Submit a Certificate Request based on Email Signing using CSR


Expand Requests > Certificate Requests from the left menu pane. The Certificate Requests listing screen will appear. 



Click the + button in the grid header to access the Create Request screen. Select the Enterprise name from the dropdown, choose the Certificate Type, and click 'Create'.



Note: A checkbox titled ‘Generate a certificate on behalf of the user’ will appear on this screen if the policy for this option is enabled in the Enterprise > Policies section. 


Enabling this checkbox will allow the operator to generate a certificate on behalf of the user. 



A 'Welcome Note' screen will appear. Enable the ‘I allow the use of my data for processing certificate application by Enterprise Name’ checkbox and click next.


Note: The welcome note will only appear during the creation of a certificate request if the operator has added customised request notes in the enterprise that the user belongs to. For more details, navigate to Request Notes.



Once you agree to the welcome note and click Next, the upload CSR screen will appear. Here, upload or paste a CSR in the respective box.



Once the CSR is uploaded, the following screen will be displayed.



You can click the view button to see the details in the CSR. It contains all the SDNs, SANs, etc.




ADSS Web RA Server supports the following attributes in a CSR:


  • Common Name
  • First Name
  • Last Name
  • Title
  • Organisation Unit
  • Organisation Identifier
  • Email
  • Locality
  • Street Address
  • State
  • Postal Code
  • Country
  • Subject Serial Number
  • Business Category
  • DNS Name
  • IP Address
  • Email Address
  • Other Name
  • Public Key
  • Public Key Algorithm
  • Public Key Length
  • Signature
  • Signature Algorithm
  • Version
  • Key Size
  • Fingerprint (SHA-1)
  • Fingerprint (MD5)
  • SANS


ADSS Web RA Server does not supports the following attributes in a CSR:


  • Exponent
  • Certificate Extensions 
  • Key Id Hash(rfc-sha1)
  • Key Id Hash(sha1)
  • Key Id Hash(bcrypt-sha1)
  • Key Id Hash(bcrypt-sha256)


Click next to navigate to the Subject Distinguished Name (SDN) screen. After entering the required details, click Next.



The Subject Alternative Name (SAN) screen will appear. Here, enter the IP address and email address in the respective fields, then click Next.



The Certificate Validity screen will appear. The validity period will be displayed in a disabled form, click Next to proceed.



Now, the 'Domain Ownership Verification' screen will appear. The Domain Verification Status will appear 'Unverified'. Click 'Verify' to proceed.



If the CAA records configured in the Enterprise Domain configurations match the domain of the entered email, the Domain Verification Status will appear as Verified, as displayed below.



In case of Verified status, click 'Generate' to process a certificate. The certificate will be generated and downloaded in your computer. 



Meanwhile, if the CAA records configured in the Enterprise Domain configurations do not match with the domain of any entered email, the Domain Verification Status will appear as ‘Unverified’.


The unverified domain name will appear in red text under the ‘Details’ column.



If you attempt to generate the certificate while the Domain Verification Status is ‘Unverified,’ the system will display an error dialog prompting you to verify your domain’s CAA records before proceeding.



Note: If no CAA record is present, any CA is allowed to issue a certificate for the domain. If a CAA record is present, only the CAs listed in the record(s) are allowed to issue certificates for that hostname.

Note: If the ‘Generate a certificate on behalf of the user’ checkbox is enabled, the system will display an additional screen titled ‘User Information’ next to the 'Domain Ownership Verification' screen.


 


On the 'User Information' screen, you will be required to enter/select the Name, Email, Citizen ID, Mobile Number, and Role of the user for whom the certificate is being generated. 


After entering the details, click ‘Approve’. The system will then display a subscriber agreement configured for this user's profile. 


When you agree to the subscriber agreement, the system will create an account for the user and generate the certificate. The user will receive an email regarding the account and certificate creation and is prompted to activate their account.


Note: If the certificate is being created for a user who does not exist in the system, a new account will be created for the user along with the certificate. 


If the user already has a registered account in the WebRA system, only the certificate will be created. The user will be notified via email about the certificate generation.


Meanwhile, if the user exists in the system but is not part of the enterprise where the certificate is being created, the system will send an invitation for the user to join that enterprise and will generate the certificate as well.