CSR Generation

The Certificate Signing RequestClosed A CSR or certificate signing request is a block of encoded text that is submitted to a CA when enrolling for a certificate. When you generate a CSR within Keyfactor Command, the matching private key for it is stored in Keyfactor Command in encrypted format and will be married with the certificate once returned from the CA. (CSRClosed A CSR or certificate signing request is a block of encoded text that is submitted to a CA when enrolling for a certificate. When you generate a CSR within Keyfactor Command, the matching private key for it is stored in Keyfactor Command in encrypted format and will be married with the certificate once returned from the CA.) generation page provides the ability to enter a subject, SANClosed The subject alternative name (SAN) is an extension to the X.509 specification that allows you to specify additional values when enrolling for a digital certificate. A variety of SAN formats are supported, with DNS name being the most common., key sizeClosed The key size or key length is the number of bits in a key used by a cryptographic algorithm., and templateClosed A certificate template defines the policies and rules that a CA uses when a request for a certificate is received. information and generate a CSR based on this information. You can then use this CSR to request a certificate using the CSR enrollmentClosed Certificate enrollment refers to the process by which a user requests a digital certificate. The user must submit the request to a certificate authority (CA). function (see CSR Enrollment) or any other enrollment method requiring a CSR.

When you use the CSR generation option, the encrypted private keyClosed Private keys are used in cryptography (symmetric and asymmetric) to encrypt or sign content. In asymmetric cryptography, they are used together in a key pair with a public key. The private or secret key is retained by the key's creator, making it highly secure. of the request is stored in the Keyfactor Command database. When you generate a certificate using that CSR, it will be married together with the private key when the certificate synchronizes into the Keyfactor Command database. The certificate enrollment with the CSR does not need to be completed in Keyfactor Command (using CSR Enrollment) in order for the private key to be married with the certificate. Certificates enrolled outside of Keyfactor Command using CSRs generated within Keyfactor Command and synchronized via the CAClosed A certificate authority (CA) is an entity that issues digital certificates. Within Keyfactor Command, a CA may be a Microsoft CA or a Keyfactor gateway to a cloud-based or remote CA. synchronization process (see Certificate Authorities) or manually imported using the Add Certificate option (see Add Certificate) will also be married with their private keys.

To generate a CSR:

  1. In the Keyfactor Command Management Portal, browse to Enrollment > CSR Generation.
  2. In the Certificate Request Details section of the page:

    1. Select a Template, if desired. The templates are organized by configuration tenantClosed A grouping of CAs. The Microsoft concept of forests is not used in EJBCA so to accommodate the new EJBCA functionality, and to avoid confusion, the term forest needed to be renamed. The new name is configuration tenant. For EJBCA, there would be one configuration tenant per EJBCA server install. For Microsoft, there would be one per forest. Note that configuration tenants cannot be mixed, so Microsoft and EJBCA cannot exist on the same configuration tenant. (formerly known as forestClosed An Active Directory forest (AD forest) is the top most logical container in an Active Directory configuration that contains domains, and objects such as users and computers.). If you have multiple configuration tenants and templates with similar names, be sure to select the template in the correct configuration tenant.

      Important:  The template will not be included in the CSR. The template is referenced in order to retrieve key size and other information to help populate the CSR. Also, the CSR generation page supports template-level regular expressions for both subject parts and SANs. If system-wide and template-level regular expressions exists for the same field and you select a template, the template-level regular expression is applied.

      If you choose to select a template during CSR generation, you will need to choose the same template during CSR Enrollment (see CSR Enrollment) because the CSR file will contain elements from the template which may conflict with other template configurations.

    2. Select a Key Length for your CSR. If you have selected a template, the dropdown will be limited to the value supplied by the template. When enrolling with the template, the key size of the request is validated against the template key size.

    Figure 91: CSR Generation

  3. In the Certificate Subject Information section of the page, enter appropriate subject information for your CSR.

    Note:   Some subject fields may be automatically populated by system-wide or template-level enrollment defaults. You may override the system-populated data, if desired. Any system-wide or template-level regular expressions will be used to validate the data entered in the subject fields. System-wide or template-level policies will affect the request. For more information, see Certificate Template Operations. Subject data may also be overridden after an enrollment request is submitted either as part of a workflowClosed A workflow is a series of steps necessary to complete a process. In the context of Keyfactor Command, it refers to the workflow builder, which allows you automate event-driven tasks when a certificate is requested or revoked. (see Update Certificate Request Subject\SANs for Microsoft CAs) or using the Subject Format application setting (see Application Settings: Enrollment Tab).
  4. In the Subject Alternative Names section of the page, click Add and select from the dropdown to enter one or more SANs for your CSR. Use the Remove action button to remove an existing SAN.

    Note:  If the CSR generated has multiple SANs, they will not be overridden by the template default settings, nor the RFC 2818 compliance settings.

    The SAN field supports:

    • DNS name
    • P version 4 address
    • IP version 6 address
    • User Prinicpal Name
    • Email

    Figure 92: CSR Generation SAN Options

  5. At the bottom of the page, click the Generate button. You will see a success message. If any template-level or system-wide regexes have been applied to any fields on the CSR and failed you will receive a notice at the top of the CSR generation page indicating the error as defined on the template (whether template or system-wide settings prevail).

    Figure 93: CSR Generation Success

  6. Save or open your CSR once it has been successfully generated.
Tip:  Click the help icon () next to the CSR Generation page title to open the embedded web copy of the Keyfactor Command Reference Guide to this section.

You can also find the help icon at the top of the page next to the Log Out button. From here you can choose to open either the Keyfactor Command Documentation Suite at the home page or the Keyfactor API Endpoint Utility.