POST CSR Generation Generate

The POST /CSRGeneration/Generate method is used to generate and configure a CSR (certificate signing request). This method returns HTTP 200 OK on success with a message body containing the text of the CSR file created.

This method generates a private key and stores it, in encrypted form, in the Keyfactor Command database. When you use the CSR resulting from this method to enroll for a certificate through Keyfactor Command (see POST Enrollment CSR), the resulting certificate is married together with the stored private key and may then be downloaded together with its private key (see POST Certificates Recover).

Tip:  The following permissions (see Security Roles and Claims) are required to use this feature:

/certificates/enrollment/csr_generation/

Note:  The supported key algorithms for a certificate template are determined based on system-wide template policy, template-level template policy, and the template's supported algorithm(s).

When configuring template-level policies for key information, only key sizes that are valid for the algorithm will be available, according to the system-wide policy, the template-level policy, and the supported key sizes. For PFX enrollment and CSR generation, you must select a valid KeyType, and KeyLength or Curve as applicable, for the request.

Table 404: POST CSR Generation Generate Input Parameters

Name In Description
AlternativeCurve Body

A string indicating the elliptic curve for the requested alternate key.

This field is present in the endpoint for future support. CSR generation with ECC as a secondary key is not supported at this time.

AlternativeKeyLength Body

An integer indicating the desired alternative key size of the certificate to be requested with the CSR.

AlternativeKeyType Body

A string indicating the desired alternative key encryption algorithm of the certificate to be requested with the CSR. Supported key algorithms are:

  • ML-DSA-44 (Dilithium-2)

  • ML-DSA-65 (Dilithium-3)

  • ML-DSA-87 (Dilithium-5)

A CSR with a secondary key using a Post-Quantum Cryptography (PQC) Dilithium key algorithm can be used to enroll for a hybrid certificate (a certificate with two key pairs).

Curve Body

A string indicating the elliptic curve for the requested primary key. ECC curves must be specified using the OID for the ECC algorithm. Keyfactor recommends using one of the most commonly used ECC curves when possible, if a specific alternate curve is not required. Common curves include:

  • P-256/prime256v1/secp256r1 - 1.2.840.10045.3.1.7

  • P-384/secp384r1 - 1.3.132.0.34

  • P-521/secp521r1 - 1.3.132.0.35

Named curves and associated OIDs:

Name OID
B-571 1.3.132.0.39
B-409 1.3.132.0.37
B-283 1.3.132.0.17
B-233 1.3.132.0.27
B-163 1.3.132.0.15
brainpoolP160r1 1.3.36.3.3.2.8.1.1.1
brainpoolP160t1 1.3.36.3.3.2.8.1.1.2
brainpoolP192r1 1.3.36.3.3.2.8.1.1.3
brainpoolP192t1 1.3.36.3.3.2.8.1.1.4
brainpoolP224r1 1.3.36.3.3.2.8.1.1.5
brainpoolP224t1 1.3.36.3.3.2.8.1.1.6
brainpoolP256r1 1.3.36.3.3.2.8.1.1.7
brainpoolP256t1 1.3.36.3.3.2.8.1.1.8
brainpoolP320r1 1.3.36.3.3.2.8.1.1.9
brainpoolP320t1 1.3.36.3.3.2.8.1.1.10
brainpoolP384r1 1.3.36.3.3.2.8.1.1.11
brainpoolP384t1 1.3.36.3.3.2.8.1.1.12
brainpoolP512r1 1.3.36.3.3.2.8.1.1.13
brainpoolP512t1 1.3.36.3.3.2.8.1.1.14
c2pnb163v1 1.2.840.10045.3.0.1
c2pnb163v2 1.2.840.10045.3.0.2
c2pnb163v3 1.2.840.10045.3.0.3
c2pnb176w1 1.2.840.10045.3.0.4
c2pnb208w1 1.2.840.10045.3.0.10
c2pnb272w1 1.2.840.10045.3.0.16
c2pnb304w1 1.2.840.10045.3.0.17
c2pnb368w1 1.2.840.10045.3.0.19
c2tnb191v1 1.2.840.10045.3.0.5
c2tnb191v2 1.2.840.10045.3.0.6
c2tnb191v3 1.2.840.10045.3.0.7
c2tnb239v1 1.2.840.10045.3.0.11
c2tnb239v2 1.2.840.10045.3.0.12
c2tnb239v3 1.2.840.10045.3.0.13
c2tnb359v1 1.2.840.10045.3.0.18
c2tnb431r1 1.2.840.10045.3.0.20
FRP256v1 1.2.250.1.223.101.256.1
K-571 1.3.132.0.38
K-409 1.3.132.0.36
K-283 1.3.132.0.16
K-233 1.3.132.0.26
K-163 1.3.132.0.1
P-521 1.3.132.0.35
P-384 1.3.132.0.34
P-256 1.2.840.10045.3.1.7
P-224 1.3.132.0.33
P-192 1.2.840.10045.3.1.1
prime192v1 1.2.840.10045.3.1.1
prime192v2 1.2.840.10045.3.1.2
prime192v3 1.2.840.10045.3.1.3
prime239v1 1.2.840.10045.3.1.4
prime239v2 1.2.840.10045.3.1.5
prime239v3 1.2.840.10045.3.1.6
prime256v1 1.2.840.10045.3.1.7
secp112r1 1.3.132.0.6
secp112r2 1.3.132.0.7
secp128r1 1.3.132.0.28
secp128r2 1.3.132.0.29
secp160k1 1.3.132.0.9
secp160r1 1.3.132.0.8
secp160r2 1.3.132.0.30
secp192k1 1.3.132.0.31
secp192r1 1.2.840.10045.3.1.1
secp224k1 1.3.132.0.32
secp224r1 1.3.132.0.33
secp256k1 1.3.132.0.10
secp256r1 1.2.840.10045.3.1.7
secp384r1 1.3.132.0.34
secp521r1 1.3.132.0.35
sect113r1 1.3.132.0.4
sect113r2 1.3.132.0.5
sect131r1 1.3.132.0.22
sect131r2 1.3.132.0.23
sect163k1 1.3.132.0.1
sect163r1 1.3.132.0.2
sect163r2 1.3.132.0.15
sect193r1 1.3.132.0.24
sect193r2 1.3.132.0.25
sect233k1 1.3.132.0.26
sect233r1 1.3.132.0.27
sect239k1 1.3.132.0.3
sect283k1 1.3.132.0.16
sect283r1 1.3.132.0.17
sect571r1 1.3.132.0.39
sm2p256v1 1.2.156.10197.1.301
wapip192v1 1.2.156.10197.1.301.101

If this value is not supplied and the KeyType is ECC, the value will be derived from the KeyLength if the length provided matches one of the default curves (P-256, P-384, or P-521).

KeyLength Body

Required in some cases. An integer indicating the desired key size of the certificate to be requested with the CSR. Supported key sizes are:

  • 255
  • 256
  • 384
  • 448
  • 521
  • 2048
  • 3072
  • 4096
  • 8192

This value is required only if KeyType = RSA.

KeyType Body

Required. A string indicating the desired primary key encryption algorithm of the certificate to be requested with the CSR. Supported key algorithms are:

  • RSA

  • ECC

  • Ed448

  • Ed25519

SANs Body

An object that contains the elements for Keyfactor Command to use when generating the subject alternative name (SAN) for the certificate requested by the CSR, each of which is supplied as an array of strings.

For example:

"SANs": {
   "dns": [
      "dnssan1.keyexample.com",
      "dnssan2.keyexample.com",
      "dnssan3.keyexample.com"
   ],
   "ip": [
      "192.168.2.73"
   ]
}
Subject Body

Required. A string containing the subject name of the certificate to be requested with the CSR using X.500 format for the full distinguished name (DN). For example:

"Subject": "CN=websrvr14.keyexample.com, OU=IT, O=\"Key Example, Inc.\", L=Independence, ST=OH, C=US"


Template Body

A string indicating the desired template to be used for the certificate to be requested with the CSR. The template must have been configured in Keyfactor Command to support CSR generation. This field is optional.

Important:  The template will not be included in the CSR. The template is referenced in order to retrieve key and other information to help populate the CSR. In addition, the CSR generation function supports template-level regular expressions for both subject parts and SANs. If system-wide and template-level regular expressions exist for the same field and you select a template, the template-level regular expression is applied.

If you choose to select a template during CSR generation, you will need to choose the same template during CSR Enrollment, because the CSR file will contain elements from the template which may conflict with other template configurations.

Table 405: POST CSR Generation Generate Response Data

Name Description
CSR The text of the CSR in PEM format.
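As an added example (not Keyfactor's own code), the following Python builds a request body for this endpoint that honours the rules documented above (KeyLength only for RSA, Curve derived from KeyLength for the default ECC curves, ML-DSA algorithms for the alternative key) and sanity-checks the returned PEM CSR before it is forwarded to POST Enrollment CSR. The function names, and the decision to reject an ECC request that has neither a Curve nor a default KeyLength instead of guessing, are this example's own assumptions; sending the body over HTTP is left to the caller.

```python
import base64
import re

# Default curve OIDs from the documentation table, keyed by the KeyLength the
# service maps to them when Curve is omitted on an ECC request.
DEFAULT_CURVE_OIDS = {256: "1.2.840.10045.3.1.7",  # P-256 / prime256v1 / secp256r1
                      384: "1.3.132.0.34",         # P-384 / secp384r1
                      521: "1.3.132.0.35"}         # P-521 / secp521r1
RSA_KEY_LENGTHS = {2048, 3072, 4096, 8192}
KEY_TYPES = {"RSA", "ECC", "Ed448", "Ed25519"}
ALT_KEY_TYPES = {"ML-DSA-44", "ML-DSA-65", "ML-DSA-87"}

def build_csr_request(subject, key_type, key_length=None, curve=None,
                      sans=None, template=None, alt_key_type=None):
    """Body for POST /CSRGeneration/Generate, or ValueError if the documented rules are broken."""
    if key_type not in KEY_TYPES:
        raise ValueError(f"unsupported KeyType {key_type!r}")
    body = {"Subject": subject, "KeyType": key_type}
    if key_type == "RSA":  # KeyLength is required only for RSA
        if key_length not in RSA_KEY_LENGTHS:
            raise ValueError("RSA needs KeyLength 2048, 3072, 4096 or 8192")
        body["KeyLength"] = key_length
    elif key_type == "ECC":
        if curve is None:  # derived from KeyLength only for the default curves;
            if key_length not in DEFAULT_CURVE_OIDS:  # this example rejects anything else
                raise ValueError("ECC needs a Curve OID or KeyLength 256/384/521")
            curve = DEFAULT_CURVE_OIDS[key_length]
        body["Curve"] = curve
    if sans:
        body["SANs"] = {kind: list(values) for kind, values in sans.items()}
    if template:
        body["Template"] = template
    if alt_key_type:
        if alt_key_type not in ALT_KEY_TYPES:
            raise ValueError("AlternativeKeyType must be ML-DSA-44, -65 or -87")
        body["AlternativeKeyType"] = alt_key_type
    return body

def looks_like_pem_csr(text):
    """Sanity-check the 'CSR' response field before passing it to enrollment: PEM
    CERTIFICATE REQUEST armour whose payload is DER starting with SEQUENCE (0x30)."""
    match = re.search(r"-----BEGIN CERTIFICATE REQUEST-----(.*?)"
                      r"-----END CERTIFICATE REQUEST-----", text, re.S)
    if not match:
        return False
    try:
        der = base64.b64decode("".join(match.group(1).split()), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return len(der) >= 2 and der[0] == 0x30
```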
Tip:  See the Keyfactor API Reference and Utility which provides a utility through which the Keyfactor API endpoints can be called and results returned. It is intended to be used primarily for validation, testing and workflow development. It also serves secondarily as documentation for the API. The link to the Keyfactor API Reference and Utility is in the dropdown from the help icon at the top of the Management Portal page next to the Log Out button.