This section explains how to create CSR-based certificate requests in the Web RA application.



Following are a few things to remember with respect to SDNs, SANs and RDNs:


  • When a user creates a new certificate request, the SDNs and SANs will be rendered as configured in the certification profile and their values will be auto-filled from the certificate details.


  • A user will not be able to change the values of the RDNs if an operator has configured them in the certificate details.


  • An operator will see the rendered values in a disabled form. 


  • If there is an RDN that is added in the certification profile but has not been configured in the user's certificate details, it will be shown as editable in the request form and the user can update its value.


  • If no RDN is configured in the user certificate details then the request will be generated.


  • In case of an error, the user will not be allowed to move to the next step. 


Second Factor Authentication 


If second-factor authentication is enabled for certificate requests, the configured authentication mechanism operates accordingly. When the user clicks Generate, an authentication window appears. After the selected method is successfully verified, the certificate is generated.


The authentication mechanism can be one of the following:


  • SMS OTP Authentication 
  • Email OTP Authentication 
  • Email & SMS Authentication
  • SAML Authentication 
  • Active Directory Authentication 
  • Azure Active Directory Authentication
  • OIDC Authentication 


Request Notes


If an operator has added a customized Request Note to certificate requests for a specific enterprise, it will appear in all types of certificate requests: issued, rekey, revoked, renewed and reissued. The Request Notes appear only on the screens against which the operator has customised them.


An operator can configure Request Notes from the Enterprise Request Notes section in the Admin portal.


The following steps describe how to create a request for “$REQUEST / $PKCS10 / SDN / SAN” certificate type using CSR with vetting:


In the web portal, navigate to Certificate Center > Certificate Requests from the left menu tree.



Click on the ‘+’ plus button in the listing header to create a new certificate request. The system will display the ‘Create Request’ screen. 



On this screen, select the ‘Certificate Type’ and click ‘Create’. 


The system will display the ‘Welcome Note’ screen. 



Enable the checkbox with the text ‘I allow the use of my data for processing certificate application by (Enterprise Name)’ and click the ‘>’ next button to continue. 


Note: The Welcome Note screen will only appear if the operator has enabled customised Request Notes in the ‘Notification’ section of the Enterprise the user belongs to.


After you click ‘Next’, the system will display the ‘Certificate Signing Request (CSR)’ screen. Here, you will be required to either upload a CSR or paste the file in the given box. 



After uploading the CSR, the following screen will appear. 



You can click on the eye icon to view the details of the CSR. The details will appear in a dialog as displayed below:



You can scroll down the dialog to view the complete details inside the CSR.


Click ‘Next’ to navigate to the ‘Subject Distinguished Name (SDNs)’ screen. The SDN fields will be auto-filled according to details filled in the uploaded CSR.



After reviewing the information, click ‘Next’. The ‘Subject Alternative Name (SANs)’ screen will appear.


It contains the following fields:


  • DNS Name
  • IP Address
  • Email Address 


In the ‘Other Name’ section, the following fields will appear:


  • OID 
  • Value 
  • Encoding



Click ‘Next’ to navigate to the ‘Certificate Validity’ screen.


The validity period will appear in a disabled form. Click 'Generate' to create the certificate.



After clicking ‘Generate’, the system will display a subscriber agreement. 


Note: The Subscriber Agreement dialog will only appear if the settings have been configured with this user profile. 


Click ‘I Agree’ to proceed. 



The system will generate the certificate and download it to your computer. You can find the certificate in the 'Downloads' folder on your computer. The certificate request will also be displayed in the 'Certificate Requests' listing.



If you close the 'Certificate Generated' window, the following screen will appear. 



On this screen, you will have the option to download, provision, or revoke the certificate using the respective buttons. You can also click the 'More Actions' button to perform additional actions (such as rekeying the certificate) if required.


When you click on Provision, the Provision dialog will appear on the screen.



Choose the required option from the 'Provision' dropdown and click the Provision button. The certificate will then be provisioned.

When you click the 'Download' button, the 'Download Certificate' dialog appears. From this dialog, you can choose to download either the certificate only or the certificate PFX.



If you click on the 'Download Certificate PFX' radio button, the dialog will display Password and Confirm Password fields. Type in the required password and click 'OK'.


Note: If the ‘Enable one-time PFX download’ option is enabled in the Certification Profile, the PFX can only be downloaded once. If the option is disabled, the PFX can be downloaded multiple times.

When you click the 'Revoke Certificate' button, the 'Certificate Action' screen appears. On this screen, you must select a reason for revoking the certificate from the 'Certificate Revocation Reason' dropdown and, if required, enter a message in the optional message box.

Before revoking a certificate, you must select the 'Are you sure you want to revoke this certificate' checkbox. Then, click 'Revoke' to proceed with the revocation. 


The following steps describe how to create a certificate request for “TLS using CSR with CV as None (CAA Records)” certificate type.


In the web portal, expand the ‘Certificate Center’ tab from the left menu pane and click on the ‘Certificate Requests’ option. 



Click on the ‘+’ plus button in the listing header to create a new certificate request. The system will display the ‘Create Request’ screen. 



On this screen, select the ‘Certificate Type’ from the given dropdown field and click ‘Create’. 


The system will display the ‘Welcome Note’ screen.



Enable the checkbox with the text ‘I allow the use of my data for processing certificate application by (Enterprise Name)’ and click the ‘>’ next button to continue. 


Note: The Welcome Note screen will only appear if the operator has enabled customised Request Notes in the ‘Notification’ section of the Enterprise the user belongs to.


After you click ‘Next’, the system will display the ‘Certificate Signing Request (CSR)’ screen. Here, you will be required to either upload a CSR or paste the file in the given box. 



After uploading the CSR, the following screen will appear. 



Click the next ‘>’ button to navigate to the ‘Subject Distinguished Name (SDN)’ screen.



The SDN fields will be auto-filled according to details filled in the uploaded CSR. After reviewing the information, click the next button to navigate to the ‘Subject Alternative Name (SAN)’ screen.



Select the domain names from the ‘Domain Names (DNS)’ dropdown. Enter the IP address and email address in the respective fields and enter the details in the ‘Other Name’ section. Then click ‘>’.



The ‘Certificate Validity’ screen will appear. The validity period will be displayed in a disabled form. 


Click the next button to navigate to the ‘Domain Ownership Verification’ screen.



The ‘Domain Verification Status’ will appear unverified. Click the ‘Verify’ button.


If the CAA records you configured in the Enterprise Domain configurations match the CAA record you entered in the DNS entry, the Domain Verification Status will appear Verified, as displayed below:



If the CAA records you configured in the Enterprise Domain configurations do not match the CAA record you entered in the DNS entry, the Domain Verification Status will appear Unverified, as displayed below:



In case of Verified, click Generate to process a certificate. The Certificate Generated confirmation message will appear, as displayed below:



The following steps describe how to create a certificate request for email signing using CSR.


Expand Certificate Center > Certificate Requests to navigate to the Certificate Requests listing screen. 



Click the + button to create a new certificate request. The system will display the create request screen.


On this screen, select the ‘Certificate Type’ from the dropdown, and click ‘Create’.



A "Welcome Note" screen will appear. Enable the ‘I allow the use of my data for processing certificate application by Enterprise Name’ checkbox and click Next.


Note: The welcome note will only appear during the creation of a certificate request if the operator has added customised request notes in the enterprise that the user belongs to. For more details, navigate to Request Notes.


Once you agree to the welcome note and click Next, the upload CSR screen will appear. Here, upload or paste a CSR in the respective box.



Once the CSR is uploaded, the following screen will be displayed.



Click next to navigate to the 'Subject Distinguished Name (SDN)' screen. After entering the required details, click Next.



The Subject Alternative Name (SAN) screen will appear. Here, enter the IP address and email address in the respective fields, then click Next.



The 'Certificate Validity' screen will appear. The validity period will be displayed in a disabled form. Click Next to proceed.



Now, the 'Domain Ownership Verification' screen will appear. The Domain Verification Status will appear unverified. Click Verify to proceed.



If the CAA records configured in the Enterprise Domain configurations match the domain of the entered email, the Domain Verification Status will appear as Verified, as displayed below.



In case of Verified status, click Generate to process a certificate. The Certificate Generated confirmation message will appear, as displayed below:



Meanwhile, if the CAA records configured in the Enterprise Domain configurations do not match the domain of any entered email, the Domain Verification Status will appear as ‘Unverified’.


The unverified domain name will appear in red text under the ‘Details’ column.



If you attempt to generate the certificate while the Domain Verification Status is ‘Unverified,’ the system will display an error dialog prompting you to verify your domain CAA records before proceeding.



Note: If no CAA record is present, any CA is allowed to issue a certificate for the domain. If a CAA record is present, only the CAs listed in the record(s) are allowed to issue certificates for that hostname.
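
The rule in the note above, worked through as an added Python example (not Web RA code). It follows RFC 8659 and goes beyond the note by also covering the climb to parent domains, wildcard names, the empty issuer value `;` and the critical flag. The zone data, the host names and the CA identifier `ca.example.net` are constructed for illustration.

```python
# Constructed sample data: owner name -> CAA records as (flags, tag, value).
SAMPLE_ZONE = {
    "example.com": [(0, "issue", "ca.example.net"), (0, "issuewild", ";")],
    "internal.example.com": [(0, "issue", ";")],
    "example.org": [(0, "iodef", "mailto:security@example.org")],
}
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def relevant_rrset(name, zone):
    """Climb from the name toward the root; return the first CAA RRset found."""
    labels = name.lower().rstrip(".").split(".")
    if labels[0] == "*":          # a wildcard is looked up at its parent name
        labels = labels[1:]
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []


def issuer_domain(value):
    """Issuer domain from an issue/issuewild value; parameters after ';' dropped."""
    return value.split(";", 1)[0].strip().lower()


def ca_may_issue(name, ca_id, zone):
    """Return (allowed, reason) for the CA identified by ca_id and this name."""
    rrset = [(f, t.lower(), v) for f, t, v in relevant_rrset(name, zone)]
    if not rrset:
        return True, "no CAA record, any CA may issue"
    if any(f & 128 and t not in KNOWN_TAGS for f, t, _ in rrset):
        return False, "critical property with an unknown tag"
    issue = [issuer_domain(v) for _, t, v in rrset if t == "issue"]
    wild = [issuer_domain(v) for _, t, v in rrset if t == "issuewild"]
    # issuewild, when present, replaces issue for wildcard names only.
    listed = wild if name.startswith("*.") and wild else issue
    if not listed:
        return True, "CAA present but no property restricts issuance"
    if ca_id and ca_id.lower() in listed:
        return True, "CA is listed"
    return False, "CA is not listed"


if __name__ == "__main__":
    for n in ("www.example.com", "*.example.com", "host.internal.example.com",
              "www.example.org", "www.example.net"):
        print(n, ca_may_issue(n, "ca.example.net", SAMPLE_ZONE))
```

A record set that carries only `iodef` does not restrict issuance, and a subdomain with its own CAA record set is not covered by its parent's, which is why `host.internal.example.com` is refused even though `example.com` lists the CA.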