Managing CA Certificates

An Officer can create and manage CA certificates in this section.

Generate CSR

For CSR, the following dialog will be shown:

Select the DN attribute type from the first dropdown and add it to Subject DN.

The following "DN attributes" are available:

Every added DN attribute is marked as required. Remove DN attributes by clicking next to them. Click next to Subject OID’s to add custom DN attributes.

Enter the OID and value of the custom DN attribute. Remove attributes by clicking the icon.

Click next to SAN Details to add Subject Alternative Name (SAN) attributes.

Select the type of SAN attribute from the dropdown list.

A new text field will appear next to the list. You can insert the value for the SAN attribute into the text field. If you want to remove SAN attributes, just click the icon next to them.

Press "Proceed" to continue. You will need to authenticate the action using your Officer token and then press Authenticate.

Click on Create to generate the CSR.

Upon completion, the following view will be displayed:

Click "Download CSR" to download the CSR.

CA Certificates

An Officer can manage the CA certificates in his/her own group from this interface.

To import an External CA certificate into the emCA Application, click on "Import Issuer Certificate".

Please note that only the CA certificate will be imported, not the CA key.

If you want to export the entire table to an XLSX file, click on "Export to Excel". The file will be automatically downloaded to the standard download location of your operating system.

Import Issuer Certificate

To import a CA certificate in response to a CSR, follow these steps:

1. Click on "Choose File" to select the CA certificate that needs to be imported.

2. Click on "Import X509" to upload the certificate.

3. You will be prompted to authenticate the action.

4. Use your Officer token to authenticate and proceed by pressing "Authenticate".

5. Click on "Import X509" again to complete the upload process.
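
Since the import covers only the certificate, not the key, the certificate returned by the external CA must carry the public key of the pending CSR and be marked as a CA certificate. The following added example is not part of emCA or its documentation: it runs this check with the OpenSSL command line before the import, and the file names and generated sample certificates are constructed for illustration.

```shell
#!/bin/sh
# Added example (OpenSSL CLI, not an emCA tool). All file names are placeholders.

# SHA-256 fingerprint of the public key in a CSR ("req") or certificate ("x509").
pubkey_fp() {              # $1 = req|x509, $2 = PEM file
    openssl "$1" -in "$2" -noout -pubkey |
        openssl pkey -pubin -outform DER | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Prints "ok" only if the certificate answers this CSR and is a CA certificate.
check_issued_ca_cert() {   # $1 = CSR (PEM), $2 = issued certificate (PEM)
    # The CSR's self-signature proves the requester holds the private key.
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK' ||
        { echo "CSR self-signature invalid"; return 1; }
    # The certificate must be bound to the same public key as the pending CSR.
    [ "$(pubkey_fp req "$1")" = "$(pubkey_fp x509 "$2")" ] ||
        { echo "public key mismatch"; return 1; }
    # A CA certificate needs basicConstraints CA:TRUE.
    openssl x509 -in "$2" -noout -text | grep -q 'CA:TRUE' ||
        { echo "basicConstraints CA:TRUE missing"; return 1; }
    echo "ok"
}

# Constructed sample data: a throwaway root, a pending CA key with its CSR,
# the matching CA certificate, and a certificate issued without CA:TRUE.
make_samples() {           # $1 = empty working directory
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Sample Root" \
        -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Sample Sub CA" \
        -keyout "$1/sub.key" -out "$1/sub.csr" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$1/ca.ext"
    openssl x509 -req -in "$1/sub.csr" -CA "$1/root.pem" -CAkey "$1/root.key" \
        -CAcreateserial -days 1 -extfile "$1/ca.ext" -out "$1/sub.pem" 2>/dev/null
    openssl x509 -req -in "$1/sub.csr" -CA "$1/root.pem" -CAkey "$1/root.key" \
        -CAcreateserial -days 1 -out "$1/leaf.pem" 2>/dev/null
}

dir=$(mktemp -d)
make_samples "$dir"
check_issued_ca_cert "$dir/sub.csr" "$dir/sub.pem"  || true   # matching CA certificate
check_issued_ca_cert "$dir/sub.csr" "$dir/root.pem" || true   # certificate for another key
check_issued_ca_cert "$dir/sub.csr" "$dir/leaf.pem" || true   # right key, but not a CA
rm -rf "$dir"
```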

View Certificate Details

Click on to view the CA certificate details:

Download Certificate Details

Click on to download the user certificate as

Select the export format of your choice and click Download to start the download of the user certificate.

The user certificate will be downloaded to the standard download location of your OS.

CSR Creation Using Existing Keypair

Click on to create a new CSR based on the same key. This option is only available for CA keys with pending CA certificate requests.

You will be forwarded to the following CSR creation UI:

You will have the option to edit the new CSR before creating it.

Click "Proceed" to continue.

You will be prompted to authenticate the action.

Authenticate using your Officer token and proceed by pressing "Authenticate".

Click on "Create" to generate the new CSR.

Revoke/Suspend

An Officer can revoke CA certificates in his/her own group manually, if necessary, using this UI.

Revocations of CA certificates may become necessary if keys have been compromised.

Select a search criterion from the dropdown box on the left. The following search criteria are available:

  • Serial Number – the serial number of the CA certificate

  • Common Name – the common name (CN) of the CA certificate

  • Issuer Name – the CN of the issuer (= CA) of the CA certificate

To search for certificate information, you can enter search criteria in the appropriate fields. For all search criteria except the Issuer Name, you can enter the desired search value in the right field. However, when you search using the Issuer Name, the right field changes to a dropdown box. From this dropdown, you can select the name of any existing Certificate Authority (CA).

The image below illustrates an example of how to filter search results using a specific Issuer Name.

View Certificate

Click on to view the CA certificate details:

Revoke Certificate

Click on in order to start the revocation process for the selected CA certificate.

Select one of the following revocation reasons from the dropdown list:

Note: CA certificates cannot be suspended.

Provide an explanation for the revocation/suspension of the certificate in the Remarks section.

Select "Confirm" to proceed. You'll then need to authenticate the revocation by using your Officer token and pressing "Authenticate."

Warning: Revocations are permanent! Revoked CA certificates cannot be recovered by any means.

Click on "Revoke" to proceed with the revocation process.

Reinstate

The user can search for CA certificates in his/her own group. The user cannot inspect the certificates of other groups.

Select a search criterion from the dropdown box on the left.

The following search criteria are available:

  • Serial Number – the serial number of the CA certificate

  • Common Name – the common name (CN) of the CA certificate

  • Issuer Name – the CN of the issuer (= CA) of the CA certificate

  • Status – the state of the certificate

The “Search for” field changes according to the selected “Search by” criterion.

For example, after selecting the Status filter under “Search by”, click "Search" to filter for all matching user certificates.

The following image shows an example of a CA-specific filter:

The user can view and download the certificates in the available formats.

Sign CSR

An Officer can use the following UI to sign CA CSRs from External CAs using existing CAs and certificate profiles from the emCA Application.

Steps to Generate a Certificate

  1. Select the configuration type, either Upload or Text Area.

  2. Click "Choose file" to select the CSR for signing.

  3. Pick the desired certificate profile from the dropdown list.

  4. Make sure that the certificate profile is of type CA, not Root.

  5. Upon selecting a certificate profile, the Certifying Authority field will be filled with the correct CA.

Click "View" next to the certificate profile to view it read-only.

Click on "View" next to the issuing CA in order to inspect the CA’s certificate.

To move on to the next stage, simply click on the "Proceed" button.

The following summary of the certificate request will be displayed:

The CSR Details section displays the data that can be obtained from the CSR (Certificate Signing Request) that has been submitted.

To download the CSR once again, please click on the icon provided.

To make changes to the loaded CSR information, simply click 'Edit'.

If the CSR is missing any required data (indicated by *), fill it in manually.

The Other Details section displays the key size generated by the CSR and the certificate options selected.

You will need to authenticate the generation of the certificate. Use your Officer token to authenticate and press "Authenticate" to proceed.

To finish generating the certificate, simply click on the "Sign CSR" button.

The following UI will be shown upon completion:

To get the latest CA certificate, all you need to do is click on the "Download Certificate" button.

Import PKCS12

An Officer can import existing PKCS12 keystores into the emCA Application HSM using the following UI.

The PKCS12 keystore must include a CA certificate; user certificates are ignored.

To choose the PKCS12 keystore from your system, simply click on the "Choose file" button.

Please enter the password for the PKCS12 keystore in the "Enter Password" field.

To select the key profile, you must choose an option from the drop-down menu.

To continue, please click on the "Proceed" button.

You will need to authenticate the upload using your Officer token. Press "Authenticate" to proceed.

Click on "Import" to upload the PKCS12 to the emCA Application HSM.
