Creating Certificates on the RA
The Enroll menu includes options for making certificate requests and retrieving (enrolling) certificates issued to the User.
Make New Request
The Make New Request page allows requesting a new certificate. Note that the options available depend on your role, and when there is only one choice available and thus no selection to be made, the option is not displayed on the page. To view these predefined options, click Show details in the bottom-right of each section.
Select Request Template
Select Certificate Type to choose which type of certificate to request. If you have access to request multiple certificates, the options are available for selection in a list. Note that you will not have to make a selection if you only have access to one certificate type.
Secondly, select Certificate subtype. The subtype choice exists if there are multiple variants, for example, SMIME Signing or Encryption, or different validity periods for TLS certificates. If you only have access to one Certificate subtype, you will not be able to choose anything.
Third, you can choose which CA to request the certificate from if you have access to more than one CA. If only one CA choice is available, you will not be able to choose anything.
Last in the Request Template section, you choose whether you will provide a CSR or whether the CA will generate a keystore, including the private key, for you. If only one choice is available, you will not be able to choose anything.
Upload CSR
If the last choice in the Request Template section was Provided by User, you can now upload a CSR. Once uploaded, some basic information about the CSR, such as the type and length of the public key, is displayed.
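One way to prepare a CSR for the Provided by User option and check its key type and length before uploading, shown as an added example that is not part of the original documentation. It assumes the OpenSSL command-line tool is installed and that the policy permits RSA 3072; the subject name and file names are constructed placeholders.

```shell
#!/bin/sh
# Added example: create a key pair and CSR locally, then confirm the key type
# and length that the RA will display after upload.
# Assumptions: OpenSSL CLI is installed; RSA 3072 is allowed by the policy;
# subject and file names are constructed placeholders.

# Generate a private key and a PKCS#10 request in directory $1 for CN $2.
make_csr() {
    dir=$1; cn=$2
    # Subshell so the restrictive umask applies only while the key is written.
    ( umask 077
      openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:3072 \
          -out "$dir/key.pem" 2>/dev/null ) || return 1
    # The private key stays on this machine; only req.csr is uploaded.
    openssl req -new -key "$dir/key.pem" -subj "/CN=$cn" \
        -out "$dir/req.csr" 2>/dev/null
}

# Print "<key algorithm> <key bits> <signature status>" for the CSR in $1.
# Returns non-zero if the file cannot be parsed as a CSR.
csr_summary() {
    text=$(openssl req -in "$1" -noout -text 2>/dev/null) || return 1
    alg=$(printf '%s\n' "$text" \
        | sed -n 's/.*Public Key Algorithm: *//p' | head -n 1)
    bits=$(printf '%s\n' "$text" \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    [ -n "$alg" ] && [ -n "$bits" ] || return 1
    # The self-signature proves possession of the matching private key.
    # Match on the message text, since exit codes differ between versions.
    if openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'; then
        sig=signature-ok
    else
        sig=signature-bad
    fi
    echo "$alg $bits $sig"
}

# Demonstration run in a throwaway directory.
workdir=$(mktemp -d)
make_csr "$workdir" "server.example.test" && csr_summary "$workdir/req.csr"
```

The file to upload is req.csr; key.pem is never sent to the RA.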
Select Key Algorithm
If the last choice in the Request Template section was On Server, you can now choose the key type and key length, within the restrictions set by the policy.
Select Token Type
If the last choice in the Request Template section was Postpone, an End Entity will be created without enrolling a certificate or keystore. You can choose the token type for the future enrollment.
Provide Request Info
This is the section where you enter your personal data for the request. This includes Distinguished Name, Subject Alternative Name and permitted or excluded Name Constraint fields. Only available fields are displayed, and an asterisk (*) marks required fields.
Provide External account ID
The External account binding section is only displayed if the selected certificate subtype has external account namespaces configured. The External account ID field is mandatory and the value must be present among the configured External Account Binding IDs (see External Account Bindings).
Provide User Credentials
The last section to fill in contains your User credentials. This can include a username and enrollment code, or only an enrollment code if the username is automatically generated. The enrollment code will be used when you, at a later stage, retrieve your certificate.
Confirm Request
The summary section allows you to verify the data entered before confirming the request. As the last step, you are asked to either Confirm the request to be sent for approvals or immediately issue the certificate if the certificate can be issued immediately for your role.
- Confirm Request: Creates a request for approval and provides you with a Request ID for tracking the request.
- Download: Immediately issues a certificate.
Use Request ID
Allows you to check the status of a request sent for approval, using the Request ID you were given. If the request is ready for issuance, you will then be able to provide the enrollment code that you either provided yourself or that was sent to you. After giving the Request ID and an enrollment code, your certificate or keystore will be downloaded to you.
Use Username
As an alternative to using a Request ID, you may be provided with a username and an enrollment code by your administrator. These can be used on this screen in order to issue your certificate.
This function can be used to replace or re-enroll certificates. Depending on your settings, you might require a new approval request to be confirmed first.