CSR Generation

The Certificate Signing Request A CSR or certificate signing request is a block of encoded text that is submitted to a CA when enrolling for a certificate. When you generate a CSR within Keyfactor Command, the matching private key for it is stored in Keyfactor Command in encrypted format and will be married with the certificate once returned from the CA. (CSR A CSR or certificate signing request is a block of encoded text that is submitted to a CA when enrolling for a certificate. When you generate a CSR within Keyfactor Command, the matching private key for it is stored in Keyfactor Command in encrypted format and will be married with the certificate once returned from the CA.) generation page provides the ability to enter a subject, SAN The subject alternative name (SAN) is an extension to the X.509 specification that allows you to specify additional values when enrolling for a digital certificate. A variety of SAN formats are supported, with DNS name being the most common., key size The key size or key length is the number of bits in a key used by a cryptographic algorithm., and enrollment Certificate enrollment refers to the process by which a user requests a digital certificate. The user must submit the request to a certificate authority (CA). pattern information and generate a CSR based on this information. You can then use this CSR to request a certificate using the CSR enrollment function (see CSR Enrollment) or any other enrollment method requiring a CSR.

The intended use case for CSR generation in Keyfactor Command is for cases such as an offline CA A certificate authority (CA) is an entity that issues digital certificates. Within Keyfactor Command, a CA may be a Microsoft CA or a Keyfactor gateway to a cloud-based or remote CA. where it is desired that Keyfactor Command be able to store the private key Private keys are used in cryptography (symmetric and asymmetric) to encrypt or sign content. In asymmetric cryptography, they are used together in a key pair with a public key. The private or secret key is retained by the key's creator, making it highly secure.. See CSR Generation and Private Key Storage.

CSR Generation and Private Key Storage

To generate a CSR:

1. In the Keyfactor Command Management Portal, browse to Enrollment > CSR Generation.

2. In the Certificate Request Details section of the page:

   1. Slide the Generate Hybrid CSR toggle to enable this option, if desired. This option allows you to add a second key to the CSR. The following Post-Quantum Cryptography Cryptographic algorithms designed to be secure against the potential capabilities of quantum computers, which could break traditional encryption methods. (PQC Cryptographic algorithms designed to be secure against the potential capabilities of quantum computers, which could break traditional encryption methods.) key algorithms are supported:

      • ML-DSA-44 A variant of the Digital Signature Algorithm (DSA) designed for high-performance and secure digital signatures. ML-DSA-44 is optimized for specific machine learning use cases or specialized systems.

      • ML-DSA-65 Similar to ML-DSA-44, this variant provides a larger key size and is suited for environments requiring more robust security. It is often used in cases where cryptographic strength needs to be balanced with performance.

      • ML-DSA-87 An even stronger variant of ML-DSA, offering a larger key size and enhanced security features for demanding cryptographic operations. Like the others in the ML-DSA family, it is designed for specific use cases that require high-performance cryptography.

      The resulting CSR can be used to enroll for a hybrid certificate A certificate with both a standard key and a post-quantum key. (a certificate with two key pairs).

      Important:  The Generate Hybrid CSR toggle only appears if at least one Alternative Key Type has been enabled at either the system-wide or enrollment pattern level (see System-Wide: Policies Tab or Enrollment Pattern: Policies Tab). If it has been enabled for the enrollment pattern, the toggle will not appear until the enrollment pattern is selected.

   2. Select an Enrollment Pattern, if desired. The enrollment patterns are organized by configuration tenant A grouping of CAs. The Microsoft concept of forests is not used in EJBCA so to accommodate the new EJBCA functionality, and to avoid confusion, the term forest needed to be renamed. The new name is configuration tenant. For EJBCA, there would be one configuration tenant per EJBCA server install. For Microsoft, there would be one per forest. Note that configuration tenants cannot be mixed, so Microsoft and EJBCA cannot exist on the same configuration tenant. (formerly known as forest An Active Directory forest (AD forest) is the top most logical container in an Active Directory configuration that contains domains, and objects such as users and computers.). If you have multiple configuration tenants and enrollment patterns with similar names, be sure to select the enrollment pattern in the correct configuration tenant. Enrollment patterns must have CSR Generation selected as an Allowed Enrollment Type on the enrollment patterns basic information tab (see Enrollment Pattern: Basic Information Tab) to appear in the dropdown.

      Important:  The enrollment pattern will not be included in the CSR. It is referenced in order to retrieve key and other information to help populate the CSR. In addition, the CSR generation function supports regular expressions for both subject parts and SANs at the enrollment pattern level. The regular expressions set at the enrollment pattern level take precedence over the system-wide regular expressions.

      If you choose to select an enrollment pattern during CSR generation, you must choose the same enrollment pattern during CSR enrollment, because the CSR will contain elements from the enrollment pattern that may conflict with other enrollment pattern configurations.

   3. Select the Key Algorithm, Key Size, or Curve as appropriate for the request. If you have selected an enrollment pattern, and it supports multiple options for key size, key type The key type identifies the type of key to create when creating a symmetric or asymmetric key. It references the signing algorithm and often key size (e.g. AES-256, RSA-2048, Ed25519)., and/or elliptic curve, the available options will be limited to those permitted by the system-wide or enrollment pattern policies. If the template A certificate template defines the policies and rules that a CA uses when a request for a certificate is received. allows only one value or if the policy restricts the options, the dropdowns will be disabled (grayed out). When enrolling with the selected pattern, the requested key size will be validated against the sizes supported by the enrollment pattern and its associated template.

      Note:  The following algorithms are supported as the primary key for enrollment:

      • RSA A widely used public-key cryptosystem, RSA is commonly used for encryption and digital signatures. It is based on the mathematical difficulty of factoring large integers.
      • ECDSA ECDSA (Elliptic Curve Digital Signature Algorithm) is used for digital signatures in public-key cryptography. It offers strong security with smaller key sizes compared to RSA, making it ideal for resource-constrained environments. (Elliptic Curve Digital Signature Algorithm)
      • Ed448 A high-security elliptic curve algorithm, Ed448 is used for digital signatures and is known for providing very strong security while maintaining high performance. It is part of the Edwards-curve Digital Signature Algorithm (EdDSA) family.
      • Ed25519 Another member of the EdDSA family, Ed25519 is designed for high security and speed. It is widely used in modern cryptography and provides robust protection with a 256-bit key size.

      • ML-DSA-44
      • ML-DSA-65
      • ML-DSA-87

      Important:  A ML-DSA primary key cannot be used for a hybrid certificate (a certificate with both a primary and alternative key).

      The availability of these algorithms depends on the following factors:

      • System-wide enrollment pattern policy
      • Individual enrollment pattern policy
      • Algorithms set on the certificate template at the CA level (either for the selected enrollment pattern, if applicable, or the default enrollment pattern)

      When configuring key information policies at the enrollment pattern level, only key sizes that are valid for the selected algorithm will be available. These sizes are determined by the system-wide policy, enrollment pattern policy, and the supported key sizes in the template configuration.

      For PFX enrollment and CSR generation, dropdown menus for Key Algorithm and Key Size will appear if the selected enrollment pattern’s template and policy settings support multiple options. If the template configuration or applied policy restricts the template to a single key algorithm or size, the dropdowns will be disabled (grayed out).

      When ECC Elliptical curve cryptography (ECC) is a public key encryption technique based on elliptic curve theory that can be used to create faster, smaller, and more efficient cryptographic keys. ECC generates keys through the properties of the elliptic curve equation instead of the traditional method of generation as the product of very large prime numbers. is selected as the key algorithm, a search-select field allows the choice of an elliptic curve. Only curves that are supported by the system-wide policy, the enrollment pattern policy, and the template’s configuration will be available in this field.

   

   Figure 110: CSR Generation

3. In the Certificate Subject Information section of the page, enter appropriate subject information for your CSR.

   Note:   Some subject fields may be automatically populated by enrollment defaults configured at the system-wide or enrollment pattern level. You may override the system-populated data, if desired. Any regular expressions set at the system-wide or enrollment pattern level will be used to validate the data entered in the subject fields. Policies set at the system-wide or enrollment pattern level will affect the request. For more information, see Enrollment Pattern Operations. Subject data may also be overridden after an enrollment request is submitted either as part of a workflow A workflow is a series of steps necessary to complete a process. In Keyfactor Command, it refers to the workflow builder, which allows you to automate event-driven tasks such as when a certificate is requested, revoked or found in a certificate store. (see Update Certificate Request Subject\SANs for Microsoft CAs) or using the Subject Format application setting (see Application Settings: Enrollment Tab).

4. In the Subject Alternative Names section of the page, click Add and select from the dropdown to enter one or more SANs for your CSR. Use the Remove action button to remove an existing SAN.

   Important:  If the Enforce RFC 2818 Compliance option has been enabled for the selected enrollment pattern (see Enrollment Pattern Operations) or system-wide, a DNS The Domain Name System is a service that translates names into IP addresses. name will be automatically populated with the Common Name A common name (CN) is the component of a distinguished name (DN) that represents the primary name of the object. The value varies depending on the type of object. For a user object, this would be the user's name (e.g. CN=John Smith). For SSL certificates, the CN is typically the fully qualified domain name (FQDN) of the host where the SSL certificate will reside (e.g. servername.keyexample.com or www.keyexample.com). (CN A common name (CN) is the component of a distinguished name (DN) that represents the primary name of the object. The value varies depending on the type of object. For a user object, this would be the user's name (e.g. CN=John Smith). For SSL certificates, the CN is typically the fully qualified domain name (FQDN) of the host where the SSL certificate will reside (e.g. servername.keyexample.com or www.keyexample.com).) and will be set to read only.
   Note:  If the CSR generated has multiple SANs, they will not be overridden by the enrollment pattern default settings, nor the RFC 2818 compliance settings.

   The SAN field in this interface supports: DNS name, IP version 4 address, IP version 6 address, User Prinicpal Name, Email. Alternate SANs may be submitted in requests using the Keyfactor API An API is a set of functions to allow creation of applications. Keyfactor offers the Keyfactor API, which allows third-party software to integrate with the advanced certificate enrollment and management features of Keyfactor Command..

   

   Figure 111: CSR Generation SAN Options

5. At the bottom of the page, click the Generate button. A success message will appear if the process completes successfully. However, if a regular expression A regular expression--RegEx--is a pattern used to validate data by ensuring it meets specific criteria. Several fields on the CSR enrollment, CSR generation, and PFX enrollment pages support RegEx validation, including certificate subject and metadata fields. has been defined system-wide or at the enrollment pattern level (see Enrollment Pattern: Enrollment RegExes Tab) for any fields on the CSR and the validation fails, an error notice will be displayed at the top of the CSR generation page. The error message will reflect the configuration defined at the enrollment pattern level, as it takes precedence over system-wide settings.

   

   Figure 112: CSR Generation Success

6. Save or open your CSR once it has been successfully generated.