This section explains how to create certificate requests for the S/MIME certificate type in the Web RA application.


S/MIME certificate requests with Mailbox Validation

S/MIME certificate requests with Domain Validation

S/MIME certificate requests with Domain and Mailbox Validation

S/MIME certificate requests with CAA records verification


The following points apply to Subject Distinguished Names (SDNs), Subject Alternative Names (SANs) and Relative Distinguished Names (RDNs):


  • When a user creates a new certificate request, the SDN and SAN fields are rendered as configured in the certification profile, and their values are auto-filled from the user's certificate details.

  • A user cannot change the value of an RDN that an operator has configured in the certificate details.

  • Such pre-configured values are displayed in disabled (read-only) fields.

  • If an RDN is included in the certification profile but has not been configured in the user's certificate details, it is shown as editable in the request form and the user can enter its value.

  • If no RDN is configured in the user's certificate details, the request is still generated; all RDN fields are then editable in the form.

  • If a validation error occurs, the user cannot move to the next step.


Second-Factor Authentication


If second-factor authentication is enabled for certificate requests, the configured mechanism is invoked when the user clicks Generate: an authentication window appears, and the certificate is generated only after the selected method has been successfully verified.


The authentication mechanism can be one of the following:


  • SMS OTP Authentication 
  • Email OTP Authentication 
  • Email & SMS Authentication
  • SAML Authentication 
  • Active Directory Authentication 
  • Azure Active Directory Authentication
  • OIDC Authentication 


Request Notes


If an operator has added a customised Request Note for a specific enterprise, it can appear on every kind of certificate request screen (issue, rekey, revoke, renew and reissue), but only on those screens for which the operator has configured it.


An operator can configure Request Notes from the Enterprise Request Notes section in the Admin portal.


S/MIME certificate requests with Mailbox Validation


The following steps describe how to create an S/MIME certificate request if Mailbox validation is enabled in the certification profile.


Expand Certificate Center > Certificate Requests to navigate to the Certificate Requests listing screen.



Click the + button to create a new certificate request. 


The create request screen will appear. On this screen, select the required ‘Certificate Type’ from the dropdown, and click ‘Create’.



The system will display the Certificate Signing Request (CSR) screen. Here, you can either upload a CSR or paste it into the ‘Paste Certificate Signing Request (CSR)’ box. A CSR carries the public key and the requested names, signed with the corresponding private key; generate the key pair on your own system, because the private key itself is never uploaded.



Once the CSR is uploaded, it will appear in the CSR field. You can view the details of the CSR by clicking the Eye icon.


Click the next '>' button to navigate to the 'Subject Distinguished Name (SDN)' screen. Review or update the information in the fields as required, then click the next ‘>’ button to proceed.



The Subject Alternative Name (SAN) screen will appear. 


Enter the email address in the mandatory field. If you need to add multiple email addresses, enter each address and press Enter. Populate any other available fields as required.



After entering the information in the SAN section, click the next ‘>’ button to proceed. The 'Certificate Validity' screen will appear.



Click the next '>' button to navigate to the 'Ownership Verification' screen. The system will display the 'Email Validation' section on the screen. 


Note: If you enter an email address that has already been validated, the Ownership Verification screen displays a Verified status for that email address. You are not required to verify the email address again until its validation period expires, as defined by the configured Mailbox Validation Period in the Certification Profile.


If, however, you enter an email address that has not been validated before, you must complete the ownership verification process before the certificate request can proceed.



To verify the email address, click the ‘Verify’ button in the Action column. An ‘Email Validation’ dialog will appear on the screen, and a Token will be sent to the specified email address. 




Enter the token you received in your email in the ‘Token’ field, then click ‘Verify’. If the provided token is correct, the system will display the ‘Verified’ status for the email address.



After successful verification, click the ‘Generate’ button to create the certificate.



Note: If Certification Authority Authorisation (CAA) Records is enabled in the Enterprise Domain Settings, CAA record verification is required in the Ownership Verification section. When CAA record verification is enabled and the Mailbox validation type is selected, the system performs both Email validation and CAA record verification before generating the certificate. Ensure that the domain in the DNS and Email Address fields of the SAN are the same. If they differ, the system displays an error on the SAN screen and does not allow you to proceed. For more details, see how CAA Record Verification is performed.


S/MIME certificate requests with Domain Validation


The following steps describe how to create an S/MIME certificate request if Domain validation is enabled in the certification profile.


Expand Certificate Center > Certificate Requests to navigate to the Certificate Requests listing screen.



Click the + button to create a new certificate request. 


The create request screen will appear. On this screen, select the required ‘Certificate Type’ from the dropdown, and click ‘Create’.



The system will display the Certificate Signing Request (CSR) screen. Here, you can either upload a CSR or paste it into the ‘Paste Certificate Signing Request (CSR)’ box.



Once the CSR is uploaded, it will appear in the CSR field. You can view the details of the CSR by clicking the Eye icon.



Click the next '>' button to navigate to the 'Subject Distinguished Name (SDN)' screen. Review or update the information in the fields as required, then click the next ‘>’ button to proceed.



The Subject Alternative Name (SAN) screen will appear. On this screen, the behaviour of the Domain Names (DNS) field depends on the configured Enterprise Policy settings.

 

If the 'Allow Only Enterprise-Approved Domains' policy is enabled in the Enterprise, the Domain Names (DNS) field is displayed as a dropdown list. In this case, users can only select an enterprise-approved domain from the available options. The dropdown list displays only active and verified domains configured for the Enterprise.



Alternatively, if the 'Assign Each Domain to a Single User' policy is enabled in the Enterprise, users can either select an enterprise-approved domain or enter a new domain in the Domain Names (DNS) field.

 

To select a pre-approved domain, click the Domain Names (DNS) field and select the required domain from the list. Alternatively, to enter a new domain, type the domain name in the field and press Enter.


Note: If both checkboxes are unchecked in the Enterprise Policy settings, the user can only select enterprise-approved domains when creating a certificate request. The Domain Names (DNS) field appears as a dropdown, displaying all active and verified domains in the Enterprise.


Note: You can only specify a single domain and its associated subdomains in the DNS field. If you attempt to enter a different domain, the system displays an error message and prevents you from proceeding.



After specifying the required domain name(s), enter the information in the remaining fields as per your requirements.


Note: If the Email Address field is present in the SAN, the domain of the email address must match the domain entered or selected in the DNS field.


After providing the required information in SAN, click the next ‘>’ button to proceed to the 'Certificate Validity' screen.



Click the next '>' button to navigate to the 'Ownership Verification' screen. The system will display the 'Domain Verification' section on the screen.


Note: If you selected an enterprise-approved domain in the SAN section, you are not required to perform domain validation on the Ownership Verification screen. For enterprise-approved domains, the system automatically displays a Verified status, allowing you to proceed directly with certificate generation by clicking Generate.



However, if you entered a new domain in the SAN section, you must complete the domain validation process before the certificate can be generated.



Domain verification can be performed either by uploading a file or by adding a TXT record. 


Note: The method (Upload a File or TXT Record) through which domain verification can be performed is configured in the certification profile. The operator may enable one or both methods. You can use either of the enabled methods to verify your domain. For details about how the method is selected, see the ‘Certification Profiles’ section.


Upload a File


Click the ‘Upload a File’ button. The system will display the ‘Upload a File’ dialog, which contains instructions on how to verify the domain using this method. 



TXT Record


Click the ‘TXT Record’ button. The system will display the ‘TXT Record’ dialog, which contains instructions on how to verify the domain using this method. 



After completing the instructions for the chosen method, click the 'Verify' button. If all steps were completed correctly, the ‘Verified’ status appears for the entered domain.


  

After the verification is complete, you can click the 'Generate' button to create the certificate request.


Note: If Certification Authority Authorisation (CAA) Records is enabled in the Enterprise Domain Settings, CAA record verification is required in the Ownership Verification section. When CAA record verification is enabled and the Organisation validation type is selected, the system performs both domain verification and CAA record verification before generating the certificate. Ensure that the domain in the DNS and Email Address fields of the SAN are the same. If they differ, the system displays an error on the SAN screen and does not allow you to proceed. For more details, see how CAA Record Verification is performed.


DNSSEC Verification


Web RA performs an additional DNSSEC check for all certificate types. The check is enabled automatically and applies to domain validation and Certification Authority Authorisation (CAA) verification during certificate request creation.


If DNSSEC is enabled and correctly configured for the domain, the system validates the DNSSEC signatures on the domain's DNS responses while processing the request. If the signatures are valid and domain verification succeeds, the request proceeds and the system displays a ‘Verified’ status for DNSSEC verification.


If DNSSEC is not enabled for the domain, DNSSEC verification is skipped and the certificate is generated without it; an unsigned zone therefore gains no protection from this check against spoofed validation responses.


If DNSSEC is enabled but the verification fails, the system displays an error on the screen.



Open MPIC Validation


If Open MPIC Validation is enabled in the certification profile, Open MPIC will also perform domain validation and CAA verification (if enabled in Enterprise domain settings) during certificate generation.


The domain is verified from each of the Open MPIC perspectives. If the number of perspectives that verify the domain meets the minimum quorum count specified in the Open MPIC connector, the user can generate the certificate. For more details about the Open MPIC connector, refer to the Connectors section.


After domain verification is performed by Open MPIC, the system will display a Verified status for the specified domain. You can generate the certificate request after successful verification. 



To view the Open MPIC perspective details, click the ‘View’ button next to 'Perspective Details'. The system will display the ‘Perspective Details’ dialog on the screen.



To view the Request and Response details, click the 'View' button. The system will display the 'Request and Response Details' dialog. You can view both Request and Response details from their respective tabs.



Note: If Open MPIC is enabled and DNSSEC Verification fails, the error will be displayed on the screen as shown in the image below.



S/MIME certificate requests with Domain and Mailbox Validation


The following steps describe how to create an S/MIME certificate request if both Domain and Mailbox validation are selected in the certification profile.


Expand Certificate Center > Certificate Requests to navigate to the Certificate Requests listing screen.



Click the + button to create a new certificate request. 


The create request screen will appear. On this screen, select the required ‘Certificate Type’ from the dropdown, and click ‘Create’.



The system will display the Certificate Signing Request (CSR) screen. Here, you can either upload a CSR or paste it into the ‘Paste Certificate Signing Request (CSR)’ box.



Once the CSR is uploaded, it will appear in the CSR field. You can view the details of the CSR by clicking the Eye icon.



Click the next '>' button to navigate to the 'Subject Distinguished Name (SDN)' screen. Review or update the information in the fields as required, then click the next ‘>’ button to proceed.



The Subject Alternative Name (SAN) screen will appear. On this screen, the Domain Names (DNS) and Email Address fields are mandatory. 


The behaviour of the Domain Names (DNS) field depends on the configured Enterprise Policy settings. 


If the 'Allow Only Enterprise-Approved Domains' policy is enabled in the Enterprise, the Domain Names (DNS) field is displayed as a dropdown list. In this case, users can only select an enterprise-approved domain from the available options. The dropdown list displays only active and verified domains configured for the Enterprise.


 

Alternatively, if the 'Assign Each Domain to a Single User' policy is enabled in the Enterprise, users can either select an enterprise-approved domain or enter a new domain in the Domain Names (DNS) field.

 

To select a pre-approved domain, click the Domain Names (DNS) field and select the required domain from the list. Alternatively, to enter a new domain, type the domain name in the field and press Enter.


Note: If both checkboxes are unchecked in the Enterprise Policy settings, the user can only select enterprise-approved domains when creating a certificate request. The Domain Names (DNS) field appears as a dropdown, displaying all active and verified domains in the Enterprise.


Note: You can only specify a single domain and its associated subdomains in the DNS field. If you attempt to enter a different domain, the system displays an error message and prevents you from proceeding.



Enter the email address in the designated field. The domain of the email address must match the domain entered or selected in the DNS field. After specifying the domain(s) and email address, enter the information in the remaining fields as per your requirements.



After completing the SAN section click the next ‘>’ button to proceed. The 'Certificate Validity' screen will appear.



Click the next '>' button to navigate to the 'Ownership Verification' screen. The system will display the Email Validation and the Domain Verification sections on the screen. 


Note: If you selected an enterprise-approved domain in the SAN section, you are not required to perform domain validation on the Ownership Verification screen. For enterprise-approved domains, the system automatically displays a Verified status, allowing you to proceed directly with certificate generation by clicking Generate.


Similarly, if you enter an email address that has already been validated in the system, the Ownership Verification screen displays a Verified status for that email address. You are not required to verify the email address again until its validation period expires, as defined by the configured Mailbox Validation Period in the Certification Profile.



However, if you entered a new domain and a new email address in the SAN section, you must complete both the email verification and the domain verification process before the certificate can be generated.



Email Validation


To verify the email address, click the ‘Verify’ button in the Action column. An ‘Email Validation’ dialog will appear on the screen, and a Token will be sent to the specified email address. 




Enter the token you received in your email in the ‘Token’ field, then click ‘Verify’. If the provided token is correct, the system will display the ‘Verified’ status for the email address.



After verifying the email address, you must verify the domain. The steps for verifying the domain - either by uploading a file or by adding a TXT record - are provided below.


Note: The method (Upload a File or TXT Record) through which domain verification can be performed is configured in the certification profile. The operator may enable one or both methods. You can use either of the enabled methods to verify your domain. For details about how the method is selected, see the ‘Certification Profiles’ section.


Upload a File


Click the ‘Upload a File’ button. The system will display the ‘Upload a File’ dialog, which contains instructions on how to verify the domain using this method. 



TXT Record


Click the ‘TXT Record’ button. The system will display the ‘TXT Record’ dialog, which contains instructions on how to verify the domain using this method.



After completing the instructions for the chosen method, click the 'Verify' button. If all steps were completed correctly, the ‘Verified’ status appears for the entered domain.



After the verification is complete, you can click the 'Generate' button to create the certificate request.
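The Email Validation step above, and the same step in the Mailbox Validation section, describe a token emailed to the address and checked on return, with the result remembered for the Mailbox Validation Period. The following is an added example written for this page, not Web RA's own code: it stores only a hash of the token, compares in constant time, makes the token single-use, limits guesses, and caches the 'Verified' state until the period expires. The token format, its 15-minute lifetime, the attempt limit, the in-memory store and the case-insensitive address comparison are assumptions; sending the email is left to the caller.

```python
"""Mailbox ownership validation by emailed one-time token.

Added example for this page, not Web RA code. Assumptions: tokens are
12-character URL-safe strings, live for 15 minutes, and allow 5 attempts;
state is kept in memory; the caller sends the email.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class Challenge:
    token_hash: bytes      # only the SHA-256 of the token is stored
    expires_at: float      # epoch seconds after which the token is dead
    attempts_left: int     # wrong guesses allowed before the token is discarded


class MailboxValidator:
    TOKEN_TTL_S = 15 * 60   # assumed token lifetime
    MAX_ATTEMPTS = 5        # assumed guess limit

    def __init__(self, validation_period_s: float, now=time.time):
        # validation_period_s mirrors the profile's Mailbox Validation Period
        self.validation_period_s = validation_period_s
        self._now = now                       # injectable clock for tests
        self._pending: dict[str, Challenge] = {}
        self._verified_until: dict[str, float] = {}

    @staticmethod
    def _key(email: str) -> str:
        # Assumption: addresses are compared case-insensitively as a whole.
        return email.strip().lower()

    def is_verified(self, email: str) -> bool:
        """True while an earlier validation is still inside the period."""
        until = self._verified_until.get(self._key(email))
        return until is not None and self._now() < until

    def issue_token(self, email: str) -> str:
        """Create a fresh token for the address and return it for emailing."""
        token = secrets.token_urlsafe(9)      # 12 chars, ~72 bits of entropy
        self._pending[self._key(email)] = Challenge(
            token_hash=hashlib.sha256(token.encode()).digest(),
            expires_at=self._now() + self.TOKEN_TTL_S,
            attempts_left=self.MAX_ATTEMPTS,
        )
        return token

    def verify(self, email: str, token: str) -> bool:
        """Check a submitted token; on success mark the mailbox verified."""
        key = self._key(email)
        ch = self._pending.get(key)
        if ch is None or self._now() > ch.expires_at:
            self._pending.pop(key, None)      # expired or never issued
            return False
        ch.attempts_left -= 1
        ok = hmac.compare_digest(
            hashlib.sha256(token.strip().encode()).digest(), ch.token_hash)
        if ok:
            del self._pending[key]            # single use
            self._verified_until[key] = self._now() + self.validation_period_s
        elif ch.attempts_left <= 0:
            del self._pending[key]            # too many guesses: start over
        return ok
```

Because only the hash is stored, a read of the pending table does not yield usable tokens, and because a successful verification deletes the challenge, a token intercepted later cannot be replayed. The injected clock is what lets the validation-period expiry be exercised without waiting.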


DNSSEC Verification

 

Web RA performs an additional DNSSEC check for all certificate types. The check is enabled automatically and applies to domain validation and Certification Authority Authorisation (CAA) verification during certificate request creation.

If DNSSEC is enabled and correctly configured for the domain, the system validates the DNSSEC signatures on the domain's DNS responses while processing the request. If the signatures are valid and domain verification succeeds, the request proceeds and the system displays a ‘Verified’ status for DNSSEC verification.


If DNSSEC is not enabled for the domain, DNSSEC verification is skipped and the certificate is generated without it; an unsigned zone therefore gains no protection from this check against spoofed validation responses.

If DNSSEC is enabled but the verification fails, the system displays an error on the screen.



Open MPIC Validation

 

If Open MPIC Validation is enabled in the certification profile, Open MPIC will also perform domain validation and CAA verification (if enabled in Enterprise domain settings) during certificate generation.

 

The domain is verified from each of the Open MPIC perspectives. If the number of perspectives that verify the domain meets the minimum quorum count specified in the Open MPIC connector, the user can generate the certificate. For more details about the Open MPIC connector, refer to the Connectors section.

 

After domain verification is performed by Open MPIC, the system will display a Verified status for the specified domain. You can generate the certificate request after successful verification. 


 

To view the Open MPIC perspective details, click the ‘View’ button next to 'Perspective Details'. The system will display the ‘Perspective Details’ dialog on the screen.


 

To view the Request and Response details, click the 'View' button. The system will display the 'Request and Response Details' dialog. You can view both Request and Response details from their respective tabs.


 

Note: If Open MPIC is enabled and DNSSEC Verification fails, the error will be displayed on the screen as shown in the image below.



Note: If Certification Authority Authorisation (CAA) Records is enabled in the Enterprise Domain Settings, CAA record verification is required in the Ownership Verification section. When CAA record verification is enabled and the Sponsor validation type is selected, the system performs email validation, domain verification and CAA record verification before generating the certificate. Ensure that the domain in the DNS and Email Address fields of the SAN are the same. If they differ, the system displays an error on the SAN screen and does not allow you to proceed. For more details, see how CAA Record Verification is performed.
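The TXT Record method and the Open MPIC quorum described in this section and in the Domain Validation section above come down to one check repeated from several vantage points. The following is an added example written for this page, not Web RA or Open MPIC code: a challenge token is looked up in a TXT record from each perspective, and the domain passes only when enough perspectives agree, which is what defeats an attacker who can poison DNS on the path to a single vantage point. It also implements the SAN rule that the DNS field may hold one domain and its subdomains only, with a label-aware suffix test. The record name '_webra-challenge', the quorum of 2 and the per-perspective DNS tables are assumptions constructed for the demo; the Upload a File method follows the same pattern with an HTTP fetch in place of the TXT lookup.

```python
"""Domain-control validation by DNS TXT record, checked from several
network perspectives with a quorum (the Open MPIC model), plus the SAN rule
that all DNS names must belong to one domain.

Added example for this page, not Web RA or Open MPIC code. Assumptions: the
challenge record name '_webra-challenge.<domain>' and the quorum of 2 are
invented for the demo, and each perspective's DNS view is a constructed
in-memory table instead of a real resolver.
"""
import hmac
import secrets
from dataclasses import dataclass, field

CHALLENGE_LABEL = "_webra-challenge"   # assumed; the real name is in the TXT Record dialog


def labels(name: str) -> list[str]:
    return name.lower().rstrip(".").split(".")


def is_subdomain_or_equal(name: str, base: str) -> bool:
    """Label-aware suffix test: 'evilexample.com' is NOT under 'example.com'."""
    n, b = labels(name), labels(base)
    return len(n) >= len(b) and n[-len(b):] == b


def san_dns_names_ok(names: list[str]) -> bool:
    """Page rule: the DNS field may hold one domain and its subdomains only."""
    if not names:
        return False
    base = min(names, key=lambda x: len(labels(x)))   # shortest name is the base
    return all(is_subdomain_or_equal(n, base) for n in names)


@dataclass
class Perspective:
    """One vantage point; txt maps owner name -> TXT strings as seen from there."""
    name: str
    txt: dict[str, list[str]] = field(default_factory=dict)

    def lookup_txt(self, owner: str) -> list[str]:
        return self.txt.get(owner.lower().rstrip("."), [])


def new_challenge_token() -> str:
    return secrets.token_urlsafe(32)     # unguessable; the RA hands this to the requester


def verify_txt(p: Perspective, domain: str, token: str) -> bool:
    """Does this perspective see the token in the challenge TXT record?"""
    owner = f"{CHALLENGE_LABEL}.{domain}"
    return any(v.isascii() and hmac.compare_digest(v, token)
               for v in p.lookup_txt(owner))


def mpic_verify(perspectives, domain, token, quorum):
    """Validate from every perspective; pass only if at least `quorum` agree."""
    votes = {p.name: verify_txt(p, domain, token) for p in perspectives}
    passed = sum(votes.values()) >= quorum
    return passed, votes


def demo():
    """Constructed scenario: one of three perspectives has a hijacked DNS view."""
    domain = "example.com"
    token = new_challenge_token()
    honest = {f"{CHALLENGE_LABEL}.{domain}": [token]}
    hijacked = {f"{CHALLENGE_LABEL}.{domain}": ["attacker-planted-value"]}
    # The real owner publishes the token; two views are honest, one is poisoned.
    perspectives = [
        Perspective("eu-west", dict(honest)),
        Perspective("us-east", dict(honest)),
        Perspective("ap-south", dict(hijacked)),
    ]
    owner_result, owner_votes = mpic_verify(perspectives, domain, token, quorum=2)
    # An attacker requesting a certificate for the domain knows the token but
    # can only plant it in the one view they hijack; one vote misses the quorum.
    attacker = [
        Perspective("eu-west", {}),
        Perspective("us-east", {}),
        Perspective("ap-south", dict(honest)),
    ]
    attacker_result, attacker_votes = mpic_verify(attacker, domain, token, quorum=2)
    return owner_result, owner_votes, attacker_result, attacker_votes
```

The quorum is the whole point: a single-perspective check is only as trustworthy as the routing between that one resolver and the domain's name servers, whereas an attacker must subvert the majority of geographically separate paths to pass the multi-perspective check.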


CAA Record Verification


If Certification Authority Authorisation (CAA) Records is enabled in the Enterprise Domain Settings, CAA record verification is required in the Ownership Verification section before the certificate is generated.


The following steps describe how CAA record verification is performed during S/MIME certificate request creation.


Expand Certificate Center > Certificate Requests to navigate to the Certificate Requests listing screen.



Click the + button to create a new certificate request. 


The create request screen will appear. On this screen, select the required ‘Certificate Type’ from the dropdown, and click ‘Create’.



The system will display the Certificate Signing Request (CSR) screen. Here, you can either upload a CSR or paste it into the ‘Paste Certificate Signing Request (CSR)’ box.



Once the CSR is uploaded, it will appear in the CSR field. You can view the details of the CSR by clicking the Eye icon.



Click the next '>' button to navigate to the 'Subject Distinguished Name (SDN)' screen. Review or update the information in the fields as required, then click the next ‘>’ button to proceed.



The Subject Alternative Name (SAN) screen will appear. Here, review or update the information in the fields as required.



Note: Ensure that the domain in the Domain Names (DNS) and Email Address fields are the same. If the domains differ, the system displays an error and does not allow you to proceed.



After completing the SAN section click the next ‘>’ button to proceed. The 'Certificate Validity' screen will appear.



Click the next '>' button to navigate to the 'Ownership Verification' screen. 


The Domain Verification Status will appear unverified. Click Verify to proceed.



If the CAA records configured in the Enterprise Domain settings match the domain of the entered email address, the Domain Verification Status changes to Verified, as displayed below.



Once the status is Verified, click Generate to generate the certificate. The Certificate Generated confirmation message will appear, as displayed below:



If, however, the CAA records configured in the Enterprise Domain settings do not match the domain of any entered email address, the Domain Verification Status remains ‘Unverified’.


The unverified domain name will appear in red text under the ‘Details’ column.



If you attempt to generate the certificate while the Domain Verification Status is ‘Unverified,’ the system will display an error dialog prompting you to verify your domain CAA records before proceeding.



Note: CAA lookup starts at the requested name and climbs toward the DNS root; the first CAA record set found (at the name itself or at an ancestor) governs issuance. If no CAA record is found at any level, any CA is allowed to issue a certificate for the domain. If a CAA record set is found, only the CAs listed in its issue-type records are allowed to issue for that name.
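The lookup rule in the note above, and the SAN rule that the email domain must equal the DNS domain, as an added example written for this page (not Web RA code): the function walks from the name toward the root in the manner of RFC 8659, takes the first non-empty CAA record set, honours the issuer-critical flag, and decides whether the CA named by `issuer_domain` may issue. DNS is a constructed in-memory table with no CNAME/DNAME chasing and no network. The property tag is a parameter because the page does not say whether Web RA evaluates 'issue' or the S/MIME-specific 'issuemail' property defined in RFC 9495; the default of 'issue' is an assumption, as are the zone data and the CA names.

```python
"""CAA check in the RFC 8659 style, plus the page's email-domain rule.

Added example for this page, not Web RA code. DNS is a constructed in-memory
table (no CNAME/DNAME chasing, no network); the 'issue' default, the zone
data and the CA names are assumptions.
"""
from dataclasses import dataclass

ISSUER_CRITICAL = 0x80      # CAA flags bit: an unknown critical tag forbids issuance
KNOWN_TAGS = {"issue", "issuewild", "iodef", "issuemail", "contactemail", "contactphone"}


@dataclass(frozen=True)
class CAA:
    flags: int
    tag: str
    value: str       # 'ca.example.net', 'ca.example.net; account=42', or ';'


def normalise(name: str) -> str:
    return name.strip().lower().rstrip(".")


def email_domain(email: str) -> str:
    local, at, domain = email.strip().rpartition("@")
    if not at or not local or not domain:
        raise ValueError(f"not an email address: {email!r}")
    return normalise(domain)


def san_domains_match(dns_name: str, email: str) -> bool:
    """The page's SAN rule: the DNS field domain equals the email domain."""
    return normalise(dns_name) == email_domain(email)


def relevant_rrset(zone, name):
    """Closest ancestor-or-self with a non-empty CAA RRset (RFC 8659 s3)."""
    parts = normalise(name).split(".")
    for i in range(len(parts)):
        owner = ".".join(parts[i:])
        rrs = zone.get(owner, [])
        if rrs:
            return owner, rrs
    return None, []


def issuer_of(value: str) -> str:
    """'ca.example.net; account=42' -> 'ca.example.net'; ';' -> '' (nobody)."""
    return value.split(";", 1)[0].strip().lower()


def caa_permits(zone, name, issuer_domain, tag="issue"):
    """Return (permitted, reason) for issuance to `name` by `issuer_domain`."""
    owner, rrs = relevant_rrset(zone, name)
    if not rrs:
        return True, "no CAA RRset at the name or any ancestor: no restriction"
    for r in rrs:
        if r.flags & ISSUER_CRITICAL and r.tag.lower() not in KNOWN_TAGS:
            return False, f"critical unknown property '{r.tag}' at {owner}"
    restricting = [r for r in rrs if r.tag.lower() == tag]
    if not restricting:
        return True, f"CAA at {owner} carries no '{tag}' property: no restriction"
    allowed = {issuer_of(r.value) for r in restricting}
    if issuer_domain.strip().lower() in allowed:
        return True, f"'{tag}' at {owner} names {issuer_domain}"
    return False, f"'{tag}' at {owner} does not name {issuer_domain}"


# Constructed zone data for the demo (not real DNS).
ZONE = {
    "example.com": [CAA(0, "issue", "ca.example.net"),
                    CAA(0, "iodef", "mailto:security@example.com")],
    "example.org": [CAA(0, "issue", "ca.example.net")],
    "locked.example.org": [CAA(0, "issue", ";")],          # nobody may issue here
    "strict.example.net": [CAA(ISSUER_CRITICAL, "futuretag", "x")],
}
```

Two behaviours worth noticing: a record set at a subdomain shadows the parent entirely (locked.example.org is closed even though example.org permits the CA), and an RRset that contains only non-restricting properties such as iodef is treated as if no CAA were present.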


DNSSEC Verification


Web RA performs an additional DNSSEC check for all certificate types. The check is enabled automatically and applies to domain validation and Certification Authority Authorisation (CAA) verification during certificate request creation.


If DNSSEC is enabled and correctly configured for the domain, the system validates the DNSSEC signatures on the domain's DNS responses while processing the request. If the signatures are valid and domain verification succeeds, the request proceeds and the system displays a ‘Verified’ status for DNSSEC verification.


You can generate the certificate request by clicking the 'Generate' button after successful verification.


If DNSSEC is not enabled for the domain, DNSSEC verification is skipped and certificate generation proceeds without it; an unsigned zone therefore gains no protection from this check against spoofed validation responses.


If DNSSEC is enabled but the verification fails, the system displays an error on the screen.



Open MPIC Validation


If Open MPIC Validation is enabled in the certification profile, Open MPIC will also perform domain validation and CAA verification (if enabled in Enterprise domain settings) during certificate generation.


The domain is verified from each of the Open MPIC perspectives. If the number of perspectives that verify the domain meets the minimum quorum count specified in the Open MPIC connector, the user can generate the certificate. For more details about the Open MPIC connector, refer to the Connectors section.


After domain verification is performed by Open MPIC, the system will display a Verified status for the specified domain.



To view the Open MPIC perspective details, click the ‘View’ button. The system will display the ‘Perspective Details’ dialog on the screen.



To view the Request and Response details, click the 'View' button. The system will display the 'Request and Response Details' dialog. You can view both Request and Response details from their respective tabs.



Note: If Open MPIC is enabled and DNSSEC Verification fails, the error will be displayed on the screen as shown in the image below.