To ensure a secure and streamlined certificate life cycle, you can leverage the KMES Series 3 Registration Authority (RA) to request certificates to be issued by a DigiCert CA. This section outlines the following methods for certificate requests:
  • Certificate Signing Requests (CSRs), where the user provides a pre-generated public key.
  • Requests in which the KMES Series 3 generates the key pair through the PKI.
It is important to ensure everyone follows proper approval processes for optimal security in your certificate management. Separating duties within a certificate-signing workflow that uses an RA is a pivotal practice for safeguarding the integrity and trustworthiness of digital certificates. By distributing certificate request, approval, and issuance roles across multiple individuals, you ensure that no single entity or individual has the unilateral power to issue, approve, and manage certificates, thereby significantly mitigating the risk of internal fraud, errors, or compromise.

Certificate enrollment

Select the CSR or Generated PKI certificate enrollment method and follow the instructions:

CSR

Perform the following steps to use the CSR to enroll the certificate:
1. Go to the KMES Registration Authority endpoint in your browser (https://[kmes_hostname_ip]:8443).
2. Log in with an identity that has the permissions required to submit certificate requests.
3. Select the signing certificate you want to use and leave the CSR option selected. Select [ Next ] to proceed to the next step in the wizard.
4. Select an Approval Group and select [ Next ].
5. Select [ Choose File ] and upload a CSR, and select [ Next ].
6. Select an extension profile and optionally add user-defined extensions if allowed for the profile, and select [ Next ].
7. Optionally, modify the DN Profile information, and select [ Next ].
8. Enter a name for the request and set an expiration date for the certificate. Optionally, add notes and email addresses, and select [ Submit ].
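
For step 5 of the CSR procedure, one way to create the CSR locally and check it before upload, then confirm that the certificate later downloaded as PEM X.509 carries the same public key. This is an added example, not Futurex or DigiCert code; it assumes the OpenSSL CLI is installed, and the file names and subject are constructed sample values.

```shell
#!/bin/sh
# Added example: prepare and check a CSR before uploading it to the RA wizard.
# File names and the subject below are constructed sample values.

# Generate an RSA 2048 key pair and a CSR. Only the CSR is uploaded;
# the private key stays on this host. -nodes leaves the key unencrypted
# on disk, so protect or wrap the key file according to your own policy.
make_csr() {  # usage: make_csr <key.pem> <csr.pem> <subject>
    ( umask 077   # private key readable by its owner only
      openssl req -new -newkey rsa:2048 -nodes -sha256 \
          -keyout "$1" -out "$2" -subj "$3" 2>/dev/null )
}

# Succeed only if the CSR parses and its self-signature verifies.
# The output text is checked because older OpenSSL releases exit 0
# even when verification fails.
csr_ok() {  # usage: csr_ok <csr.pem>
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'
}

# Print the SHA-256 of the DER-encoded public key in a CSR or certificate.
pubkey_hash() {  # usage: pubkey_hash req|x509 <file.pem>
    pem=$(openssl "$1" -in "$2" -noout -pubkey 2>/dev/null) || return 1
    printf '%s\n' "$pem" | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 -r | cut -d' ' -f1
}

# After download: succeed only if the issued certificate contains the
# same public key as the CSR that was submitted.
cert_matches_csr() {  # usage: cert_matches_csr <cert.pem> <csr.pem>
    c=$(pubkey_hash x509 "$1") || return 1
    r=$(pubkey_hash req "$2") || return 1
    [ -n "$c" ] && [ "$c" = "$r" ]
}

# Demo with constructed values.
work=$(mktemp -d)
make_csr "$work/server.key" "$work/server.csr" \
    "/O=Example Org/CN=app01.example.test"
csr_ok "$work/server.csr" && echo "CSR self-signature OK"
echo "CSR public key SHA-256: $(pubkey_hash req "$work/server.csr")"
```

Recording the CSR's public key hash at submission time gives approvers and the requester a value to compare against the issued certificate.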

Generated PKI

Perform the following steps to enroll the certificate through the generated PKI:
1. Go to the KMES Registration Authority endpoint in your browser (https://[kmes_hostname_ip]:8443).
2. Log in with an identity that has the permissions required to submit certificate requests.
3. Select the signing certificate you want to use and select Use remote generated PKI. Select [ Next ] to proceed to the next step in the wizard.
4. Select an Approval Group and select [ Next ].
5. Select an extension profile and optionally add user-defined extensions if allowed for the profile, and select [ Next ].
6. Enter DN Profile information and select [ Next ].
7. Specify the information below to finish configuring the request:
  • Name for the request
  • Expiration date for the certificate
  • Emails you want to associate with the certificate request
  • Key Type (e.g., RSA 2048)
  • Password for the PKCS #12 file that will contain the PKI when issued
8. Select [ Submit ].

Signing workflow and approval

This section covers approving and denying requests, downloading issued certificates, and revoking certificates.
Info: During approval, the KMES validates that the imported DigiCert certificate, its intermediate CA, and the selected DigiCert product are compatible. If they are not compatible, the signing request is blocked before it is submitted to DigiCert.

Approve and deny requests

Perform the following steps to approve and deny requests:
1. Go to the KMES Registration Authority endpoint in your browser (https://[kmes_hostname_ip]:8443).
2. Log in with an identity with the permissions required to approve certificate requests.
3. In the menu on the left side of the home page, select Approve. This displays a summary page that shows the number of pending, signed, and denied requests.
4. In the menu on the right side of the page, select one of the pending certificate requests under the Approval Group you created.
5. You can edit information in the Basic Info, v3 Profiles, Extensions, or DN tabs. When you are ready to approve or deny the request, go to the Approvals tab and select [ Approve ] or [ Deny ].

Download certificates

Perform the following steps to download issued certificates:
1. After you approve a certificate request, it shows a green checkmark next to the request in the right-side menu. Select the approved request and go to the Download tab.
2. Select the desired file format in the drop-down menu (such as PEM X.509, DER X.509, DER PKCS #7, or DER PKCS #12), and select [ Download ].

Revoke certificates

Perform the following steps to revoke certificates:
1. To revoke a certificate, select the request in the right-side menu and go to the Revocation tab.
2. Select a Revoke Reason in the drop-down menu. Reasons include:
  • Unspecified
  • Key Compromise
  • CA Compromise
  • Affiliation Changed
  • Superseded
  • Cessation of Operation
  • Certificate Hold
  • RemoveFromCRL
  • Privilege Withdrawn
  • AA Compromise
3. Optionally, enter Revoke Notes.
4. Select [ Revoke ].