TLS Server Requests
This section of the ADSS Web RA Admin portal lists all TLS / server-based certificate requests.
- Submit a Certificate Request based on TLS Server Auth / SDNs / DV SSL / PKCS10 (Domain Names)
- Submit a Certificate Request based on TLS DV - None (CAA Records)
Certificate Transparency (CT) Log Configuration

In the above screenshot, a Certificate Transparency (CT) log server is configured.
When Web RA submits a TLS server certificate request to the ADSS Server, ADSS first checks whether the “Delegate the Precertificate Logging Process to Other Entities” option is enabled for the issuing CA under the Certificate Transparency Settings.
If precertificate logging delegation is enabled, ADSS generates a precertificate and returns the following information to Web RA:
- Configured CT log server details
- The precertificate along with its certificate chain
At this stage, ADSS pauses the certificate issuance workflow and waits for the Signed Certificate Timestamps (SCTs).
Web RA then submits the received precertificate chain to the configured CT log server(s) in accordance with the Certificate Transparency process defined for publicly trusted TLS certificates.
The CT log server validates and logs the precertificate, and returns the SCT response. After receiving the SCTs from the CT log server(s), Web RA forwards the SCT information back to ADSS. ADSS then embeds the SCTs into the final TLS certificate and completes the certificate issuance process.
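The log-side exchange described above, sketched as an added example (not Ascertia or Web RA code). It assumes the configured logs speak the RFC 6962 v1 API; the chain and SCT values are constructed placeholders.

```python
import base64
import json
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def add_pre_chain_body(pem_chain: str) -> str:
    """JSON body for POST <log>/ct/v1/add-pre-chain; the precertificate comes first."""
    ders = [base64.b64decode("".join(m.split())) for m in PEM_RE.findall(pem_chain)]
    if not ders:
        raise ValueError("no certificates found in the chain")
    return json.dumps({"chain": [base64.b64encode(d).decode() for d in ders]})

def serialize_sct(resp: dict) -> bytes:
    """Pack a log's JSON response into the TLS-encoded SCT structure."""
    if resp["sct_version"] != 0:
        raise ValueError("only v1 SCTs (sct_version 0) are handled")
    log_id = base64.b64decode(resp["id"])
    if len(log_id) != 32:
        raise ValueError("log id must be a 32-byte SHA-256 hash")
    ext = base64.b64decode(resp["extensions"])
    sig = base64.b64decode(resp["signature"])  # already a digitally-signed struct
    return (b"\x00" + log_id + resp["timestamp"].to_bytes(8, "big")
            + len(ext).to_bytes(2, "big") + ext + sig)

def sct_list(responses) -> bytes:
    """SCT list: each SCT, and then the whole list, carries a 2-byte length prefix.
    The result is wrapped in an OCTET STRING for the certificate's SCT extension."""
    items = b"".join(len(s).to_bytes(2, "big") + s for s in map(serialize_sct, responses))
    return len(items).to_bytes(2, "big") + items

def _pem(der: bytes) -> str:
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"

# Constructed sample input: placeholder bytes, not real certificates or a real log.
SAMPLE_CHAIN = _pem(b"precert-der") + _pem(b"issuer-der")
SAMPLE_SCT = {
    "sct_version": 0,
    "id": base64.b64encode(bytes(32)).decode(),
    "timestamp": 1700000000000,  # milliseconds since the epoch
    "extensions": "",
    "signature": base64.b64encode(b"\x04\x03\x00\x02\xab\xcd").decode(),
}
```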
Submit a Certificate Request (TLS Server Auth / SDNs / DV SSL / PKCS10 certificate type) with Domain Names
To create a new certificate request, expand Requests > Certificate Requests from the left menu pane in the admin portal. Then click the ‘+’ button from the grid header.

The system will display the ‘Create Request’ screen. Here, select your ‘Enterprise’ from the ‘Enterprise Name’ drop down, and select the ‘Certificate Type’.

Note: A checkbox titled ‘Generate a certificate on behalf of the user’ will appear on this screen if the policy for this option is enabled in the Enterprise > Policies > Requests section.
Enabling this checkbox will allow the operator to generate a certificate on behalf of the user.

After making the required selections, click the ‘Create’ button. The system will display the Certificate Signing Request (CSR) screen.

On this screen, either upload the CSR through the 'Click to upload a CSR' hyperlinked option or paste the CSR in the box below. Once the CSR is uploaded, it will appear on the screen and the system will also display additional tabs in the Create Request window.

After uploading the CSR, click the '>' button to navigate to the ‘Subject Distinguished Name (SDN)' screen.

Enter the required details on this screen as per given fields and click the next ‘>’ button to navigate to the ‘Subject Alternative Name (SAN)’ screen.
Note: If the Email Validation checkbox is enabled in the Configurations module and an email address is present in the RFC822Name field of the Subject Alternative Names (SAN), the ownership verification screen will require you to complete email validation before generating the certificate.

Click the next ‘>’ button to proceed to the ‘Certificate Validity’ screen. The validity period will appear in disabled form.

Click the next ‘>’ button to navigate to the ‘Ownership Verification’ screen.

The domain verification can be performed either by uploading a file or by adding a TXT Record.
Note: The action (Upload a File or TXT Record) through which domain verification can be performed is configured in the certification profile. The operator may select one or both methods for domain verification. For more details, navigate to the ‘Certification Profiles’ section.
Upload a File
Click the ‘Upload a File’ button. The system will display the ‘Upload a File’ dialog, which contains instructions on how to verify the domain using this method.

TXT Record
Click the ‘TXT Record’ button. The system will display the ‘TXT Record’ dialog, which contains instructions on how to verify the domain using this method.

After selecting the required method from the two mentioned above, click the 'Verify' button. If all steps are completed correctly, the ‘Verified’ status will appear for the entered domain.
Note: If the Email Validation checkbox is enabled in the Configurations module and an email address is present in the RFC822Name field of the Subject Alternative Names (SAN), the ownership verification screen will require you to complete email validation before generating the certificate.

After domain verification, click the ‘Generate’ button to create the certificate request. This certificate request will appear in the ‘Certificate Requests’ listing table as well.
Note: The steps mentioned above for creating a certificate request apply to the ‘DV SSL’ verification type. The same steps can be followed to generate certificate requests for ‘OV SSL’ and ‘EV SSL’ verification types.
Note: If Certification Authority Authorisation (CAA) Records is enabled in the Admin Policy Configurations or Enterprise Domain Settings, the system will perform CAA record verification in the Ownership Verification section as well. The CAA record verification row will appear below Domain Verification. To see how a certificate request with CAA record verification is generated, navigate to the CAA Record Verification section.
DNSSEC Verification
An additional check for DNSSEC verification has been enabled for all certificate types in Web RA. This feature is automatically enabled in the system and adds a DNSSEC check for domain validation and Certificate Authority Authorisation (CAA) verification during certificate request creation.
If DNSSEC is enabled and correctly configured for the domain, the system validates the domain’s DNSSEC signature during certificate request processing. If the signature is valid and the domain verification is successful, the certificate request is processed successfully and the system displays a ‘Verified’ status for DNSSEC verification. You can then generate the certificate request after successful verification.

If DNSSEC is not enabled for the domain, DNSSEC verification will not be performed and certificate generation will proceed without it.
However, if DNSSEC is enabled but the verification fails, the system displays an error on the screen.

Open MPIC Validation
If Open MPIC Validation is enabled in the certification profile, Open MPIC will also perform domain validation and CAA verification (if enabled in Enterprise domain settings) during certificate generation.
The domain will be verified by the Open MPIC perspectives. If the domain verification meets the minimum quorum count specified in the Open MPIC connector, the user will be able to generate the certificate. For more details about Open MPIC connector, refer to the Connectors section.
After domain verification is performed by Open MPIC, the system will display a Verified status for the specified domain.

To view the Open MPIC perspective details, click the ‘View’ button next to 'Perspective Details'. The system will display the ‘Perspective Details’ dialog on the screen.

To view the Request and Response details, click the 'View' button. The system will display the 'Request and Response Details' dialog. You can view both Request and Response details from their respective tabs.

Note: If Open MPIC is enabled and DNSSEC Verification fails, the error will be displayed on the screen as shown in the image below.

You can view the Perspective Details and Request and Response Details by clicking the respective 'View' button.
Note: If the ‘Generate a certificate on behalf of the user’ checkbox is enabled, the system will display an additional screen titled ‘User Information’ next to the Certificate Validity screen.

On this screen, you will be required to enter or select the Name, Email, Citizen ID, Mobile Number, and Role of the user for whom the certificate is being generated.
After entering the details, click ‘Approve’. The system will then display a subscriber agreement (if configured) for this user's profile.
When you agree to the subscriber agreement, the system will create an account for the user and generate the certificate. The user will receive an email regarding the account and certificate creation and is prompted to activate their account.
Note: If the certificate is being created for a user who does not exist in the system, a new account will be created for the user along with the certificate. If the user already has a registered account in the Web RA system, only the certificate will be created. The user will be notified via email about the certificate generation. Meanwhile, if the user exists in the system but is not part of the enterprise where the certificate is being created, the system will send an invitation for the user to join that enterprise and will generate the certificate as well.
Submit a Certificate Request based on TLS DV - None (CAA Records)
To create a new certificate request, expand Requests > Certificate Requests from the left menu pane in the admin portal. Then click the ‘+’ button from the grid header.

The system will display the ‘Create Request’ screen. Here, select your ‘Enterprise’ from the ‘Enterprise Name’ drop down, and select the ‘Certificate Type’.

Note: A checkbox titled ‘Generate a certificate on behalf of the user’ will appear on this screen if the policy for this option is enabled in the Enterprise > Policies > Requests section.
Enabling this checkbox will allow the operator to generate a certificate on behalf of the user.

After making the required selections, click the ‘Create’ button. The system will display the Certificate Signing Request (CSR) screen.

On this screen, either upload the CSR through the 'Click to upload a CSR' hyperlinked option or paste the CSR in the box below. Once the CSR is uploaded, it will appear on the screen and the system will also display additional tabs in the Create Request window.

After uploading the CSR, click the '>' button to navigate to the ‘Subject Distinguished Name (SDN)' screen.

Enter the required details on this screen as per given fields and click the next ‘>’ button to navigate to the ‘Subject Alternative Name (SAN)’ screen.
Note: If the Email Validation checkbox is enabled in the Configurations module and an email address is present in the RFC822Name field of the Subject Alternative Names (SAN), the ownership verification screen will require you to complete email validation before generating the certificate.

Click the next ‘>’ button to proceed to the ‘Certificate Validity’ screen. The validity period will appear in disabled form.

Click the next ‘>’ button to navigate to the ‘Ownership Verification’ screen. Here the 'Domain Verification Status' for 'CAA Record Verification' will appear as Unverified.
Click the 'Verify' button.

If the CAA records you configured in the Enterprise Domain configurations match the CAA record you entered in the DNS entry, the Domain Verification Status will appear as Verified, as displayed below:

If the CAA records you configured in the Enterprise Domain configurations do not match the CAA record you entered in the DNS entry, the system will display an error on the screen.

To complete the verification, you will first have to update the CAA Records. After that, click the 'Verify' button again to proceed.
After successful verification, click the ‘Generate’ button to create the certificate request. After clicking ‘Generate’, the certificate will be generated and the certificate request will appear in the ‘Certificate Requests’ listing table as well.
Note: A subscriber agreement dialog will appear on the screen after clicking the ‘Generate’ button if any such agreement is configured with the user’s profile. It will not appear if a subscriber agreement is not configured.
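How a CAA check of the kind described in this procedure evaluates DNS data under RFC 8659, as an added example (not Web RA's implementation). The zone contents and the CA identifier `ca.example.net` are constructed assumptions; the example shows why a record set on a closer subdomain or an `issuewild` property can make verification fail even when the parent domain authorises the CA.

```python
# Constructed sample zone (not real DNS data): name -> [(flags, tag, value), ...]
ZONE = {
    "example.com": [(0, "issue", "ca.example.net"), (0, "issuewild", ";")],
    "internal.example.com": [(0, "issue", "other-ca.example; policy=ev")],
    "example.org": [(128, "futuretag", "x")],
}
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

def relevant_rrset(fqdn, zone):
    """Climb from fqdn towards the root; return the first non-empty CAA RRset."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        if zone.get(name):
            return name, zone[name]
    return None, []

def caa_permits(fqdn, ca_domain, zone):
    """Return (allowed, reason) for ca_domain issuing a certificate for fqdn."""
    wildcard = fqdn.startswith("*.")
    name, records = relevant_rrset(fqdn[2:] if wildcard else fqdn, zone)
    if not records:
        return True, "no CAA RRset found: issuance is not restricted"
    for flags, tag, _ in records:
        # Critical bit set on a property the CA does not understand: refuse.
        if flags & 0x80 and tag.lower() not in KNOWN_TAGS:
            return False, f"critical unknown property {tag!r} at {name}"
    by_tag = {}
    for _, tag, value in records:
        # The issuer domain is the part before any ';'-separated parameters.
        issuer = value.split(";", 1)[0].strip().lower()
        by_tag.setdefault(tag.lower(), []).append(issuer)
    # Wildcard names use issuewild when present, otherwise fall back to issue.
    use = "issuewild" if wildcard and "issuewild" in by_tag else "issue"
    if use not in by_tag:
        return True, f"no {use} property at {name}: issuance is not restricted"
    if ca_domain.lower() in by_tag[use]:
        return True, f"{use} at {name} authorises {ca_domain}"
    return False, f"{use} at {name} does not authorise {ca_domain}"
```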
DNSSEC Verification
An additional check for DNSSEC verification has been enabled for all certificate types in Web RA. This feature is automatically enabled in the system and adds a DNSSEC check for domain validation and Certificate Authority Authorisation (CAA) verification during certificate request creation.
If DNSSEC is enabled and correctly configured for the domain, the system validates the domain’s DNSSEC signature during certificate request processing. If the signature is valid and the domain verification is successful, the certificate request is processed successfully and the system displays a ‘Verified’ status for DNSSEC verification. You can generate the certificate request after successful verification.

If DNSSEC is not enabled for the domain, DNSSEC verification will not be performed and the certificate will be generated without it.
However, if DNSSEC is enabled but the verification fails, the system displays an error on the screen.

Open MPIC Validation
If Open MPIC Validation is enabled in the certification profile, Open MPIC will also perform domain validation and CAA verification (if enabled in Enterprise domain settings) during certificate generation.
The domain will be verified by the Open MPIC perspectives. If the domain verification meets the minimum quorum count specified in the Open MPIC connector, the user will be able to generate the certificate. For more details about Open MPIC connector, refer to the Connectors section.
After domain verification is performed by Open MPIC, the system will display a Verified status for the specified domain.

To view the Open MPIC perspective details, click the ‘View’ button next to 'Perspective Details'. The system will display the ‘Perspective Details’ dialog on the screen.

To view the Request and Response details, click the 'View' button. The system will display the 'Request and Response Details' dialog. You can view both Request and Response details from their respective tabs.

Note: If Open MPIC is enabled and DNSSEC Verification fails, the error will be displayed on the screen as shown in the image below.

You can view the Perspective Details and Request and Response Details by clicking the respective 'View' button.
Note: If the ‘Generate a certificate on behalf of the user’ checkbox is enabled, the system will display an additional screen titled ‘User Information’ next to the 'Domain Ownership Verification' screen.
On this screen, you will be required to enter or select the Name, Email, Citizen ID, Mobile Number, and Role of the user for whom the certificate is being generated.

After entering the details, click ‘Generate’. The system will then display a subscriber agreement (if configured) for this user's profile.
When you agree to the subscriber agreement, the system will create an account for the user and generate the certificate. The user will receive an email regarding the account and certificate creation and is prompted to activate their account.
Note: If the certificate is being created for a user who does not exist in the system, a new account will be created for the user along with the certificate. If the user already has a registered account in the Web RA system, only the certificate will be created. The user will be notified via email about the certificate generation. Meanwhile, if the user exists in the system but is not part of the enterprise where the certificate is being created, the system will send an invitation for the user to join that enterprise and will generate the certificate as well.
