POST CSR Generation Generate

The POST /CSRGeneration/Generate method is used to generate and configure a CSR A CSR or certificate signing request is a block of encoded text that is submitted to a CA when enrolling for a certificate. When you generate a CSR within Keyfactor Command, the matching private key for it is stored in Keyfactor Command in encrypted format and will be married with the certificate once returned from the CA.. This method returns HTTP 200 OK on a success with a message body containing the text of the CSR file created.

This method generates a private key Private keys are used in cryptography (symmetric and asymmetric) to encrypt or sign content. In asymmetric cryptography, they are used together in a key pair with a public key. The private or secret key is retained by the key's creator, making it highly secure. and stores it in the Keyfactor Command database. When you use the CSR resulting from this method to enroll for a certificate through Keyfactor Command (see POST Enrollment CSR), the resulting certificate is married together with the stored private key and may then be download with private key (see POST Certificates Recover).

Tip: The following permissions (see Security Roles and Claims) are required to use this feature:

/certificates/enrollment/csr/generation/

Note: This endpoint

An endpoint is a URL that enables the API to gain access to resources on a server. no longer includes the CSRFilePath return value in the response from the API

A set of functions to allow creation of applications. Keyfactor offers the Keyfactor API, which allows third-party software to integrate with the advanced certificate enrollment and management features of Keyfactor Command. call. Code separate from the API should be used to handle receipt of the CSR and placement on the file system.

Table 392: POST CSR Generation Generate Input Parameters

Name In Description

Curve

Body

A string indicating the elliptic curve for the requested key.

ECC curves may be specified using the well-known OIDs for ECC algorithms. Well-known OIDs include:

1.2.840.10045.3.1.7 = P-256/ prime256v1/ secp256r1
1.3.132.0.34 = P-384/secp384r1
1.3.132.0.35 = P-521/secp521r1

Key Length

Body

Required^*. An integer indicating the desired key size of the certificate. Supported key sizes are:

255
256
384
448
521
2048
3072
4096
8192

This value is required only if KeyType = RSA.

KeyType

Body

Required. A string indicating the desired key encryption of the certificate. Supported key types are:

RSA
ECC
Ed448
Ed25519

SANs

Body

An object that contains the elements for Keyfactor Command to use when generating the subject alternative name (SAN) for the certificate requested by the CSR, each of which is supplied as an array of strings. Show SAN key values.

Standard Value	Deprecated Value	Description
directory		Directory Name
dn		Distinguished Name
dns	dnsname, dns name	DNS Name
ediparty		EDI (Electronic Data Interchange) Party Name
email	mail	Email Address
guid		Globally Unique Identifier
ip	ip4, ipaddress	IP v4 Address Note: IP v4 and IP v6 addresses are handled separately in the Keyfactor Command Management Portal to allow for the application of separate regular expressions on enrollment, but they are stored using the standard ip value.
ip	ip6	IP v6 Address
oid		Object Identifier
other		Other Name
registered id		Registered ID (an OID)
upn		User Principal Name
uri		Uniform Resource Identifier
url		Uniform Resource Locator
x400		X400 Address
	rfc822	RFC 822 Name
	ms_ ntprincipal name	MS_ NTPrincipal Name (a string)
	ms_ ntds replication	MS_ NTDS Replication (a GUID)

For example:

Copy

"SANs": {
   "dns": [
      "dnssan1.keyexample.com",
      "dnssan2.keyexample.com",
      "dnssan3.keyexample.com"
   ],
   "ip": [
      "192.168.2.73"
   ]
}

Subject

Body

Required. A string containing the subject name for the certificate using X.500 format for the full distinguished name (DN). For example:

Copy

"Subject": "CN=websrvr14.keyexample.com, OU=IT, O=\"Key Example, Inc.\", L=Independence, ST=OH, C=US"

Show subject name fields.

Name	Abbreviation	Description
Common Name	CN	Required^*. The desired common name of the certificate to be requested with the CSR. This field is required if the Common Name Regular Expression application setting is set to the default value of .+. See Application Settings: Enrollment Tab for more information.
Organization	O	The desired organization of the certificate to be requested with the CSR.
Organizational Unit	OU	The desired organizational unit of the certificate to be requested with the CSR.
Locality	L	The desired city of the certificate to be requested with the CSR.
State	ST	The desired state of the certificate to be requested with the CSR.
Country	C	The desired country (two characters) of the certificate to be requested with the CSR.
Email	E	The desired email address of the certificate to be requested with the CSR.

Template

Body

A string indicating the desired template to be used for the certificate to be requested with the CSR. The template must have been configured in Keyfactor Command to support CSR generation. This field is optional.

Important: The template will not be included in the CSR. The template is referenced in order to retrieve key and other information to help populate the CSR. In addition, the CSR generation function supports template-level regular expressions for both subject parts and SANs. If system-wide and template-level regular expressions exists for the same field and you select a template, the template-level regular expression is applied.

If you choose to select a template during CSR generation, you will need to choose the same template during CSR Enrollment, because the CSR file will contain elements from the template which may conflict with other template configurations.

Table 393: POST CSR Generation Generate Response Data

Name	Description
CSR	The text of the CSR in PEM format.

Tip: See the Keyfactor API Reference and Utility which provides a utility through which the Keyfactor API endpoints can be called and results returned. It is intended to be used primarily for validation, testing and workflow

A workflow is a series of steps necessary to complete a process. In the context of Keyfactor Command, it refers to the workflow builder, which allows you automate event-driven tasks when a certificate is requested or revoked. development. It also serves secondarily as documentation for the API. The link to the Keyfactor API Reference and Utility is in the dropdown from the help icon (

) at the top of the Management Portal page next to the Log Out button.

Version v12.2

On this page: