This section explains how to create certificate requests for S/MIME Certificate type in the Web RA application.



Following are a few things to remember with respect to SDNs, SANs and RDNs:


  • When a user creates a new certificate request, the SDNs and SANs will be rendered as configured in the certification profile and its values will be auto-filled from the certificate details. 


  • A user will not be able to change the values of the RDNs if an operator has configured them in the certificate details.


  • An operator will see the rendered values in a disabled form. 


  • If there is an RDN that is added in certification profile but has not been configured in the user's certificate details, it will be shown as editable in the request form and the user can update its value.


  • If no RDN is configured in the user certificate details then the request will be generated.


  • In case of an error, the user will not be allowed to move to the next step. 


Second Factor Authentication 


If second-factor authentication is enabled for certificate requests, the configured authentication mechanism operates accordingly. When the user clicks Generate, an authentication window appears. After the selected method is successfully verified, the certificate is generated.


The authentication mechanism can be one of the following:


  • SMS OTP Authentication 
  • Email OTP Authentication 
  • Email & SMS Authentication
  • SAML Authentication 
  • Active Directory Authentication 
  • Azure Active Directory Authentication
  • OIDC Authentication 


Request Notes


If an operator has added a customized Request Note to certificate requests for a specific enterprise, it will appear in all types of certificates requests -- issued, rekey, revoked, renewed and reissued. The Request Notes appear only on the screens against which the operator has customised them. 


An operator can configure Request Notes from the Enterprise Request Notes section in the Admin portal.


The following steps describe how to create a certificate request for email signing using CSR.


Expand Certificate Center > Certificate Requests to navigate to the Certificate Requests listing screen. 



Click the + button to create a new certificate request. The system will display the create request screen.


On this screen, select the ‘Certificate Type’ from the dropdown, and click ‘Create’.



A "Welcome Note" screen will appear. Enable the ‘I allow the use of my data for processing certificate application by Enterprise Name’ and click next.


Note: The welcome note will only appear during the creation of a certificate request if the operator has added customised request notes in the enterprise that the user belongs to. For more details, navigate to Request Notes.


Once you agree to the welcome note and click Next, the upload CSR screen will appear. Here, upload or paste a CSR in the respective box.



Once the CSR is uploaded, the following screen will be displayed.



Click next to navigate to the 'Subject Distinguished Name (SDN)' screen. After entering the required details, click Next.



The Subject Alternative Name (SAN) screen will appear. Here, enter the IP address and email address in the respective fields, then click Next.



The 'Certificate Validity' screen will appear. The validity period will be displayed in a disabled form, click Next to proceed.



Now, the 'Domain Ownership Verification' screen will appear. The Domain Verification Status will appear unverified. Click Verify to proceed.



If the CAA records configured in the Enterprise Domain configurations match the domain of the entered email, the Domain Verification Status will appear as Verified, as displayed below.



In case of Verified status, click Generate to process a certificate. The Certificate Generated confirmation message will appear, as displayed below:



Meanwhile, if the CAA records configured in the Enterprise Domain configurations do not match the domain of any entered email, the Domain Verification Status will appear as ‘Unverified’.


The unverified domain name will appear in red text under the ‘Details’ column.



If you attempt to generate the certificate while the Domain Verification Status is ‘Unverified,’ the system will display an error dialog prompting you to verify your domain CAA records before proceeding.



Note: If no CAA record is present, any CA is allowed to issue a certificate for the domain. If a CAA record is present, only the CAs listed in the record(s) are allowed to issue certificates for that hostname.


Following are the steps to create a certificate request for email signing.


Expand Certificate Center > Certificate Requests to navigate to the Certificate Requests listing screen. 



Click the + button to create a new certificate request. The system will display the create request screen.


On this screen, select the ‘Certificate Type’ from the dropdown, and click ‘Create’.



A Welcome Note screen will appear. Enable the ‘I allow the use of my data for processing certificate application by Enterprise Name’ and click next.


Note: The welcome note will only appear during the creation of a certificate request if the operator has added customised request notes in the enterprise that the user belongs to. For more details, navigate to Request Notes.



Once you agree to the Welcome Note and click Next, the ‘Subject Distinguished Name (SDN) screen will appear. Enter the required details in the respective fields and click Next.



The ‘Subject Alternative Screen (SAN) will now appear. Here, enter the IP address and email address in the respective fields, then click Next.



The 'Certificate Validity' screen will appear. The validity period will be displayed in a disabled form. Click the next '>' button to proceed.



Now, the 'Domain Ownership Verification' screen will appear. The Domain Verification Status will appear 'Unverified'. Click Verify to proceed.



If the CAA records configured in the Enterprise Domain configurations match the domain of the entered email, the 'Domain Verification Status' will appear as 'Verified', as displayed below.



In case of Verified status, click Generate to process a certificate. The Certificate Generated confirmation message will appear, as displayed below:



Meanwhile, if the CAA records configured in the Enterprise Domain configurations do not match with the domain of any entered email, the Domain Verification Status will appear as ‘Unverified’.


The unverified domain name will appear in red text under the ‘Details’ column.



If you attempt to generate the certificate while the Domain Verification Status is ‘Unverified,’ the system will display an error dialog prompting you to verify your domain’s CAA records before proceeding.



Note: If no CAA record is present, any CA is allowed to issue a certificate for the domain. If a CAA record is present, only the CAs listed in the record(s) are allowed to issue certificates for that hostname.