CSR Generation

The Certificate Signing Request (CSR) generation page provides the ability to enter a subject, subject alternative names (SANs), key size, and enrollment pattern information and generate a CSR based on this information. You can then use this CSR to request a certificate using the CSR enrollment function (see CSR Enrollment) or any other enrollment method requiring a CSR.

The intended use case for CSR generation in Keyfactor Command is a scenario such as an offline CA, where the CSR may be submitted to the CA outside Keyfactor Command but it is desired that Keyfactor Command still store the private key. See CSR Generation and Private Key Storage.

Note:  If you attempt to complete a CSR enrollment using a CSR generated within Keyfactor Command, you will receive a Confirm Operation message requiring you to click OK to confirm and enroll unless the Enable warning for CSR generated in Command application setting has been disabled (see Application Settings: Enrollment Tab).

Figure 108: Enroll: Confirm Operation

CSR Generation and Private Key Storage

When you use the CSR generation option, the encrypted private key of the request is stored in the Keyfactor Command database.

When you generate a certificate using that CSR, it will be married together with the private key when the certificate synchronizes into the Keyfactor Command database.

The certificate enrollment with the CSR does not need to be completed in Keyfactor Command (using CSR Enrollment) in order for the private key to be married with the certificate. Certificates enrolled outside of Keyfactor Command using CSRs generated within Keyfactor Command and synchronized via the CA synchronization process (see Certificate Authorities), or manually imported using the Add Certificate option (see Add Certificate) will also be married with their private keys.

To generate a CSR:

  1. In the Keyfactor Command Management Portal, browse to Enrollment > CSR Generation.
  2. In the Certificate Request Details section of the page:

    1. Select an Enrollment Pattern, if desired. The enrollment patterns are organized by configuration tenant (formerly known as forest). If you have multiple configuration tenants and enrollment patterns with similar names, be sure to select the enrollment pattern in the correct configuration tenant. Enrollment patterns must have CSR Generation selected as an Allowed Enrollment Type on the enrollment pattern's Basic Information tab (see Basic Information Tab) to appear in the dropdown.

      Important:  The enrollment pattern will not be included in the CSR. It is referenced in order to retrieve key and other information to help populate the CSR. In addition, the CSR generation function supports regular expressions for both subject parts and SANs at the enrollment pattern level. The regular expressions set at the enrollment pattern level take precedence over the system-wide regular expressions.

      If you choose to select an enrollment pattern during CSR generation, you must choose the same enrollment pattern during CSR enrollment, because the CSR will contain elements from the enrollment pattern that may conflict with other enrollment pattern configurations.

    2. Select a Key Algorithm and Key Size or Curve as applicable for the request. If you have selected an enrollment pattern that supports multiple options for key size, key type, and/or elliptic curve, and system-wide or enrollment pattern policies allow multiple values, these dropdowns will be limited to those values. If the template provides only one value or the policy restricts the options, these dropdowns will be grayed out. When enrolling with the enrollment pattern, the key size of the request is validated against the key size(s) supported by the enrollment pattern and the associated template.

      Note:  The supported key algorithms for enrollment are determined based on:
      • System-wide enrollment pattern policy
      • Individual enrollment pattern policy
      • Supported algorithms set on the template at the CA level

      When configuring key information policies at the enrollment pattern level, only key sizes valid for the selected algorithm will be available. These are governed by the system-wide policy, enrollment pattern policy, and supported key sizes.

      For PFX enrollment and CSR generation, dropdowns for Key Algorithm and Key Size are displayed if the template for the selected enrollment pattern, with its applied policy settings, supports multiple options. If the certificate template configuration or applied policy limits the template to a single key algorithm or size, the dropdowns will be grayed out.

      If ECC is selected as the key algorithm, an elliptic curve can be chosen using a search-select field. Only curves supported by the system-wide policy, enrollment pattern policy, and the template's configuration will appear in this field.

    3. Slide the Generate Hybrid CSR toggle to enable this option, if desired. This option allows you to add a second key to the CSR using a Post-Quantum Cryptography (PQC) key algorithm. The following key algorithms are supported:

      • ML-DSA-44

      • ML-DSA-65

      • ML-DSA-87

      The resulting CSR can be used to enroll for a hybrid certificate (a certificate with two key pairs: a standard key and a post-quantum key).

      Note:  This option will be grayed out if you selected an enrollment pattern.

    Figure 109: CSR Generation

  3. In the Certificate Subject Information section of the page, enter appropriate subject information for your CSR.

    Note:  Some subject fields may be automatically populated by enrollment defaults configured at the system-wide or enrollment pattern level. You may override the system-populated data, if desired. Any regular expressions set at the system-wide or enrollment pattern level will be used to validate the data entered in the subject fields. Policies set at the system-wide or enrollment pattern level will affect the request. For more information, see Enrollment Pattern Operations. Subject data may also be overridden after an enrollment request is submitted either as part of a workflow (see Update Certificate Request Subject\SANs for Microsoft CAs) or using the Subject Format application setting (see Application Settings: Enrollment Tab).
  4. In the Subject Alternative Names section of the page, click Add and select from the dropdown to enter one or more SANs for your CSR. Use the Remove action button to remove an existing SAN.

    Note:  If the CSR generated has multiple SANs, they will not be overridden by the enrollment pattern default settings, nor the RFC 2818 compliance settings.

    The SAN field in this interface supports: DNS name, IP version 4 address, IP version 6 address, User Principal Name, and email. Other SAN types may be submitted in requests using the Keyfactor API.

    Figure 110: CSR Generation SAN Options

  5. At the bottom of the page, click the Generate button. A success message will appear if the process completes successfully. However, if a regular expression has been defined system-wide or at the enrollment pattern level (see Enrollment RegExes Tab) for any fields on the CSR and the validation fails, an error notice will be displayed at the top of the CSR generation page. The error message will reflect the configuration defined at the enrollment pattern level, as it takes precedence over system-wide settings.

    Figure 111: CSR Generation Success

  6. Save or open your CSR once it has been successfully generated.
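The six steps above, together with the private-key matching described under CSR Generation and Private Key Storage and the subject regex validation mentioned in steps 1, 3 and 5, reproduced with openssl on the command line as an added example. This is not Keyfactor Command code and does not use the Keyfactor API; the subject values, the SAN entries, the two CN regular expressions (one standing in for the system-wide rule, one for an enrollment-pattern rule that overrides it), the throwaway CA that issues the certificate, and the file paths are all assumptions made for the example. The hybrid ML-DSA option is not shown, since it depends on an OpenSSL build that provides those algorithms.

```shell
#!/bin/sh
# Added example (not Keyfactor code): reproduce the CSR Generation steps with
# openssl, then perform the "married with the private key" check that the
# Private Key Storage section describes. Subject values, SANs, the CN regexes
# and all file paths are made-up assumptions.
set -eu

WORK=${WORK:-$(mktemp -d)}

# Step 2: key algorithm plus size or curve. "RSA 3072" and "ECC prime256v1"
# stand in for the dropdown choices an enrollment pattern might allow.
gen_key() {                     # $1=RSA|ECC  $2=bits or curve  $3=output key file
  case "$1" in
    RSA) openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:"$2" -out "$3" 2>/dev/null ;;
    ECC) openssl genpkey -algorithm EC  -pkeyopt ec_paramgen_curve:"$2" -out "$3" 2>/dev/null ;;
    *)   echo "unsupported key algorithm: $1" >&2; return 1 ;;
  esac
}

# Subject regex validation: an enrollment-pattern regex, when set, takes
# precedence over the system-wide one (both patterns here are hypothetical).
SYSTEM_CN_REGEX='^[A-Za-z0-9.-]+$'
PATTERN_CN_REGEX='^[a-z0-9-]+\.example\.com$'
validate_cn() {                 # $1=common name; non-zero when the regex rejects it
  re=${PATTERN_CN_REGEX:-$SYSTEM_CN_REGEX}
  printf '%s\n' "$1" | grep -Eq "$re"
}

# Steps 3-5: subject, SANs (DNS, IPv4, IPv6, email, UPN as otherName
# 1.3.6.1.4.1.311.20.2.3) and the generate action. A validation failure
# aborts before any CSR is written, as the page's error notice does.
gen_csr() {                     # $1=key file  $2=CN  $3=SAN list  $4=output CSR file
  validate_cn "$2" || { echo "CN '$2' rejected by regex" >&2; return 1; }
  openssl req -new -key "$1" -out "$4" \
    -subj "/C=US/O=Example Corp/CN=$2" \
    -addext "subjectAltName=$3" 2>/dev/null
}

# Check the CSR's self-signature (proves the requester held the private key).
verify_csr() { openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'; }

# Show what actually landed in the CSR: the SANs come through, the enrollment
# pattern does not (it only seeded the values).
csr_sans() { openssl req -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'; }

# Stand-in for the (offline) CA: issue a certificate from the CSR. A throwaway
# self-signed CA is created here; Keyfactor Command is not involved.
issue_cert() {                  # $1=CSR file  $2=output certificate file
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
    -subj "/CN=Throwaway Test CA" -days 1 2>/dev/null
  openssl x509 -req -in "$1" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$2" -days 1 2>/dev/null
}

# SHA-256 over the DER SubjectPublicKeyInfo, from a private key or a certificate.
# Equal fingerprints mean the stored private key belongs to the issued certificate;
# this is the association the page calls "married", done here with openssl
# instead of the Keyfactor Command database.
spki_fp_from_key()  { openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | openssl dgst -sha256 | awk '{print $NF}'; }
spki_fp_from_cert() { openssl x509 -in "$1" -pubkey -noout | openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256 | awk '{print $NF}'; }
key_matches_cert()  { [ "$(spki_fp_from_key "$1")" = "$(spki_fp_from_cert "$2")" ]; }

demo() {
  gen_key ECC prime256v1 "$WORK/web01.key"
  gen_csr "$WORK/web01.key" web01.example.com \
    "DNS:web01.example.com,DNS:www.example.com,IP:192.0.2.10,IP:2001:db8::10,email:admin@example.com,otherName:1.3.6.1.4.1.311.20.2.3;UTF8:web01@example.com" \
    "$WORK/web01.csr"
  verify_csr "$WORK/web01.csr" && echo "CSR signature OK"
  echo "CSR SANs: $(csr_sans "$WORK/web01.csr")"
  issue_cert "$WORK/web01.csr" "$WORK/web01.crt"
  if key_matches_cert "$WORK/web01.key" "$WORK/web01.crt"; then
    echo "certificate matches stored private key"
  else
    echo "certificate does NOT match stored private key" >&2
    return 1
  fi
}

demo
```

Run it as-is to see the CSR signature check, the SAN line that actually ended up in the request, and the SPKI fingerprint comparison that ties the issued certificate back to the private key. A CSR whose CN fails the enrollment-pattern regex is rejected before anything is written, mirroring the error notice in step 5; the same fingerprint comparison is what lets a certificate enrolled outside Keyfactor Command be recognised as belonging to a key generated inside it.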

Tip:  Click the help icon next to the CSR Generation page title to open the Keyfactor Software & Documentation Portal to this section. You will receive a prompt indicating:

You are being redirected to an external website. Would you like to proceed?

You can also find the help icon at the top of the page next to the Log Out button. From here you can choose to open either the Keyfactor Software & Documentation Portal at the home page or the Keyfactor API Endpoint Utility.

Keyfactor provides two sets of documentation: the On-Premises Documentation Suite and the Managed Services Documentation Suite. Which documentation set is accessed is determined by the Application Settings: On-Prem Documentation setting (see Application Settings: Console Tab).