Certificate Requests
This section of the ADSS Web RA admin portal lists all types of certificate requests, whether they are pending approval, in review or approved.
- Submit a Certificate Request based on client authentication with CSR.
- Submit a Certificate Request based on TLS Server Auth / SDNs / DV SSL / PKCS10 (Domain Names)
- Submit a Certificate Request based on TLS DV - None (CAA Records)
- Submit a Certificate Request based on Email Signing using CSR
- Submit a Certificate Request based on Go>Sign Desktop Profile
Expand Requests > Certificate Requests from the left menu pane. The certificate requests listing will appear.
Search and Advanced Search
Users can search for specific certificate(s) in the listing using the search bar.
Furthermore, the "Advanced Search" feature is also available for more targeted searches.
It allows users to perform detailed and refined searches within the certificate requests section. By applying specific filters and criteria, users can quickly find the certificates they want to view.
To access the advanced search, click on the ‘Advanced Search’ icon next to the search box.
This will open the ‘Search’ dialog, which contains more than a dozen filters that allow users to refine their search results based on specific criteria.
After applying the required filters, click the ‘Search’ button.
The listing section will display the certificates based on your applied filters.
On this screen, users have the option to save the search criteria, modify it, or clear the criteria to view all certificates in the listing again.
Modify Columns
Users have the option to modify the columns in the listing. To do that, click the button at the extreme right of the table header.
Click on the ‘Modify Columns’ option to edit the listing column entries. This will open a ‘Modify Columns’ dialog.
Click on the ‘Column’ dropdown to add more columns in the listing.
Scroll down the list to view the available options. Check the boxes for the options you want to view in the listing. The selected options will then appear in the ‘Column’ box.
To remove any selected option, click on the cross present next to the column entry.
After selecting the required options, click the ‘Apply’ button to view the changes in the table listing. Click the ‘Apply and Save’ button to permanently save the changes in the table.
Users can also change the order in which columns appear in the listing table. To do this, first, remove all the selected options. Then, select the options from the dropdown one by one in the exact order you want them to appear in the listing table.
The 'Reset to Default' button will revert the column entries to their default settings.
Note: The Request By section will display Citizen ID below the username if it is enabled in the Configurations > Default Settings.
Submit a Certificate Request (Client Authentication with CSR certificate type)
- Expand Requests > Certificate Requests from the left menu pane, and then click the + button in the grid header.
- Select your Enterprise Name from the drop down, then select the Certificate Type, set the Validity Period and click Create.
Note: A checkbox titled ‘Generate a certificate on behalf of the user’ will appear on this screen if the policy for this option is enabled in the Enterprise > Policies > Requests section.
Enabling this checkbox will allow the operator to generate a certificate on behalf of the user.
- The Welcome Note screen will appear.
Select the ‘I allow the use of my data for processing certificate application by Enterprise Name’ checkbox and click Next.
- The second screen asks you to either upload a CSR or paste one in the box below.
A customised text will appear here, if added in the admin portal. Once you upload the file or paste the CSR, click next to proceed.
You can click the view icon to see the CSR. It contains all the SDNs, SANs, etc.
Scroll down to see the CSR in detail.
ADSS Web RA Server supports the following attributes in a CSR:
- Common Name
- First Name
- Last Name
- Title
- Organisation Unit
- Organisation Identifier
- Locality
- Street Address
- State
- Postal Code
- Country
- Subject Serial Number
- Business Category
- DNS Name
- IP Address
- Email Address
- Other Name
- Public Key
- Public Key Algorithm
- Public Key Length
- Signature
- Signature Algorithm
- Version
- Key Size
- Fingerprint (SHA-1)
- Fingerprint (MD5)
- SANS
ADSS Web RA Server does not support the following attributes in a CSR:
- Exponent
- Certificate Extensions
- Key Id Hash(rfc-sha1)
- Key Id Hash(sha1)
- Key Id Hash(bcrypt-sha1)
- Key Id Hash(bcrypt-sha256)
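A pre-submission check for the CSR described above, as an added example (not ADSS Web RA code): it uses the Python cryptography package to confirm the CSR's self-signature and to list the subject, SAN and key details that the CSR viewer shows. The sample CSR, the example.com names and the approved-domain list are constructed for illustration.

```python
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec, rsa
from cryptography.x509.oid import NameOID

PEM, DER = serialization.Encoding.PEM, serialization.Encoding.DER


def build_sample_csr() -> bytes:
    """Constructed test input: throwaway P-256 key, CSR with three SAN entries."""
    key = ec.generate_private_key(ec.SECP256R1())
    subject = x509.Name([
        x509.NameAttribute(NameOID.COMMON_NAME, "www.example.com"),
        x509.NameAttribute(NameOID.ORGANIZATION_NAME, "Example Org"),
        x509.NameAttribute(NameOID.COUNTRY_NAME, "GB"),
    ])
    san = x509.SubjectAlternativeName([
        x509.DNSName("www.example.com"),
        x509.DNSName("example.com"),
        x509.RFC822Name("admin@example.com"),
    ])
    csr = (x509.CertificateSigningRequestBuilder()
           .subject_name(subject)
           .add_extension(san, critical=False)
           .sign(key, hashes.SHA256()))
    return csr.public_bytes(PEM)


def tamper(pem: bytes) -> bytes:
    """Constructed negative case: change a name after signing (same length)."""
    der = x509.load_pem_x509_csr(pem).public_bytes(DER)
    bad = der.replace(b"www.example.com", b"www.examp1e.com")
    return x509.load_der_x509_csr(bad).public_bytes(PEM)


def inspect_csr(pem: bytes) -> dict:
    """Verify the CSR signature, then return the fields worth reviewing."""
    csr = x509.load_pem_x509_csr(pem)
    if not csr.is_signature_valid:
        raise ValueError("CSR signature does not verify against its own public key")
    try:
        san = csr.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
        dns = san.get_values_for_type(x509.DNSName)
        emails = san.get_values_for_type(x509.RFC822Name)
        ips = [str(ip) for ip in san.get_values_for_type(x509.IPAddress)]
    except x509.ExtensionNotFound:
        dns, emails, ips = [], [], []
    pub = csr.public_key()
    if isinstance(pub, ec.EllipticCurvePublicKey):
        key_type = "EC"
    elif isinstance(pub, rsa.RSAPublicKey):
        key_type = "RSA"
    else:
        key_type = type(pub).__name__
    cn = csr.subject.get_attributes_for_oid(NameOID.COMMON_NAME)
    return {
        "subject": csr.subject.rfc4514_string(),
        "common_name": [a.value for a in cn],
        "dns_names": dns, "emails": emails, "ip_addresses": ips,
        "key_type": key_type, "key_size": pub.key_size,
        "signature_hash": csr.signature_hash_algorithm.name,
    }


def out_of_scope(info: dict, approved_domains: list) -> list:
    """Names in the CSR that fall outside the (hypothetical) approved domains."""
    names = info["common_name"] + info["dns_names"]
    names += [e.rsplit("@", 1)[-1] for e in info["emails"]]
    def covered(n):
        return any(n == d or n.endswith("." + d) for d in approved_domains)
    return sorted({n.lower() for n in names if not covered(n.lower())})


if __name__ == "__main__":
    report = inspect_csr(build_sample_csr())
    for field, value in report.items():
        print(f"{field}: {value}")
    print("out of scope:", out_of_scope(report, ["example.com"]))
```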
- Click next, the Subject Distinguished Name (SDN) screen will appear.
The customised request note will appear, if it is added. Then, the SDN fields will be auto-filled as per CSR.
- The Subject Alternative Name (SAN) screen will appear.
The customised request note will appear, if it is added.
The SDN screen contains the following fields:
- DNS Name
- IP Address
- Email Address
- Other Name:
- OID
- Value
- Encoding
- Other Name
If no SDNs are added, the following screen will appear.
- The Certificate Validity screen will appear.
Here, the customised request note will appear, if it is added in request notes.
Then you can set the validity period.
Click Generate to proceed.
- The subscriber agreement configured with this user's profile will be displayed. Click I Agree to proceed.
- Certificate Generated.
- This request will be displayed in the certificate requests listing.
Note: If the ‘Generate a certificate on behalf of the user’ checkbox is enabled, the system will display an additional screen titled ‘User Information’ next to the Certificate Validity screen.
On this screen, you will be required to enter and select the Name, Email, Citizen ID, Mobile Number, and Role of the user for whom the certificate is being generated.
After entering the details, click ‘Approve’. The system will then display a subscriber agreement (if configured) for this user's profile.
When you agree to the subscriber agreement, the system will create an account for the user and generate the certificate. The user will receive an email regarding the account and certificate creation and is prompted to activate their account.
Note: If the certificate is being created for a user who does not exist in the system, a new account will be created for the user along with the certificate.
If the user already has a registered account in the WebRA system, only the certificate will be created. The user will be notified via email about the certificate generation.
Meanwhile, if the user exists in the system but is not part of the enterprise where the certificate is being created, the system will send an invitation for the user to join that enterprise and will generate the certificate as well.
Submit a Certificate Request (TLS Server Auth / SDNs / DV SSL / PKCS10 certificate type) with Domain Names
- Expand Requests > Certificate Requests from the left menu pane, and then click the + button in the grid header.
- Select your Enterprise Name from the drop down, then select the Certificate Type, set the Validity Period and click Create.
Note: A checkbox titled ‘Generate a certificate on behalf of the user’ will appear on this screen if the policy for this option is enabled in the Enterprise > Policies section.
Enabling this checkbox will allow the operator to generate a certificate on behalf of the user.
- The upload a CSR screen will appear. Once you upload the file or paste the CSR, click next to proceed.
- Click next, the Subject Distinguished Name (SDN) screen will appear. The SDN fields will be auto-filled as per CSR. Click >.
- The Subject Alternative Name (SAN) screen will appear. Click >.
- The Certificate Validity screen will appear. Click >.
- The Vetting Form screen will appear. Click >.
- The Domain Ownership Verification screen will appear. You can click upload a file or Txt record.
- Under the Domain Ownership Verification stepper, the upload a file window will appear.
- Here you can download the verification file from the link and upload it to your domain's root directory.
- Then click Verify to see if the domain is verified.
The domain URL appears in a disabled form (which you have set in the enterprise advance settings from the ADSS Web RA admin portal).
- The verification status will appear as follows:
Note: If the ‘Generate a certificate on behalf of the user’ checkbox is enabled, the system will display an additional screen titled ‘User Information’ next to the Certificate Validity screen.
On the 'User Information' screen, you will be required to enter and select the Name, Email, Citizen ID, Mobile Number, and Role of the user for whom the certificate is being generated.
After entering the details, click ‘Generate’. The system will then display a subscriber agreement configured for this user's profile.
When you agree to the subscriber agreement, the system will create an account for the user and generate the certificate. The user will receive an email regarding the account and certificate creation and is prompted to activate their account.
Note: If the certificate is being created for a user who does not exist in the system, a new account will be created for the user along with the certificate.
If the user already has a registered account in the WebRA system, only the certificate will be created. The user will be notified via email about the certificate generation.
Meanwhile, if the user exists in the system but is not part of the enterprise where the certificate is being created, the system will send an invitation for the user to join that enterprise and will generate the certificate as well.
You can perform a number of actions such as view certificate, download it, revoke the certificate (More Actions) or close it.
Note: CSR Validation policies only validate when Enable CSR Validation is set under Configurations > Policy.
Approve / Decline a Certificate Request (With Dual Control)
- Expand Requests > Certificate Requests from the left menu.
- Then click the button in the grid against a particular certificate to view it.
Scroll to the Vetting Form and you can choose to Approve or Decline a vetting form.
Click Approve, the following screen will appear where you need to tick the check-box I have reviewed and verified the following details, then add a Message and click OK. The certificate request will be approved and appear in the list.
Expand Dual Control > Requests > View Request (of the approved certificate). Its status will appear as Reviewed.
The request will appear on the screen, where you will scroll through four steps (SDNs, Certificate Validity, Vetting Form and Message). Click "Approve" and you will see a similar screen for approval. Once you click OK, the certificate will be generated.
The certificate will be listed under the Certificates listing.
Delete a Certificate Request
Permanent Deletion
An operator will only be able to delete a certificate request permanently, if he has enabled permanent deletion from the Policy section.
If an operator wants to delete a certificate request from the Admin portal, follow the steps below:
- Expand Requests > Certificate Requests.
- A list of certificate requests will appear. Select the request number check box against the request to delete. Then click the delete button.
- A confirmation dialog will appear as displayed below. It will also delete certificates and activities against this request permanently. The deleted information will not be retrievable.
- Click Yes to confirm the permanent deletion.
Temporary Deletion
An operator will only be able to delete a certificate request temporarily, if he has disabled permanent deletion from the Policy section.
If an operator wants to delete a certificate request from the Admin portal, follow the steps below:
- Expand Requests > Certificate Requests.
- A list of certificate requests will appear. Select the request number check box against the request to delete. Then click the delete button.
- A confirmation dialog will appear as displayed below. It will also delete certificate(s) against this request.
This note appears according to the configurations in the Policy section in the Admin portal.
Submit a Certificate Request based on TLS DV - None (CAA Records)
- Expand Requests > Certificate Requests from the left menu pane, and then click the + button in the grid header.
- Select your Enterprise Name from the drop down, then select the Certificate Type, set the Validity Period and click Create.
Note: A checkbox titled ‘Generate a certificate on behalf of the user’ will appear on this screen if the policy for this option is enabled in the Enterprise > Policies section.
Enabling this checkbox will allow the operator to generate a certificate on behalf of the user.
- Upload CSR and click >.
- The Certificate Validity screen will appear. Then click >.
- The Domain Ownership Verification screen will appear. The Domain Verification Status will appear Unverified. Click Verify to proceed.
- If the CAA records you configured in the Enterprise Domain configurations match the CA record you entered in the DNS entry, the Domain Verification Status will appear as Verified, as displayed below:
- The Approve Request screen will appear. Click the confirmation check box and click OK. This request will appear in the listing.
Note: If the ‘Generate a certificate on behalf of the user’ checkbox is enabled, the system will display an additional screen titled ‘User Information’ next to the Certificate Validity screen.
On the 'User Information' screen, you will be required to enter and select the Name, Email, Citizen ID, Mobile Number, and Role of the user for whom the certificate is being generated.
After entering the details, click ‘Approve’. The system will then display a subscriber agreement configured for this user's profile.
When you agree to the subscriber agreement, the system will create an account for the user and generate the certificate. The user will receive an email regarding the account and certificate creation and is prompted to activate their account.
Note: If the certificate is being created for a user who does not exist in the system, a new account will be created for the user along with the certificate.
If the user already has a registered account in the WebRA system, only the certificate will be created. The user will be notified via email about the certificate generation.
Meanwhile, if the user exists in the system but is not part of the enterprise where the certificate is being created, the system will send an invitation for the user to join that enterprise and will generate the certificate as well.
Submit a Certificate Request based on Email Signing using CSR
Expand Requests > Certificate Requests from the left menu pane. The Certificate Requests listing screen will appear.
Click the + button in the grid header to access the Create Request screen. Select the Enterprise name from the dropdown, choose the Certificate Type, and click 'Create'.
Note: A checkbox titled ‘Generate a certificate on behalf of the user’ will appear on this screen if the policy for this option is enabled in the Enterprise > Policies section.
Enabling this checkbox will allow the operator to generate a certificate on behalf of the user.
A Welcome Note screen will appear. Enable the ‘I allow the use of my data for processing certificate application by Enterprise Name’ checkbox and click next.
Note: The welcome note will only appear during the creation of a certificate request if the operator has added customised request notes in the enterprise that the user belongs to. For more details, navigate to Request Notes.
Once you agree to the welcome note and click Next, the upload CSR screen will appear. Here, upload or paste a CSR in the respective box.
Once the CSR is uploaded, the following screen will be displayed.
You can click the view button to see the details in the CSR. It contains all the SDNs, SANs, etc.
ADSS Web RA Server supports the following attributes in a CSR:
- Common Name
- First Name
- Last Name
- Title
- Organisation Unit
- Organisation Identifier
- Locality
- Street Address
- State
- Postal Code
- Country
- Subject Serial Number
- Business Category
- DNS Name
- IP Address
- Email Address
- Other Name
- Public Key
- Public Key Algorithm
- Public Key Length
- Signature
- Signature Algorithm
- Version
- Key Size
- Fingerprint (SHA-1)
- Fingerprint (MD5)
- SANS
ADSS Web RA Server does not support the following attributes in a CSR:
- Exponent
- Certificate Extensions
- Key Id Hash(rfc-sha1)
- Key Id Hash(sha1)
- Key Id Hash(bcrypt-sha1)
- Key Id Hash(bcrypt-sha256)
Click next to navigate to the Subject Distinguished Name (SDN) screen. After entering the required details, click Next.
The Subject Alternative Name (SAN) screen will appear. Here, enter the IP address and email address in the respective fields, then click Next.
The Certificate Validity screen will appear. The validity period will be displayed in a disabled form, click Next to proceed.
Now, the Domain Ownership Verification screen will appear. The Domain Verification Status will appear unverified. Click Verify to proceed.
If the CAA records configured in the Enterprise Domain configurations match the domain of the entered email, the Domain Verification Status will appear as Verified, as displayed below.
If the status is Verified, click Generate to process a certificate. The certificate will be generated and downloaded to your computer.
Meanwhile, if the CAA records configured in the Enterprise Domain configurations do not match with the domain of any entered email, the Domain Verification Status will appear as ‘Unverified’.
The unverified domain name will appear in red text under the ‘Details’ column.
If you attempt to generate the certificate while the Domain Verification Status is ‘Unverified,’ the system will display an error dialog prompting you to verify your domain’s CAA records before proceeding.
Note: If no CAA record is present, any CA is allowed to issue a certificate for the domain. If a CAA record is present, only the CAs listed in the record(s) are allowed to issue certificates for that hostname.
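The rule in the note above, as an added example (not ADSS Web RA code) that follows the CAA processing of RFC 8659. It goes beyond the note by also covering the climb to parent domains, wildcard names with issuewild, the empty ";" issuer and unknown critical tags. DNS is modelled by a constructed dictionary, and every domain and CA name is a placeholder.

```python
# Constructed sample data: owner name -> CAA records as (flags, tag, value).
# A real check would obtain these with a DNS CAA query; names are placeholders.
SAMPLE_ZONE = {
    "example.com": [(0, "issue", "ca.example.net; account=12345"),
                    (0, "iodef", "mailto:security@example.com")],
    "locked.example.com": [(0, "issue", ";")],
    "wild.example.com": [(0, "issue", "ca.example.net"),
                         (0, "issuewild", "other-ca.example.org")],
    "crit.example.org": [(128, "futuretag", "anything")],
}

KNOWN_TAGS = {"issue", "issuewild", "iodef"}
CRITICAL = 0x80  # issuer-critical flag bit


def relevant_rrset(fqdn, zone):
    """Climb from fqdn towards the root; return the first non-empty CAA set."""
    labels = fqdn.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        if zone.get(owner):
            return owner, zone[owner]
    return None, []


def issuer_of(value):
    """Issuer domain name is the text before the first ';' (may be empty)."""
    return value.split(";", 1)[0].strip().lower()


def caa_permits(name, ca_domain, zone=SAMPLE_ZONE):
    """Return (allowed, reason) for ca_domain issuing a certificate for name."""
    wildcard = name.startswith("*.")
    fqdn = name[2:] if wildcard else name
    owner, records = relevant_rrset(fqdn, zone)
    if not records:
        return True, "no CAA record found: any CA may issue"
    # A CA must refuse when it meets a critical tag it does not understand.
    for flags, tag, _ in records:
        if flags & CRITICAL and tag.lower() not in KNOWN_TAGS:
            return False, f"unknown critical tag '{tag}' at {owner}"
    issue = [issuer_of(v) for _, t, v in records if t.lower() == "issue"]
    issuewild = [issuer_of(v) for _, t, v in records if t.lower() == "issuewild"]
    # issuewild, when present, replaces issue for wildcard names and is
    # ignored for non-wildcard names.
    allowed = issuewild if (wildcard and issuewild) else issue
    if not allowed:
        return True, f"CAA set at {owner} has no tag restricting this request"
    if ca_domain.lower() in allowed:
        return True, f"{ca_domain} is listed at {owner}"
    return False, f"{ca_domain} is not listed at {owner}"


if __name__ == "__main__":
    for name, ca in [("www.example.com", "ca.example.net"),
                     ("www.example.com", "other-ca.example.org"),
                     ("host.locked.example.com", "ca.example.net"),
                     ("*.wild.example.com", "ca.example.net"),
                     ("nocaa.example.org", "ca.example.net")]:
        print(name, ca, caa_permits(name, ca))
```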
Note: If the ‘Generate a certificate on behalf of the user’ checkbox is enabled, the system will display an additional screen titled ‘User Information’ next to the Certificate Validity screen.
On the 'User Information' screen, you will be required to enter and select the Name, Email, Citizen ID, Mobile Number, and Role of the user for whom the certificate is being generated.
After entering the details, click ‘Approve’. The system will then display a subscriber agreement configured for this user's profile.
When you agree to the subscriber agreement, the system will create an account for the user and generate the certificate. The user will receive an email regarding the account and certificate creation and is prompted to activate their account.
Note: If the certificate is being created for a user who does not exist in the system, a new account will be created for the user along with the certificate.
If the user already has a registered account in the WebRA system, only the certificate will be created. The user will be notified via email about the certificate generation.
Meanwhile, if the user exists in the system but is not part of the enterprise where the certificate is being created, the system will send an invitation for the user to join that enterprise and will generate the certificate as well.
Submit a Certificate Request based on Go>Sign Desktop Profile
Expand Requests > Certificate Requests from the left menu pane. The Certificate Requests listing screen will appear.
Click the + button in the grid header to access the Create Request screen. Select the Enterprise name from the dropdown, choose the Certificate Type, and click 'Create'.
Note: A checkbox titled ‘Generate a certificate on behalf of the user’ will appear on this screen if the policy for this option is enabled in the Enterprise > Policies section.
Enabling this checkbox will allow the operator to generate a certificate on behalf of the user.
A Welcome Note screen will appear. Enable the ‘I allow the use of my data for processing certificate application by Enterprise Name’ and click next.
Note: The welcome note will only appear during the creation of a certificate request if the operator has added customised request notes in the enterprise that the user belongs to. For more details, navigate to Request Notes.
Once you agree to the Welcome Note and click Next, the ‘Subject Distinguished Name (SDN)’ screen will appear. Enter the required details in the respective fields and click Next.
The Certificate Validity screen will appear. Enter the validity period and click 'Generate'.
The system will display a 'Go Sign Token' dialog with a dropdown named 'Token'. You will be required to select the token for the certificate being generated. After selecting the token, click 'Ok'.
The system will generate the CSR and issue the certificate. The 'Certificate Generated' message will appear at the right bottom of the screen.
Note: If the ‘Generate a certificate on behalf of the user’ checkbox is enabled, the system will display an additional screen titled ‘User Information’ next to the Certificate Validity screen.
On this screen, you will be required to enter and select the Name, Email, Citizen ID, Mobile Number, and Role of the user for whom the certificate is being generated.
After entering the details, click ‘Generate’.
The system will display a 'Go Sign Token' dialog with a dropdown named 'Token'. You will be required to select the token for the certificate being generated. After selecting the token, click 'Ok'.
The system will create an account for the user and generate the certificate.
The system will auto-generate the PIN or PUK value based on the configured policies in the Enterprises > Policies section. If there is no policy enabled, the system will auto-generate a random value for PIN or PUK. The generated values will be shared with the user via Email or SMS (depending upon the mechanism selected during the creation of certification profile). The user will also receive an email regarding the account and certificate creation and is prompted to activate their account.
Note: If the certificate is being created for a user who does not exist in the system, a new account will be created for the user along with the certificate. If the user already has a registered account in the WebRA system, only the certificate will be created. The user will be notified via email about the certificate generation. Meanwhile, if the user exists in the system but is not part of the enterprise where the certificate is being created, the system will send an invitation for the user to join that enterprise and will generate the certificate as well.
Note: If 'Dual Control' for request section or 'Special Permissions' setting is enabled in the certification profile of Smartcard/Token in ADSS Web RA, the 'Go Sign Token' dialog will also display a 'None' option in the dropdown.
If you select the 'None' option from the dropdown and submit the request, the certificate request will be submitted without creating CSR. However, if you select a token from the dropdown, the system will first create a CSR and then submit the certificate request.
Note: If the token password previously generated by the ADSS Web RA system has been changed through the 'SafeNet Authentication Client', the system will display the 'Go Sign Update PIN' dialog when you attempt to generate a new certificate request from the same token.
You will be required to enter the updated token PIN to proceed.
Second Factor Authentication
If second factor authentication is enabled on certificate requests, the configured authentication mechanism will function accordingly. When a user clicks on the Generate button, the authentication window will appear, and once it accepts the selected method, it will generate a certificate.
The authentication mechanism can be one of the following:
- SMS OTP Authentication
- Email OTP Authentication
- Email & SMS Authentication
- SAML Authentication
- Active Directory Authentication
- Azure Active Directory Authentication
- OIDC Authentication
Resubmit a Declined Request
The operator can resubmit a certificate request that has been declined. This allows them to modify the required details and submit the request again for approval.
The option to resubmit the declined certificate request will only appear if the policy for this option has been enabled from the Policies.
Expand Requests > Certificate Requests to access the requests listing section.
To do that, click the button next to the certificate request that has been declined.
The system will display a ‘Resubmit’ option in the menu. Clicking the Resubmit option will open the request in create screen mode.
From that screen, the operator can modify the required details and click ‘Submit’ to send the request for approval again.
View Token Information
The operator can view the token information of a certificate from the Certificate Requests listing screen.
To do that, click the button next to the certificate for which a token has been generated. The system will display the ‘Token Information’ option in the menu.
Click ‘Token Information’, and the system will open a dialog displaying the complete token details for that certificate.
The system also provides an option in the Token Information dialog to resend the values of PIN/PUK to the user.
If the operator clicks the 'Resend PIN/PUK' button, the values will be shared with the user via Email, SMS, or both. The mechanism for receiving the PIN/PUK values is selected during the creation of the certification profile. See the Certification Profiles section for more details about mechanisms.