Processing a Certificate Signing Request

Issue a certificate by processing a Certificate Signing Request (CSR) for pre-generated keys.

To process a Certificate Signing Request

  1. Select Create > PKIaaS.
    images/download/attachments/199797131/image-2022-11-23_13-57-29-version-1-modificationdate-1679469112010-api-v2.png

  2. Select the Certificate Authority.

  3. Select a Certificate Profile configured to process Certificate Signing Requests.

  4. Click Next to display the certificate form.

    images/download/attachments/199797131/image-2022-11-23_13-58-41-version-1-modificationdate-1679469111893-api-v2.png

  5. Configure the following settings:

  6. Click Submit to issue the certificate.

  7. On the confirmation page, click the link to download the issued certificate.

Subject DN

Write the Distinguished Name (DN) of the certificate subject. For example:

CN=www.entrust.com, OU=PKIaaS, O=Entrust, c=CA

Certificate Expiry

Select the certificate expiration date. Specifically, the certificate will expire at 23:59:59 on the selected date, calculated for the time zone set in your browser.

Because of Daylight Savings Time (if applicable) and the time zone set in your browser, you may see a discrepancy between the actual certificate expiry date (the one you set) and the expiry date you will see in some system viewers or parsers. The Windows System Viewer, in particular, does not handle Daylight Savings Time correctly.

Subject Alternate Names

Select optional Subject Alternate Names (SAN) for the certificate subject – for example:

  • S/MIME email certificates require an RFC822 Name email address.

  • Network device or web server certificates for TLS authentication require a DNS Name or IP Address value matching the URL used by the client.

See below for the supported types.

The selected CA profile may forbid some Subject Alternate Names.

SAN Type

Sample value

​DNS Name

server.example.com

IP Address

192.168.1.1

RFC822 Name

john.doe@example.com

Directory Name

cn=john doe,o=example inc,c=us

Uniform Resource Identifier

http://example.com/

Registered ID

1.2.3.4.5.6.7.8

Other Name

oBgGCCsGAQUFBwgDoAwwCgwIMTIzNDU2Nzg=

The Other Name value is a DER encoding because this type supports an unbounded number of possible subtypes which often cannot be represented as simple strings.

Certificate Signing Request (CSR)

Paste the Certificate Signing Request (CSR) contents.

PKIaaS currently does not support copying DNs or SANs from the CSR. You must manually input the DNs and SANs on the certificate creation page. As explained in Private SSL (ACMEv2) certificate profiles, PKIaaS has two certificate profiles that use the CN (common name) input value to fill the DNS Name field.