This section explains how to create certificate requests for the S/MIME certificate type in the Web RA application.


S/MIME certificate requests with None validation type

S/MIME certificate requests with Mailbox validation type

S/MIME certificate requests with Organisation validation type

S/MIME certificate requests with Sponsor validation type

S/MIME certificate requests with CAA records verification


S/MIME certificate requests with None validation type


The following steps describe how to create an S/MIME certificate request with the None validation type.


Expand Requests > Certificate Requests from the Admin portal to navigate to the Certificate Requests listing screen. 



Click the + button in the grid header to access the Create Request screen. Select the Enterprise name from the dropdown, choose the Certificate Type, and click 'Create'.



The system will display the Certificate Signing Request (CSR) screen. Here, you can either upload a CSR or paste it into the ‘Paste Certificate Signing Request (CSR)’ box.



Once the CSR is uploaded, the following screen will be displayed.



You can click the Eye icon to see the details of the uploaded CSR. It contains all the SDNs, SANs, etc.




Click the next '>' button to navigate to the 'Subject Distinguished Name (SDN)' screen. Here, review or update the information in the fields as required, then click the next ‘>’ button to proceed. 



The Subject Alternative Name (SAN) screen will appear. Here, review or update the information in the fields as required.



After completing the SAN section, click the next ‘>’ button to proceed. The 'Certificate Validity' screen will appear.



Click the 'Generate' button to create the certificate. The certificate will be created and the system will display the 'Certificate generated' alert on the screen.



Note: If Certification Authority Authorisation (CAA) Records is enabled in the Enterprise Domain Settings, CAA record verification is required in the Ownership Verification section. When CAA record verification is enabled and the None validation type is selected, the system performs only CAA verification before generating the certificate. Ensure that the domain in the DNS and Email Address fields of the SAN are the same. If they differ, the system displays an error on the SAN screen and does not allow you to proceed. For more details, see how CAA Record Verification is performed.
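The same-domain rule for the SAN described in the note above can be checked on a CSR before it is uploaded. The following is an added example, not part of Web RA or its documentation: it parses the text produced by `openssl req -noout -text -in request.csr` and reports any DNS entry whose domain differs from the email domain. The sample texts are constructed, and exact equality after normalisation is an assumption about what "the same" means.

```python
import re

# Constructed sample: SAN section of `openssl req -noout -text -in request.csr`.
MATCHING_CSR_TEXT = """\
            Requested Extensions:
                X509v3 Subject Alternative Name:
                    email:Alice.Smith@Mail.Example.com, DNS:mail.example.com.
"""
# Constructed sample whose DNS entry is on a different domain than the mailbox.
MISMATCHED_CSR_TEXT = """\
            Requested Extensions:
                X509v3 Subject Alternative Name:
                    email:alice@example.com, DNS:mail.example.com
"""


def normalise_domain(name):
    """Lower-case, drop a trailing dot and convert IDN labels to A-labels."""
    name = name.strip().rstrip(".").lower()
    return name.encode("idna").decode("ascii")


def parse_san(csr_text):
    """Return (emails, dns_names) from the SAN line of an OpenSSL text dump."""
    emails, dns_names = [], []
    match = re.search(
        r"X509v3 Subject Alternative Name:[^\n]*\n\s*([^\n]+)", csr_text)
    if match:
        for entry in match.group(1).split(","):
            kind, _, value = entry.strip().partition(":")
            if kind == "email":      # rfc822Name
                emails.append(value)
            elif kind == "DNS":      # dNSName
                dns_names.append(value)
    return emails, dns_names


def san_domain_problems(csr_text):
    """List the reasons the SAN would fail the same-domain rule (empty = OK)."""
    emails, dns_names = parse_san(csr_text)
    problems, email_domains = [], set()
    if not emails:
        problems.append("SAN has no email (rfc822Name) entry")
    for email in emails:
        local, at, domain = email.rpartition("@")
        if not (local and at and domain):
            problems.append(f"malformed email address: {email!r}")
        else:
            email_domains.add(normalise_domain(domain))
    for dns in dns_names:
        # Assumption: "the same" means exact equality after normalisation,
        # so a subdomain or parent domain counts as a mismatch.
        if email_domains and email_domains != {normalise_domain(dns)}:
            problems.append(
                f"DNS name {dns!r} does not match email domain(s) "
                f"{sorted(email_domains)}")
    return problems


if __name__ == "__main__":
    for label, text in (("matching", MATCHING_CSR_TEXT),
                        ("mismatched", MISMATCHED_CSR_TEXT)):
        print(label, san_domain_problems(text) or "OK")
```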


S/MIME certificate requests with Mailbox validation type


The following steps describe how to create an S/MIME certificate request with the Mailbox validation type.


Expand Requests > Certificate Requests from the Admin portal to navigate to the Certificate Requests listing screen.



Click the + button in the grid header to access the Create Request screen. Select the Enterprise name from the dropdown, choose the Certificate Type, and click 'Create'.



The system will display the Certificate Signing Request (CSR) screen. Here, you can either upload a CSR or paste it into the ‘Paste Certificate Signing Request (CSR)’ box.



Once the CSR is uploaded, it will appear in the CSR field. You can view the details of the CSR by clicking the Eye icon. It contains all the SDNs, SANs, etc.




Click the next '>' button to navigate to the 'Subject Distinguished Name (SDN)' screen. Here, review or update the information in the fields as required, then click the next ‘>’ button to proceed. 



The Subject Alternative Name (SAN) screen will appear. Here, review or update the information in the fields as required.



After completing the SAN section, click the next ‘>’ button to proceed. The 'Certificate Validity' screen will appear.



Click the next '>' button to navigate to the 'Ownership Verification' screen. The system will display the 'Email Validation' section on the screen. If the ‘Mailbox’ validation type is configured in the certification profile, email verification is required on the Ownership Verification screen.


 

To verify the email address, click the ‘Verify’ button in the Action column. An ‘Email Validation’ dialog will appear on the screen, and a Token will be sent to the specified email address. 




Enter the token you received in your email in the ‘Token’ field, then click ‘Verify’. If the provided token is correct, the system will display the ‘Verified’ status for the email address.



After successful verification, click the ‘Generate’ button to create the certificate. The system will create the certificate and display the 'Certificate generated' alert on the screen.



Note: If Certification Authority Authorisation (CAA) Records is enabled in the Enterprise Domain Settings, CAA record verification is required in the Ownership Verification section. When CAA record verification is enabled and the Mailbox validation type is selected, the system performs both Email validation and CAA record verification before generating the certificate. Ensure that the domain in the DNS and Email Address fields of the SAN are the same. If they differ, the system displays an error on the SAN screen and does not allow you to proceed. For more details, see how CAA Record Verification is performed.


S/MIME certificate requests with Organisation validation type


The following steps describe how to create an S/MIME certificate request with the Organisation validation type.


Expand Requests > Certificate Requests from the Admin portal to navigate to the Certificate Requests listing screen. 



Click the + button in the grid header to access the Create Request screen. Select the Enterprise name from the dropdown, choose the Certificate Type, and click 'Create'.



The system will display the Certificate Signing Request (CSR) screen. Here, you can either upload a CSR or paste it into the ‘Paste Certificate Signing Request (CSR)’ box.



Once the CSR is uploaded, it will appear in the CSR field. 



You can view the details of the CSR by clicking the Eye icon. It contains all the SDNs, SANs, etc.




Click the next '>' button to navigate to the 'Subject Distinguished Name (SDN)' screen. Here, review or update the information in the fields as required, then click the next ‘>’ button to proceed. 



The Subject Alternative Name (SAN) screen will appear. Here, review or update the information in the fields as required.



Note: If the Domain Names (DNS) field is present in the SAN, ensure that the domain in the DNS and Email Address fields are the same. If the domains differ, the system displays an error and does not allow you to proceed.



After completing the SAN section, click the next ‘>’ button to proceed. The 'Certificate Validity' screen will appear.



Click the next '>' button to navigate to the 'Ownership Verification' screen. The system will display the 'Domain Verification' section on the screen. If the ‘Organisation’ validation type is configured in the certification profile, the ownership verification screen will require you to complete domain verification. 



For domain verification, the system extracts the organisation domain from the email address in the RFC822Name field. If the Domain Names (DNS) field is present in the SAN, the system matches the domain in the DNS field with the domain in the RFC822Name field. The system will match the domain in the SAN section, as mentioned in the steps above.


Domain verification can be performed either by uploading a file or by adding a TXT record. 


Note: The action (Upload a File or TXT Record) through which domain verification can be performed is configured in the certification profile. The operator may select one or both methods for domain verification. You can use either method to verify your domain. For more details about how the method is selected, navigate to the ‘Certification Profiles’ section.


Upload a File


Click the ‘Upload a File’ button. The system will display the ‘Upload a File’ dialog, which contains instructions on how to verify the domain using this method. 



TXT Record


Click the ‘TXT Record’ button. The system will display the ‘TXT Record’ dialog, which contains instructions on how to verify the domain using this method. 



After selecting the required method from the two mentioned above, click the 'Verify' button. If all steps are completed correctly, the ‘Verified’ status will appear for the entered domain. You can then generate the certificate by clicking the 'Generate' button. 



Note: If Certification Authority Authorisation (CAA) Records is enabled in the Enterprise Domain Settings, CAA record verification is required in the Ownership Verification section. When CAA record verification is enabled and the Organisation validation type is selected, the system performs both domain verification and CAA record verification before generating the certificate. Ensure that the domain in the DNS and Email Address fields of the SAN are the same. If they differ, the system displays an error on the SAN screen and does not allow you to proceed. For more details, see how CAA Record Verification is performed.


DNSSEC Verification


An additional check for DNSSEC verification has been enabled for all certificate types in Web RA. This feature is automatically enabled in the system and adds a DNSSEC check for domain validation and Certificate Authority Authorisation (CAA) verification during certificate request creation.

 

If DNSSEC is enabled and correctly configured for the domain, the system validates the domain’s DNSSEC signature during certificate request processing. If the signature is valid and the domain verification is successful, the certificate request is processed successfully and the system displays a ‘Verified’ status for DNSSEC verification.



If DNSSEC is not enabled for the domain, DNSSEC verification will not be performed and the certificate will be generated without it.

 

However, if DNSSEC is enabled but the verification fails, the system displays an error on the screen.



Open MPIC Validation


If Open MPIC Validation is enabled in the certification profile, Open MPIC will also perform domain validation and CAA verification (if enabled in Enterprise domain settings) during certificate generation.


The domain will be verified by the Open MPIC perspectives. If the domain verification meets the minimum quorum count specified in the Open MPIC connector, the user will be able to generate the certificate. For more details about Open MPIC connector, refer to the Connectors section.


After domain verification is performed by Open MPIC, the system will display a Verified status for the specified domain.



To view the Open MPIC perspective details, click the ‘View’ button next to 'Perspective Details'. The system will display the ‘Perspective Details’ dialog on the screen.



To view the Request and Response details, click the 'View' button. The system will display the 'Request and Response Details' dialog. You can view both Request and Response details from their respective tabs.



Note: If Open MPIC is enabled and DNSSEC Verification fails, the error will be displayed on the screen.



S/MIME certificate requests with Sponsor validation type


The following steps describe how to create an S/MIME certificate request with the Sponsor validation type.


Expand Requests > Certificate Requests from the Admin portal to navigate to the Certificate Requests listing screen. 



Click the + button in the grid header to access the Create Request screen. Select the Enterprise name from the dropdown, choose the Certificate Type, and click 'Create'.



The system will display the Certificate Signing Request (CSR) screen. Here, you can either upload a CSR or paste it into the ‘Paste Certificate Signing Request (CSR)’ box.



Once the CSR is uploaded, it will appear in the CSR field. 



You can view the details of the CSR by clicking the Eye icon. It contains all the SDNs, SANs, etc.




Click the next '>' button to navigate to the 'Subject Distinguished Name (SDN)' screen. Here, review or update the information in the fields as required, then click the next ‘>’ button to proceed. 



The Subject Alternative Name (SAN) screen will appear. Here, review or update the information in the fields as required.



Note: If the Domain Names (DNS) field is present in the SAN, ensure that the domain in the DNS and Email Address fields are the same. If the domains differ, the system displays an error and does not allow you to proceed.



After completing the SAN section, click the next ‘>’ button to proceed. The 'Certificate Validity' screen will appear.



Click the next '>' button to navigate to the 'Ownership Verification' screen. The system will display the Email Validation and the Domain Verification sections on the screen. If the ‘Sponsor’ validation type is configured in the certification profile, the ownership verification screen will require you to complete both verifications before generating the certificate.



Email Validation


To verify the email address, click the ‘Verify’ button in the Action column. An ‘Email Validation’ dialog will appear on the screen, and a Token will be sent to the specified email address. 




Enter the token you received in your email in the ‘Token’ field, then click ‘Verify’. If the provided token is correct, the system will display the ‘Verified’ status for the email address.



After verifying the email address, you must verify the domain. 


For domain verification, the system extracts the organisation domain from the email address in the RFC822Name field. If the Domain Names (DNS) field is present in the SAN, the system matches the domain in the DNS field with the domain in the RFC822Name field. The system will match the domain in the SAN section, as mentioned in the steps above.


Domain verification can be performed either by uploading a file or by adding a TXT record. 


Note: The action (Upload a File or TXT Record) through which domain verification can be performed is configured in the certification profile. The operator may select one or both methods for domain verification. You can use either method to verify your domain. For more details about how the method is selected, navigate to the ‘Certification Profiles’ section.


Upload a File


Click the ‘Upload a File’ button. The system will display the ‘Upload a File’ dialog, which contains instructions on how to verify the domain using this method. 



TXT Record


Click the ‘TXT Record’ button. The system will display the ‘TXT Record’ dialog, which contains instructions on how to verify the domain using this method.



After selecting the required method from the two mentioned above, click the 'Verify' button. If all steps are completed correctly, the ‘Verified’ status will appear for the entered domain.



After the verification is complete, you can click the 'Generate' button to create the certificate request.


Note: If Certification Authority Authorisation (CAA) Records is enabled in the Enterprise Domain Settings, CAA record verification is required in the Ownership Verification section. When CAA record verification is enabled and the Sponsor validation type is selected, the system performs email validation, domain verification and CAA record verification before generating the certificate. Ensure that the domain in the DNS and Email Address fields of the SAN are the same. If they differ, the system displays an error on the SAN screen and does not allow you to proceed. For more details, see how CAA Record Verification is performed.


DNSSEC Verification


An additional check for DNSSEC verification has been enabled for all certificate types in Web RA. This feature is automatically enabled in the system and adds a DNSSEC check for domain validation and Certificate Authority Authorisation (CAA) verification during certificate request creation.

 

If DNSSEC is enabled and correctly configured for the domain, the system validates the domain’s DNSSEC signature during certificate request processing. If the signature is valid and the domain verification is successful, the certificate request is processed successfully and the system displays a ‘Verified’ status for DNSSEC verification.



If DNSSEC is not enabled for the domain, DNSSEC verification will not be performed and the certificate will be generated without it.

 

However, if DNSSEC is enabled but the verification fails, the system displays an error on the screen.



Open MPIC Validation


If Open MPIC Validation is enabled in the certification profile, Open MPIC will also perform domain validation and CAA verification (if enabled in Enterprise domain settings) during certificate generation.


The domain will be verified by the Open MPIC perspectives. If the domain verification meets the minimum quorum count specified in the Open MPIC connector, the user will be able to generate the certificate. For more details about Open MPIC connector, refer to the Connectors section.


After domain verification is performed by Open MPIC, the system will display a Verified status for the specified domain.



To view the Open MPIC perspective details, click the ‘View’ button next to 'Perspective Details'. The system will display the ‘Perspective Details’ dialog on the screen.



To view the Request and Response details, click the 'View' button. The system will display the 'Request and Response Details' dialog. You can view both Request and Response details from their respective tabs.



Note: If Open MPIC is enabled and DNSSEC Verification fails, the error will be displayed on the screen.



CAA Record Verification


If Certification Authority Authorisation (CAA) Records is enabled in the Enterprise Domain Settings, CAA record verification is required in the Ownership Verification section. 


The following steps describe how CAA record verification is performed during S/MIME certificate request creation.


Expand Requests > Certificate Requests from the Admin portal to navigate to the Certificate Requests listing screen. 



Click the + button in the grid header to access the Create Request screen. Select the Enterprise name from the dropdown, choose the Certificate Type, and click 'Create'.



A checkbox titled ‘Generate a certificate on behalf of the user’ will appear on this screen if the policy for this option is enabled in the Enterprise > Policies section. 



The system will display the Certificate Signing Request (CSR) screen. Here, you can either upload a CSR or paste it into the ‘Paste Certificate Signing Request (CSR)’ box.



Once the CSR is uploaded, it will appear in the CSR field. You can view the details of the CSR by clicking the Eye icon.



Click the next '>' button to navigate to the 'Subject Distinguished Name (SDN)' screen. Review or update the information in the fields as required, then click the next ‘>’ button to proceed.



The Subject Alternative Name (SAN) screen will appear. Here, review or update the information in the fields as required.



Ensure that the domain in the Domain Names (DNS) and Email Address fields are the same. If the domains differ, the system displays an error and does not allow you to proceed. 



After completing the SAN section, click the next ‘>’ button to proceed. The 'Certificate Validity' screen will appear.



Click the next '>' button to navigate to the 'Ownership Verification' screen. 


The Domain Verification Status will appear 'Unverified'. Click 'Verify' to proceed.



If the CAA records configured in the Enterprise Domain configurations match the domain of the entered email, the Domain Verification Status will appear as Verified.



If the status is Verified, click 'Generate' to process the certificate. The certificate will be generated and downloaded to your computer.


Meanwhile, if the CAA records configured in the Enterprise Domain configurations do not match the domain of any entered email, the Domain Verification Status will appear as ‘Unverified’.


The unverified domain name will appear in red text under the ‘Details’ column.



If no CAA record is present, any CA is allowed to issue a certificate for the domain. If a CAA record is present, only the CAs listed in the record(s) are allowed to issue certificates for that hostname.
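The CAA rule above, worked through as an added example (not Web RA code or part of the product documentation): it uses the standard CAA lookup from RFC 8659 and the issuemail property that RFC 9495 defines for email certificates. The record set and the issuer names ca.example and otherca.example are constructed; how Web RA matches the records configured in the Enterprise Domain Settings may differ.

```python
# Constructed CAA data standing in for DNS answers: name -> [(flags, tag, value)].
# "ca.example" and "otherca.example" are placeholder issuer domain names.
CAA_RECORDS = {
    "example.com": [(0, "issue", "otherca.example"),
                    (0, "issuemail", "ca.example")],
    "closed.example": [(0, "issuemail", ";")],             # no CA may issue
    "webonly.example": [(0, "issue", "otherca.example")],  # TLS rule only
    "strict.example": [(128, "futuretag", "x")],           # critical, unknown tag
}
KNOWN_TAGS = {"issue", "issuewild", "issuemail", "iodef"}


def relevant_rrset(domain, records):
    """RFC 8659 lookup: walk from the domain towards the root and return the
    first name that has CAA records, together with those records."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        if records.get(name):
            return name, records[name]
    return None, []


def issuer_domain(value):
    """Issuer domain name is the text before any ';' parameters ('' = nobody)."""
    return value.split(";", 1)[0].strip().lower()


def may_issue_smime(email, ca_id, records):
    """Return (allowed, reason) for issuing an S/MIME certificate for email."""
    domain = email.rpartition("@")[2]
    name, rrset = relevant_rrset(domain, records)
    if not rrset:
        return True, "no CAA record: any CA may issue"
    for flags, tag, _ in rrset:
        # Bit 0x80 is the issuer-critical flag: an unknown critical property
        # blocks issuance.
        if flags & 0x80 and tag.lower() not in KNOWN_TAGS:
            return False, f"critical unknown property {tag!r} at {name}"
    allowed = {issuer_domain(v) for _, tag, v in rrset
               if tag.lower() == "issuemail"}
    if not allowed:
        return True, f"CAA at {name} has no issuemail property: not restricted"
    if ca_id.lower() in allowed:
        return True, f"{ca_id} is listed in issuemail at {name}"
    return False, f"{ca_id} is not listed in issuemail at {name}"


if __name__ == "__main__":
    for addr in ("alice@dept.example.com", "bob@closed.example",
                 "carol@webonly.example", "dave@strict.example",
                 "erin@nocaa.example"):
        print(addr, may_issue_smime(addr, "ca.example", CAA_RECORDS))
```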


DNSSEC Verification


An additional check for DNSSEC verification has been enabled for all certificate types in Web RA. This feature is automatically enabled in the system and adds a DNSSEC check for domain validation and Certificate Authority Authorisation (CAA) verification during certificate request creation.

 

If DNSSEC is enabled and correctly configured for the domain, the system validates the domain’s DNSSEC signature during certificate request processing. If the signature is valid and the domain verification is successful, the certificate request is processed successfully and the system displays a ‘Verified’ status for DNSSEC verification.



If DNSSEC is not enabled for the domain, DNSSEC verification will not be performed and the certificate will be generated without it.

 

However, if DNSSEC is enabled but the verification fails, the system displays an error on the screen.



Open MPIC Validation


If Open MPIC Validation is enabled in the certification profile, Open MPIC will also perform domain validation and CAA verification (if enabled in Enterprise domain settings) during certificate generation.


The domain will be verified by the Open MPIC perspectives. If the domain verification meets the minimum quorum count specified in the Open MPIC connector, the user will be able to generate the certificate. For more details about Open MPIC connector, refer to the Connectors section.


After domain verification is performed by Open MPIC, the system will display a Verified status for the specified domain.



To view the Open MPIC perspective details, click the ‘View’ button next to 'Perspective Details'. The system will display the ‘Perspective Details’ dialog on the screen.



To view the Request and Response details, click the 'View' button. The system will display the 'Request and Response Details' dialog. You can view both Request and Response details from their respective tabs.



Note: If Open MPIC is enabled and DNSSEC Verification fails, the error will be displayed on the screen.



If the ‘Generate a certificate on behalf of the user’ checkbox is enabled, the system will display an additional screen titled ‘User Information’ next to the 'Ownership Verification' screen.



On the 'User Information' screen, you will be required to enter/select the Name, Email, Citizen ID, Mobile Number, and Role of the user for whom the certificate is being generated. 


After entering the details, click ‘Approve’. The system will then display a subscriber agreement configured for this user's profile. 


When you agree to the subscriber agreement, the system will create an account for the user and generate the certificate. The user will receive an email about the account and certificate creation and will be prompted to activate their account.


If the certificate is being created for a user who does not exist in the system, a new account will be created for the user along with the certificate. 


If the user already has a registered account in the WebRA system, only the certificate will be created. The user will be notified via email about the certificate generation.


Meanwhile, if the user exists in the system but is not part of the enterprise where the certificate is being created, the system will send an invitation for the user to join that enterprise and will generate the certificate as well.