CSR Enrollment

The certificate signing request (CSR) enrollment page provides the ability to submit a CSR and download the resulting certificate.

Important:  Before you can use the CSR enrollment function, you must configure at least one template for enrollment by checking the CSR Enrollment box under Allowed Enrollment Types in the certificate template details. See Configuring Template Options.

To request a certificate via CSR:

  1. Generate a CSR. This can be done within the target application (e.g. Microsoft IIS), by using a tool such as certutil or OpenSSL, or by using the Keyfactor Command CSR generation tool (see CSR Generation). Have the certificate file ready.
  2. In the Management Portal, browse to Enrollment > CSR Enrollment.
  3. From the Certificate Request Information section select a certificate template from the Template dropdown, if you are enrolling from an enterprise CA. The templates are organized by configuration tenant (formerly known as forest). If you have multiple configuration tenants and templates with similar names, be sure to select the template in the correct configuration tenant.

    Tip:  If you paste the contents of your generated certificate file before selecting a template, the CSR Content and the CSR Name tabs will be erased. You will need to re-paste the certificate data once you have selected a template.

    Figure 100: Select a Certificate Template

  4. Select the Certificate Authority from which the certificate should be requested, or select Auto-Select. Only CAs that have the selected template available for enrollment (or, if you check the stand-alone CA box, standalone CAs) are shown. If Auto-Select is chosen, a CA is chosen at random from the certificate authorities available for enrollment with the provided Template. This field is optional unless the enrollment is being done against a standalone CA, in which case it is required.

    Tip:  If you are enrolling from a standalone CA, check the Use a stand-alone CA box instead of selecting a template. The check box for stand-alone CAs only appears if you have a stand-alone CA configured for enrollment.

    Figure 101: CSR Enrollment for Stand-Alone CA

  5. Paste your CSR into the CSR Content text area, with or without the BEGIN REQUEST/END REQUEST delimiters.

    Figure 102: CSR Enrollment: CSR Content

  6. The CSR contents will be parsed, and you will automatically be switched to the CSR Names view. Review the data to be sure it is as expected.

    Figure 103: CSR Enrollment: CSR Names

    Note:  If a system-wide or template-level regular expression exists for a subject part or SAN, and the subject part or SAN is left blank, the regular expression will be applied to an empty string for that part. For example, if you have a regular expression on organization, but do not supply an organization, the regular expression will be applied to a blank string as if that were supplied as the organization.
  7. The Subject Alternative Names section of the page appears if you enable the Allow CSR SAN Entry application setting (see Application Settings: Enrollment Tab). This option is disabled by default. Click Add and select from the dropdown to enter one or more SANs for your CSR. Use the Remove action button to remove an existing SAN. The SAN field supports: DNS name, IP version 4 address, IP version 6 address, User Principal Name, and Email.

    Figure 104: CSR Enrollment SAN options

    Note:  SANs submitted outside the CSR may be ignored, appended to SANs in the CSR, or overwrite the SANs in the CSR request depending on the type and configuration of the issuing CA. Please be sure to check that the certificate has the correct SANs after issuance. Any SAN added automatically as a result of the RFC 2818 compliance settings will still be added alongside anything you add here. For a Microsoft CA, review the SAN Attribute Policy Handler for the Keyfactor CA Policy Module (see Installing the Keyfactor CA Policy Module Handlers) for more information.
  8. If template-specific enrollment fields have been defined (see Enrollment Fields Tab) for the selected template, the fields will display in the Additional Enrollment Fields section. The types of fields shown could be either blank (string) fields or multiple choice drop-down fields depending on how they were configured on the template. All additional enrollment fields are mandatory.

    Figure 105: Populate Enrollment Fields

  9. In the Certificate Metadata section of the page, populate any defined certificate metadata fields (see Certificate Metadata and Metadata Tab) as appropriate for the template. These fields may be required or optional depending on your metadata configuration. Required fields will be marked with *Required next to the field label. Any completed values will be associated with the certificate once it has been synchronized with Keyfactor Command. The order in which the metadata fields appear can be changed (see Sorting Metadata Fields).

    Tip:  If a hint has been provided for a specific metadata field, it will display in parentheses to the right of the metadata label.

    Figure 106: Populate Metadata Fields

  10. At the bottom of the page, select the radio button for the desired encoding Format (PEM or DER). The Include Subject Header toggle is only displayed when PEM is selected and defaults to On. When set to Off, the first line of the PEM file, which contains the certificate's subject information, is removed; when set to On, that line is included.

    Figure 107: Select a Certificate Format

  11. Click the Enroll button to begin the certificate request process.

    Note:  If you attempt to complete a CSR enrollment using a CSR generated within Keyfactor Command (see CSR Generation), you will receive a Confirm Operation message requiring you to click OK to confirm and enroll.

    Figure 108: Enroll: Confirm Operation
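The following script is an added example, not part of the Keyfactor documentation, covering the parts of this procedure that happen outside the portal: it generates a CSR with OpenSSL that carries SANs inside the request (step 1), shows how to review the subject and SANs that the CSR Names view will parse (step 6), strips the BEGIN/END delimiters the CSR Content field accepts either way (step 5), and illustrates the "subject=" header line that the Include Subject Header toggle controls (step 10). The hostnames and organization are constructed placeholders, and the self-signed certificate stands in for the CA-issued one; OpenSSL 1.1.1 or later is assumed for -addext.

```shell
#!/bin/sh
# Added example (not Keyfactor's code). Requires the openssl CLI (>= 1.1.1).
set -eu

WORKDIR="$(mktemp -d)"
KEY="$WORKDIR/server.key"
CSR="$WORKDIR/server.csr"
CERT="$WORKDIR/server.crt"

# Step 1: generate a 2048-bit RSA key and a CSR. The SANs are placed in the
# request itself so they do not depend on the portal's Allow CSR SAN Entry
# setting or on how the issuing CA treats SANs supplied outside the CSR.
gen_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$KEY" -out "$CSR" \
    -subj "/C=US/O=Example Org/CN=web01.example.test" \
    -addext "subjectAltName=DNS:web01.example.test,DNS:www.example.test,IP:192.0.2.10" \
    2>/dev/null
}

# Step 6 equivalent: print the subject and the SAN line so the names can be
# checked before clicking Enroll (the portal parses the same fields).
csr_subject() { openssl req -in "$CSR" -noout -subject; }
csr_sans() {
  openssl req -in "$CSR" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n1 | tr -d ' '
}

# Confirms the request's self-signature verifies, i.e. it was not corrupted
# while being copied around (prints "verify OK" on success).
csr_verify() { openssl req -in "$CSR" -noout -verify 2>&1; }

# Step 5: the CSR Content field accepts the request with or without the
# BEGIN/END REQUEST delimiters; this produces the bare base64 body.
csr_body() { sed '/^-----/d' "$CSR" | tr -d '\n'; }

# Step 10 analogue: a PEM download with Include Subject Header On begins with
# a "subject=" line ahead of BEGIN CERTIFICATE. A self-signed certificate is
# used here only to show that header (extensions are not copied over).
self_sign() { openssl x509 -req -in "$CSR" -signkey "$KEY" -days 1 -out "$CERT" 2>/dev/null; }
pem_with_header()    { openssl x509 -in "$CERT" -subject; }
pem_without_header() { pem_with_header | sed '/^subject=/d'; }
```

Run gen_csr and then csr_sans to see exactly which names the portal will list; if a name is missing here, it will be missing in the CSR Names view too.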

Tip:  Click the help icon next to the CSR Enrollment page title to open the Keyfactor Software & Documentation Portal to this section. You will receive a prompt indicating:

You are being redirected to an external website. Would you like to proceed?

You can also find the help icon at the top of the page next to the Log Out button. From here you can choose to open either the Keyfactor Software & Documentation Portal at the home page or the Keyfactor API Endpoint Utility.

Keyfactor provides two sets of documentation: the On-Premises Documentation Suite and the Managed Services Documentation Suite. Which documentation set is accessed is determined by the Application Settings: On-Prem Documentation setting (see Application Settings: Console Tab).