Documentation Suite v25.1.1

Submit Search

POST CSR Generation Generate

The POST /CSRGeneration/Generate method is used to generate and configure a CSR A CSR or certificate signing request is a block of encoded text that is submitted to a CA when enrolling for a certificate. When you generate a CSR within Keyfactor Command, the matching private key for it is stored in Keyfactor Command in encrypted format and will be married with the certificate once returned from the CA.. This method returns HTTP 200 OK on a success with a message body containing the text of the CSR file created.

This method generates a private key Private keys are used in cryptography (symmetric and asymmetric) to encrypt or sign content. In asymmetric cryptography, they are used together in a key pair with a public key. The private or secret key is retained by the key's creator, making it highly secure. and stores it in the Keyfactor Command database. When you use the CSR resulting from this method to enroll for a certificate through Keyfactor Command (see POST Enrollment CSR), the resulting certificate is married together with the stored private key and may then be download with private key (see POST Certificates Recover).

Tip: The following permissions (see Security Roles and Claims) are required to use this feature:

/certificates/enrollment/csr_generation/

Note: This endpoint

An endpoint is a URL that enables the API to gain access to resources on a server. no longer includes the CSRFilePath return value in the response from the API

An API is a set of functions to allow creation of applications. Keyfactor offers the Keyfactor API, which allows third-party software to integrate with the advanced certificate enrollment and management features of Keyfactor Command. call. Code separate from the API should be used to handle receipt of the CSR and placement on the file system.

Note: The supported key algorithms for enrollment are determined based on:

System-wide enrollment pattern policy
Individual enrollment pattern policy
Supported algorithms set on the template A certificate template defines the policies and rules that a CA uses when a request for a certificate is received. at the CA A certificate authority (CA) is an entity that issues digital certificates. Within Keyfactor Command, a CA may be a Microsoft CA or a Keyfactor gateway to a cloud-based or remote CA. level

When configuring key information policies at the enrollment pattern level, only key sizes valid for the selected algorithm will be available. These are governed by the system-wide policy, enrollment pattern policy, and supported key sizes. For PFX A PFX file (personal information exchange format), also known as a PKCS#12 archive, is a single, password-protected certificate archive that contains both the public and matching private key and, optionally, the certificate chain. It is a common format for Windows servers. enrollment and CSR generation, you must select a valid KeyType, and KeyLength or Curve as applicable, for the request.

Table 437: POST CSR Generation Generate Input Parameters

Name In Description

AlternativeCurve

Body

A string indicating the elliptic curve for the requested alternate key.

This field is in the endpoint for future support. CSR generation with ECC as a secondary key is not supported at this time.

AlternativeKeyLength Body An integer indicating the desired alternative key size of the certificate to be requested with the CSR.

AlternativeKeyType

Body

A string indicating the desired alternative key encryption algorithm of the certificate to be requested with the CSR. Supported key algorithms are:

ML-DSA-44

OID: 2.16.840.1.101.3.4.3.17
ML-DSA-65

OID: 2.16.840.1.101.3.4.3.18
ML-DSA-87

OID: 2.16.840.1.101.3.4.3.19

A CSR with a secondary key using a Post-Quantum Cryptography (PQC) key algorithm can be used to enroll for a hybrid certificate (a certificate with two key pairs).

Curve

Body

A string indicating the elliptic curve for the requested primary key. ECC curves must be specified using the OID for the ECC algorithm. Keyfactor recommends using one of the most commonly used ECC curves when possible, if a specific alternate curve is not required. Common curves include:

P-256/ prime256v1/ secp256r1 - 1.2.840.10045.3.1.7
P-384/secp384r1 - 1.3.132.0.34
P-521/secp521r1 - 1.3.132.0.35

Show named curves and associated OIDs.

Name	OID
B-571	1.3.132.0.39
B-409	1.3.132.0.37
B-283	1.3.132.0.17
B-233	1.3.132.0.27
B-163	1.3.132.0.15
brainpoolP160r1	1.3.36.3.3.2.8.1.1.1
brainpoolP160t1	1.3.36.3.3.2.8.1.1.2
brainpoolP192r1	1.3.36.3.3.2.8.1.1.3
brainpoolP192t1	1.3.36.3.3.2.8.1.1.4
brainpoolP224r1	1.3.36.3.3.2.8.1.1.5
brainpoolP224t1	1.3.36.3.3.2.8.1.1.6
brainpoolP256r1	1.3.36.3.3.2.8.1.1.7
brainpoolP256t1	1.3.36.3.3.2.8.1.1.8
brainpoolP320r1	1.3.36.3.3.2.8.1.1.9
brainpoolP320t1	1.3.36.3.3.2.8.1.1.10
brainpoolP384r1	1.3.36.3.3.2.8.1.1.11
brainpoolP384t1	1.3.36.3.3.2.8.1.1.12
brainpoolP512r1	1.3.36.3.3.2.8.1.1.13
brainpoolP512t1	1.3.36.3.3.2.8.1.1.14
c2pnb163v1	1.2.840.10045.3.0.1
c2pnb163v2	1.2.840.10045.3.0.2
c2pnb163v3	1.2.840.10045.3.0.3
c2pnb176w1	1.2.840.10045.3.0.4
c2pnb208w1	1.2.840.10045.3.0.10
c2pnb272w1	1.2.840.10045.3.0.16
c2pnb304w1	1.2.840.10045.3.0.17
c2pnb368w1	1.2.840.10045.3.0.19
c2tnb191v1	1.2.840.10045.3.0.5
c2tnb191v2	1.2.840.10045.3.0.6
c2tnb191v3	1.2.840.10045.3.0.7
c2tnb239v1	1.2.840.10045.3.0.11
c2tnb239v2	1.2.840.10045.3.0.12
c2tnb239v3	1.2.840.10045.3.0.13
c2tnb359v1	1.2.840.10045.3.0.18
c2tnb431r1	1.2.840.10045.3.0.20
FRP256v1	1.2.250.1.223.101.256.1
K-571	1.3.132.0.38
K-409	1.3.132.0.36
K-283	1.3.132.0.16
K-233	1.3.132.0.26
K-163	1.3.132.0.1
P-521	1.3.132.0.35
P-384	1.3.132.0.34
P-256	1.2.840.10045.3.1.7
P-224	1.3.132.0.33
P-192	1.2.840.10045.3.1.1
prime192v1	1.2.840.10045.3.1.1
prime192v2	1.2.840.10045.3.1.2
prime192v3	1.2.840.10045.3.1.3
prime239v1	1.2.840.10045.3.1.4
prime239v2	1.2.840.10045.3.1.5
prime239v3	1.2.840.10045.3.1.6
prime256v1	1.2.840.10045.3.1.7
secp112r1	1.3.132.0.6
secp112r2	1.3.132.0.7
secp128r1	1.3.132.0.28
secp128r2	1.3.132.0.29
secp160k1	1.3.132.0.9
secp160r1	1.3.132.0.8
secp160r2	1.3.132.0.30
secp192k1	1.3.132.0.31
secp192r1	1.2.840.10045.3.1.1
secp224k1	1.3.132.0.32
secp224r1	1.3.132.0.33
secp256k1	1.3.132.0.10
secp256r1	1.2.840.10045.3.1.7
secp384r1	1.3.132.0.34
secp521r1	1.3.132.0.35
sect113r1	1.3.132.0.4
sect113r2	1.3.132.0.5
sect131r1	1.3.132.0.22
sect131r2	1.3.132.0.23
sect163k1	1.3.132.0.1
sect163r1	1.3.132.0.2
sect163r2	1.3.132.0.15
sect193r1	1.3.132.0.24
sect193r2	1.3.132.0.25
sect233k1	1.3.132.0.26
sect233r1	1.3.132.0.27
sect239k1	1.3.132.0.3
sect283k1	1.3.132.0.16
sect283r1	1.3.132.0.17
sect571r1	1.3.132.0.39
sm2p256v1	1.2.156.10197.1.301
wapip192v1	1.2.156.10197.1.301.101
ML-DSA-44	2.16.840.1.101.3.4.3.17
ML-DSA-65	2.16.840.1.101.3.4.3.18
ML-DSA-87	2.16.840.1.101.3.4.3.19

If this value is not supplied and the KeyType is ECC, the value will be derived from the KeyLength if the length provided matches one of the default curves (P-256, P-384, or P-521).

Key Length

Body

Required^*. An integer indicating the desired key size of the certificate to be requested with the CSR. Supported key sizes are:

255
256
384
448
521
2048
3072
4096
8192

This value is required only if KeyType = RSA.

KeyType

Body

Required. A string indicating the desired primary key encryption algorithm of the certificate to be requested with the CSR. Supported key algorithms are:

RSA
ECC
Ed448
Ed25519

SANs

Body

An object that contains the elements for Keyfactor Command to use when generating the subject alternative name (SAN) for the certificate requested by the CSR, each of which is supplied as an array of strings. Show SAN key values.

Standard Value	Deprecated Value	Description
directory		Directory Name
dn		Distinguished Name
dns	dnsname, dns name	DNS Name
ediparty		EDI (Electronic Data Interchange) Party Name
email	mail	Email Address
guid		Globally Unique Identifier
ip	ip4, ipaddress	IP v4 Address Note: IP v4 and IP v6 addresses are handled separately in the Keyfactor Command Management Portal to allow for the application of separate regular expressions on enrollment, but they are stored using the standard ip value.
ip	ip6	IP v6 Address
oid		Object Identifier
other		Other Name
registered id		Registered ID (an OID)
upn		User Principal Name
uri		Uniform Resource Identifier
url		Uniform Resource Locator
x400		X400 Address
	rfc822	RFC 822 Name
	ms_ ntprincipal name	MS_ NTPrincipal Name (a string)
	ms_ ntds replication	MS_ NTDS Replication (a GUID)

For example:

Copy

"SANs": {
   "dns": [
      "dnssan1.keyexample.com",
      "dnssan2.keyexample.com",
      "dnssan3.keyexample.com"
   ],
   "ip": [
      "192.168.2.73"
   ]
}

Subject

Body

Required. A string containing the subject name of the certificate to be requested with the CSR using X.500 format for the full distinguished name (DN). For example:

Copy

"Subject": "CN=websrvr14.keyexample.com, OU=IT, O=\"Key Example, Inc.\", L=Independence, ST=OH, C=US"

Show subject name fields.

Name	Abbreviation	Description
Common Name	CN	Required^*. The desired common name of the certificate to be requested with the CSR. This field is required if the Common Name Regular Expression application setting is set to the default value of .+. This is the default configuration. See Application Settings: Enrollment Tab for more information.
Organization	O	The desired organization of the certificate to be requested with the CSR.
Organizational Unit	OU	The desired organizational unit of the certificate to be requested with the CSR.
Locality	L	The desired city of the certificate to be requested with the CSR.
State	ST	The desired state of the certificate to be requested with the CSR.
Country	C	The desired country (two characters) of the certificate to be requested with the CSR.
Email	E	The desired email address of the certificate to be requested with the CSR.

Template

Body

A string indicating the template to use when generating the CSR. This field is optional.

If both the Template and EnrollmentPatternId are provided, the settings from the enrollment pattern take precedence.

Important: The template must be configured with at least one enrollment pattern in order to be used (see POST Enrollment Patterns).

Note: This parameter is considered deprecated and may be removed in a future release.

Important: The template will not be included in the CSR. It is referenced in order to retrieve key and other information to help populate the CSR. In addition, the CSR generation function supports regular expressions for both subject parts and SANs at the template level. The regular expressions set at the template level take precedence over the system-wide regular expressions.

If you choose to select a template during CSR generation, you must choose the same template during CSR enrollment, because the CSR will contain elements from the template that may conflict with other template configurations.

Enrollment Pattern Id

Body

An integer indicating the enrollment pattern to use when generating the CSR. The enrollment pattern must have been configured in Keyfactor Command to support CSR generation. If this value is not provided, the default enrollment pattern defined for the template provided in the request (see the Template parameter) will be used, if applicable. This field is optional.

If both the Template and EnrollmentPatternId are provided, the settings from the enrollment pattern take precedence.

Important: The enrollment pattern will not be included in the CSR. It is referenced in order to retrieve key and other information to help populate the CSR. In addition, the CSR generation function supports regular expressions for both subject parts and SANs at the enrollment pattern level. The regular expressions set at the enrollment pattern level take precedence over the system-wide regular expressions.

If you choose to select an enrollment pattern during CSR generation, you must choose the same enrollment pattern during CSR enrollment, because the CSR will contain elements from the enrollment pattern that may conflict with other enrollment pattern configurations.

Table 438: POST CSR Generation Generate Response Data

Name	Description
CSR	The text of the CSR in PEM format.

Tip: See the Keyfactor API Reference and Utility which provides a utility through which the Keyfactor API endpoints can be called and results returned. It is intended to be used primarily for validation, testing and workflow

A workflow is a series of steps necessary to complete a process. In Keyfactor Command, it refers to the workflow builder, which allows you to automate event-driven tasks such as when a certificate is requested, revoked or found in a certificate store. development. It also serves secondarily as documentation for the API. The link to the Keyfactor API Reference and Utility is in the dropdown from the help icon (

) at the top of the Management Portal page next to the Log Out button.

Was this page helpful? Provide Feedback

Version v25.1.1

On this page: