CSR Generation

The Certificate Signing Request (CSR) generation page provides the ability to enter subject, SAN, key size, and enrollment pattern information and generate a CSR based on it. You can then use this CSR to request a certificate using the CSR enrollment function (see CSR Enrollment) or any other enrollment method requiring a CSR.

CSR generation in Keyfactor Command is intended for cases such as an offline CA, where Keyfactor Command should hold the private key for the request. See CSR Generation and Private Key Storage.

Note:
  • If you attempt to complete a CSR enrollment using a CSR generated within Keyfactor Command, you will receive a Confirm Operation message requiring you to click OK to confirm and enroll, unless the Enable warning for CSR generated in Command application setting has been disabled.
  • When renewing, if the Enable warning for CSR renewal with a Subject/SAN mismatch application setting is enabled, the CSR enrollment page will display a warning on submission if the SANs/Subject differ from the SANs/Subject of the certificate being renewed.

Click OK on this popup to ignore the warning (see Application Settings: Enrollment Tab).

Figure 109: CSR Warning Message

CSR Generation and Private Key Storage

When you use the CSR generation option, the encrypted private key of the request is stored in the Keyfactor Command database.

When you generate a certificate using that CSR, it will be married together with the private key when the certificate synchronizes into the Keyfactor Command database.

The certificate enrollment with the CSR does not need to be completed in Keyfactor Command (using CSR Enrollment) in order for the private key to be married with the certificate. Certificates enrolled outside of Keyfactor Command using CSRs generated within Keyfactor Command and synchronized via the CA synchronization process (see Certificate Authorities), or manually imported using the Add Certificate option (see Add Certificate) will also be married with their private keys.

To generate a CSR:

  1. In the Keyfactor Command Management Portal, browse to Enrollment > CSR Generation.
  2. In the Certificate Request Details section of the page:

    1. Slide the Generate Hybrid CSR toggle to enable this option, if desired. This option allows you to add a second key to the CSR. The following Post-Quantum Cryptography (PQC) key algorithms are supported:

      The resulting CSR can be used to enroll for a hybrid certificate (a certificate with two key pairs, one standard and one post-quantum).

      Important:  The Generate Hybrid CSR toggle only appears if at least one Alternative Key Type has been enabled at either the system-wide or enrollment pattern level (see System-Wide: Policies Tab or Enrollment Pattern: Policies Tab). If it has been enabled for the enrollment pattern, the toggle will not appear until the enrollment pattern is selected.
    2. Select an Enrollment Pattern, if desired. The enrollment patterns are organized by configuration tenant (formerly known as forest). If you have multiple configuration tenants and enrollment patterns with similar names, be sure to select the enrollment pattern in the correct configuration tenant. An enrollment pattern must have CSR Generation selected as an Allowed Enrollment Type on its Basic Information tab (see Enrollment Pattern: Basic Information Tab) to appear in the dropdown.

      Important:  The enrollment pattern will not be included in the CSR. It is referenced in order to retrieve key and other information to help populate the CSR. In addition, the CSR generation function supports regular expressions for both subject parts and SANs at the enrollment pattern level. The regular expressions set at the enrollment pattern level take precedence over the system-wide regular expressions.

      If you choose to select an enrollment pattern during CSR generation, you must choose the same enrollment pattern during CSR enrollment, because the CSR will contain elements from the enrollment pattern that may conflict with other enrollment pattern configurations.

    3. Select the Key Algorithm, Key Size, or Curve as appropriate for the request. If you have selected an enrollment pattern, and it supports multiple options for key size, key type, and/or elliptic curve, the available options will be limited to those permitted by the system-wide or enrollment pattern policies. If the template allows only one value or if the policy restricts the options, the dropdowns will be disabled (grayed out). When enrolling with the selected pattern, the requested key size will be validated against the sizes supported by the enrollment pattern and its associated template.

      Note:  The following algorithms are supported as the primary key for enrollment:
      Important:  An ML-DSA primary key cannot be used for a hybrid certificate (a certificate with both a primary and an alternative key).

      The availability of these algorithms depends on the following factors:

      • System-wide enrollment pattern policy
      • Individual enrollment pattern policy
      • Algorithms set on the certificate template at the CA level (either for the selected enrollment pattern, if applicable, or the default enrollment pattern)

      When configuring key information policies at the enrollment pattern level, only key sizes that are valid for the selected algorithm will be available. These sizes are determined by the system-wide policy, enrollment pattern policy, and the supported key sizes in the template configuration.

      For PFX enrollment and CSR generation, dropdown menus for Key Algorithm and Key Size will appear if the selected enrollment pattern’s template and policy settings support multiple options. If the template configuration or applied policy restricts the template to a single key algorithm or size, the dropdowns will be disabled (grayed out).

      When ECC is selected as the key algorithm, a search-select field allows the choice of an elliptic curve. Only curves that are supported by the system-wide policy, the enrollment pattern policy, and the template's configuration will be available in this field.

    Figure 110: CSR Generation

  3. In the Certificate Subject Information section of the page, enter appropriate subject information for your CSR.

    Note:  Some subject fields may be automatically populated by enrollment defaults configured at the system-wide or enrollment pattern level. You may override the system-populated data, if desired. Any regular expressions set at the system-wide or enrollment pattern level will be used to validate the data entered in the subject fields. Policies set at the system-wide or enrollment pattern level will affect the request. For more information, see Enrollment Pattern Operations. Subject data may also be overridden after an enrollment request is submitted, either as part of a workflow (see Update Certificate Request Subject\SANs for Microsoft CAs) or using the Subject Format application setting (see Application Settings: Enrollment Tab).
  4. In the Subject Alternative Names section of the page, click Add and select from the dropdown to enter one or more SANs for your CSR. Use the Remove action button to remove an existing SAN.

    Note:  If the CSR generated has multiple SANs, they will not be overridden by the enrollment pattern default settings, nor the RFC 2818 compliance settings.

    The SAN field in this interface supports: DNS name, IP version 4 address, IP version 6 address, User Principal Name, Email. Other SAN types may be submitted in requests using the Keyfactor API.

    Figure 111: CSR Generation SAN Options

  5. At the bottom of the page, click the Generate button. A success message will appear if the process completes successfully. However, if a regular expression has been defined system-wide or at the enrollment pattern level (see Enrollment Pattern: Enrollment RegExes Tab) for any fields on the CSR and the validation fails, an error notice will be displayed at the top of the CSR generation page. The error message will reflect the configuration defined at the enrollment pattern level, as it takes precedence over system-wide settings.

    Figure 112: CSR Generation Success

  6. Save or open your CSR once it has been successfully generated.
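The following script is an added example and is not Keyfactor's code or part of the original documentation. It uses only openssl (1.1.1 or later, for -addext) and constructs every artifact locally: old.crt stands in for a certificate being renewed, new.csr for the CSR you download in step 6, and a throw-away CA issues new.crt from it; the file names and the example.test hostnames are assumptions. It shows what a practitioner would inspect in the CSR before submitting it (subject, key algorithm and curve from step 2c, SANs from step 4, and the proof-of-possession signature), the condition under which the returned certificate can be married to the key Command holds (its public key must be the one in the CSR), and the Subject/SAN comparison behind the renewal mismatch warning described in the Note at the top of this page.

```shell
#!/bin/sh
# Added example, not Keyfactor's code. Everything below is constructed locally
# with openssl; nothing talks to Keyfactor Command.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# --- helpers; $1 is "req" (for a CSR) or "x509" (for a certificate), $2 is the file ---

# Subject in RFC 2253 form so two DNs can be compared as strings
subject_of() { openssl "$1" -in "$2" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'; }

# SHA-256 of the DER SubjectPublicKeyInfo: the identity of the key pair
pubkey_fp() {
  openssl "$1" -in "$2" -noout -pubkey \
    | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# SAN entries, one per line, sorted, so two lists can be diffed regardless of order
sans_of() {
  openssl "$1" -in "$2" -noout -text \
    | awk '/X509v3 Subject Alternative Name/ {getline; print}' \
    | tr ',' '\n' | sed 's/^[[:space:]]*//' | sort
}

# Key algorithm and size/curve, the values chosen in step 2c
key_info_of() {
  openssl "$1" -in "$2" -noout -text \
    | grep -E 'Public Key Algorithm|Public-Key:|NIST CURVE' | sed 's/^[[:space:]]*//'
}

# A CSR proves possession of the private key through its self-signature
csr_signature_ok() { openssl req -in "$1" -noout -verify >/dev/null 2>&1; }

# A returned certificate can only be married to the stored key if it carries the CSR's public key
cert_matches_csr() { [ "$(pubkey_fp x509 "$1")" = "$(pubkey_fp req "$2")" ]; }

# Renewal check: prints what changed between old certificate and new CSR; exits 1 if anything did
renewal_diff() {
  { subject_of x509 "$1"; sans_of x509 "$1"; } > "$WORK/old.txt"
  { subject_of req  "$2"; sans_of req  "$2"; } > "$WORK/new.txt"
  diff "$WORK/old.txt" "$WORK/new.txt"
}

# --- constructed inputs (stand-ins for the Command-generated CSR and the CA's output) ---
CURVE="ec -pkeyopt ec_paramgen_curve:P-256"
openssl req -x509 -newkey $CURVE -nodes -keyout "$WORK/old.key" -days 1 \
  -subj "/CN=app.example.test/O=Example" -addext "subjectAltName=DNS:app.example.test" \
  -out "$WORK/old.crt" 2>/dev/null
openssl req -new -newkey $CURVE -nodes -keyout "$WORK/new.key" \
  -subj "/CN=app.example.test/O=Example" \
  -addext "subjectAltName=DNS:app.example.test,DNS:api.example.test" \
  -out "$WORK/new.csr" 2>/dev/null
openssl req -x509 -newkey $CURVE -nodes -keyout "$WORK/ca.key" -days 1 \
  -subj "/CN=Throw-away CA" -out "$WORK/ca.crt" 2>/dev/null
# The toy CA copies the requested SANs into the certificate; a real CA applies its own policy
printf 'subjectAltName=DNS:app.example.test,DNS:api.example.test\n' > "$WORK/ext.cnf"
openssl x509 -req -in "$WORK/new.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
  -days 1 -extfile "$WORK/ext.cnf" -out "$WORK/new.crt" 2>/dev/null

# --- what to check before submitting the CSR and after the certificate comes back ---
echo "CSR subject: $(subject_of req "$WORK/new.csr")"
key_info_of req "$WORK/new.csr"
echo "CSR SANs:"; sans_of req "$WORK/new.csr"
csr_signature_ok "$WORK/new.csr" && echo "CSR self-signature OK (proof of possession)"
cert_matches_csr "$WORK/new.crt" "$WORK/new.csr" && echo "issued certificate carries the CSR's public key"
cert_matches_csr "$WORK/old.crt" "$WORK/new.csr" || echo "previous certificate uses a different key (expected: renewal generated a new one)"
renewal_diff "$WORK/old.crt" "$WORK/new.csr" || echo "Subject/SAN differ from the certificate being renewed: this is the mismatch the warning flags"
```

The public key fingerprint comparison is the check that matters operationally: if a CA (or a workflow step that rewrites the request) returns a certificate whose SubjectPublicKeyInfo does not equal the CSR's, no stored private key can correspond to it, whatever the subject says. The renewal diff shows why the mismatch warning is worth leaving enabled: the added DNS:api.example.test SAN is exactly the kind of change you want to confirm deliberately rather than carry into a renewed certificate by accident.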

Tip:  Click the help icon next to the CSR Generation page title to open the Keyfactor Software & Documentation Portal to this section. You will receive a prompt indicating:

You are being redirected to an external website. Would you like to proceed?

You can also find the help icon at the top of the page next to the Log Out button. From here you can choose to open either the Keyfactor Software & Documentation Portal at the home page or the Keyfactor API Endpoint Utility.

Keyfactor provides two sets of documentation: the On-Premises Documentation Suite and the Managed Services Documentation Suite. Which documentation set is accessed is determined by the Application Settings: On-Prem Documentation setting (see Application Settings: Console Tab).