in the certification profile but has not been configured in the user's certificate details, it will be shown as editable in the request form and the user can update its value.
- If no RDN is configured in the user's certificate details, then the request will be generated.
- In case of an error, the user will not be allowed to move to the next step.
Second Factor Authentication
If second-factor authentication is enabled for certificate requests, the configured authentication mechanism operates accordingly. When the user clicks Generate, an authentication window appears. After the selected method is successfully verified, the certificate is generated.
The authentication mechanism can be one of the following:
- SMS OTP Authentication
- Email OTP Authentication
- Email & SMS Authentication
- SAML Authentication
- Active Directory Authentication
- Azure Active Directory Authentication
- OIDC Authentication
Request Notes
If an operator has added a customised Request Note to certificate requests for a specific enterprise, it will appear in all types of certificate requests: issued, rekey, revoked, renewed and reissued. The Request Notes appear only on the screens against which the operator has customised them.
An operator can configure Request Notes from the Enterprise Request Notes section in the Admin portal.
The following steps describe how to create a request for “$REQUEST / $PKCS10 / SDN / SAN” certificate type using CSR with vetting:
In the web portal, navigate to Certificate Center > Certificate Requests from the left menu tree.

Click on the ‘+’ plus button in the listing header to create a new certificate request. The system will display the ‘Create Request’ screen.

On this screen, select the ‘Certificate Type’ and click ‘Create’.
The system will display the ‘Welcome Note’ screen.

Enable the checkbox with the text ‘I allow the use of my data for processing certificate application by (Enterprise Name)’ and click the ‘>’ next button to continue.
Note: The Welcome Note screen will only appear if the operator has enabled customised Request Notes in the ‘Notification’ section of the Enterprise the user belongs to.
After you click ‘Next’, the system will display the ‘Certificate Signing Request (CSR)’ screen. Here, you will be required to either upload a CSR or paste the file in the given box.

After uploading the CSR, the following screen will appear.

You can click on the eye icon to view the details of the CSR. The details will appear in a dialog as displayed below:

You can scroll down the dialog to view the complete details inside the CSR.
Click ‘Next’ to navigate to the ‘Subject Distinguished Name (SDNs)’ screen. The SDN fields will be auto-filled according to the details in the uploaded CSR.

After reviewing the information, click ‘Next’. The ‘Subject Alternative Name (SANs)’ screen will appear.
It contains the following fields:
- DNS Name
- IP Address
- Email Address
In the ‘Other Name’ section, the following fields will appear:
- OID
- Value
- Encoding
Note: If the Email Validation checkbox is enabled in the Configurations module and an email address is present in the RFC822Name field of the Subject Alternative Names (SAN), the ownership verification screen will require you to complete email validation before generating the certificate.

Click ‘Next’ to navigate to the ‘Certificate Validity’ screen.
The validity period will appear in a disabled form. Click 'Generate' to create the certificate.

After clicking ‘Generate’, the system will display a subscriber agreement.
Note: The Subscriber Agreement dialog will only appear if the settings have been configured with this user profile.
Click ‘I Agree’ to proceed.

The system will generate the certificate and download it to your computer. You can find the certificate in the 'Downloads' folder on your computer. The certificate request will also be displayed in the 'Certificate Requests' listing.

If you close the 'Certificate Generated' window, the following screen will appear.

On this screen, you will have the option to download, provision the certificate, or revoke the certificate using the respective buttons. You can also click the 'More Actions' button to perform additional actions (such as rekeying the certificate) if required.
When you click on Provision, the Provision dialog will appear on the screen.

Choose the required option from the 'Provision' dropdown and click the Provision button. The certificate will then be provisioned.
When you click the 'Download' button, the 'Download Certificate' dialog appears. From this dialog, you can choose to download either the certificate only or the certificate PFX.

If you click on the 'Download Certificate PFX' radio button, the dialog will display Password and Confirm Password fields. Type in the required password and click 'OK'.

Note: If the ‘Enable one-time PFX download’ option is enabled in the Certification Profile, the PFX can only be downloaded once. If the option is disabled, the PFX can be downloaded multiple times.
When you click the 'Revoke Certificate' button, the 'Certificate Action' screen appears. On this screen, you must select a reason for revoking the certificate from the 'Certificate Revocation Reason' dropdown and, if required, enter a message in the optional message box.
Before revoking a certificate, you must select the 'Are you sure you want to revoke this certificate' checkbox. Then, click 'Revoke' to proceed with the revocation.

The following steps describe how to create a certificate request for “TLS using CSR with CV as None (CAA Records)” certificate type.
In the web portal, expand the ‘Certificate Center’ tab from the left menu pane and click on the ‘Certificate Requests’ option.

Click on the ‘+’ plus button in the listing header to create a new certificate request. The system will display the ‘Create Request’ screen.

On this screen, select the ‘Certificate Type’ from the given dropdown field and click ‘Create’.
The system will display the ‘Welcome Note’ screen.

Enable the checkbox with the text ‘I allow the use of my data for processing certificate application by (Enterprise Name)’ and click the ‘>’ next button to continue.
Note: The Welcome Note screen will only appear if the operator has enabled customised Request Notes in the ‘Notification’ section of the Enterprise the user belongs to.
After you click ‘Next’, the system will display the ‘Certificate Signing Request (CSR)’ screen. Here, you will be required to either upload a CSR or paste the file in the given box.

After uploading the CSR, the following screen will appear.

Click the next ‘>’ button to navigate to the ‘Subject Distinguished Name (SDN)’ screen.

The SDN fields will be auto-filled according to the details in the uploaded CSR. After reviewing the information, click the next button to navigate to the ‘Subject Alternative Name (SAN)’ screen.

Review and update the information in this screen as required. Then click ‘>’ to proceed to the next section.
Note: If the Email Validation checkbox is enabled in the Configurations module and an email address is present in the RFC822Name field of the Subject Alternative Names (SAN), the ownership verification screen will require you to complete email validation before generating the certificate.

The ‘Certificate Validity’ screen will appear. The validity period will be displayed in a disabled form.
Click the next button to navigate to the ‘Ownership Verification’ screen.

The ‘Domain Verification Status’ will appear as Unverified. Click the ‘Verify’ button.
If the CAA records you configured in the Enterprise Domain configurations match the CA record you entered in the DNS entry, the Domain Verification Status will appear as Verified, as displayed below:

If the CAA records you configured in the Enterprise Domain configurations do not match the CA record you entered in the DNS entry, the Domain Verification Status will appear as Unverified, as displayed below:

If the status is Verified, click Generate to process the certificate. The Certificate Generated confirmation message will appear, as displayed below:

DNSSEC Verification
An additional check for DNSSEC verification has been enabled for all certificate types in Web RA. This feature is automatically enabled in the system and adds a DNSSEC check for domain validation and Certificate Authority Authorisation (CAA) verification during certificate request creation.
If DNSSEC is enabled and correctly configured for the domain, the system validates the domain’s DNSSEC signature during certificate request processing. If the signature is valid and the domain verification is successful, the certificate request is processed successfully and the system displays a ‘Verified’ status for DNSSEC verification.

If DNSSEC is not enabled for the domain, DNSSEC verification will not be performed and the certificate will be generated without it.
However, if DNSSEC is enabled but the verification fails, the system displays an error on the screen.
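Added example (not part of the original page and not Web RA code): when the Ownership Verification step returns Unverified, it helps to work out what the domain's CAA records actually permit. The sketch below applies the standard RFC 8659 rules (tree climbing, issue/issuewild, critical flag) to a constructed record set. How Web RA itself compares records is not documented here, and the names ZONE, caa_permits and ca.example.net are hypothetical.

```python
# Added example: RFC 8659 CAA evaluation over constructed records (not Web RA code).
# ZONE maps an FQDN to its CAA RRset as (flags, tag, value) tuples; all data is constructed.
ZONE = {
    "example.com": [(0, "issue", "ca.example.net"), (0, "issuewild", ";"),
                    (0, "iodef", "mailto:security@example.com")],
    "shop.example.com": [(0, "issue", "other-ca.example.org; account=1234")],
    "example.org": [(128, "futuretag", "x")],   # unknown tag with the critical bit set
}
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def relevant_rrset(fqdn, zone):
    """Climb from fqdn towards the root and return the first non-empty CAA RRset."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        if zone.get(name):
            return name, zone[name]
    return None, []


def issuer_of(value):
    """Issuer domain name is the part before any ';' parameters; empty means 'nobody'."""
    return value.split(";", 1)[0].strip().lower()


def caa_permits(name, ca_domain, zone=ZONE):
    """Return (allowed, reason) for issuing a certificate for `name` by `ca_domain`."""
    wildcard = name.startswith("*.")
    found_at, rrset = relevant_rrset(name[2:] if wildcard else name, zone)
    if not rrset:
        return True, "no CAA records on the name or any parent"
    for flags, tag, _ in rrset:
        if flags & 0x80 and tag.lower() not in KNOWN_TAGS:
            return False, f"critical unknown tag '{tag}' at {found_at}"
    issue = [issuer_of(v) for _, t, v in rrset if t.lower() == "issue"]
    issuewild = [issuer_of(v) for _, t, v in rrset if t.lower() == "issuewild"]
    # For wildcard names issuewild replaces issue when present; otherwise issue applies.
    applicable = issuewild if (wildcard and issuewild) else issue
    if not applicable:
        return True, f"CAA at {found_at} has no tag restricting this request"
    if ca_domain.lower() in applicable:
        return True, f"{ca_domain} authorised at {found_at}"
    return False, f"{ca_domain} not listed at {found_at}"


if __name__ == "__main__":
    for n in ("www.example.com", "*.example.com", "shop.example.com", "example.org"):
        print(n, caa_permits(n, "ca.example.net"))
```

A CAA record on a subdomain replaces the parent's record rather than adding to it, which is a common reason a SAN entry fails while the apex domain passes.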
