Certificate Authority
DigiCert
Request and approve certificates through the Registration Authority
To ensure a secure and streamlined certificate lifecycle, you can leverage the {{k3}} Registration Authority (RA) to request certificates to be issued by a DigiCert CA. This section outlines the following methods for certificate requests:

- Certificate signing requests (CSRs), where the user provides a pre-generated public key
- Requests in which the {{k3}} generates the key pair through the PKI

It is important to ensure everyone follows proper approval processes for optimal security in your certificate management. Separating duties within a certificate signing workflow that uses a Registration Authority (RA) is a pivotal practice for safeguarding the integrity and trustworthiness of digital certificates. By distributing certificate request, approval, and issuance roles across multiple individuals, you ensure that no single entity or individual has the unilateral power to issue, approve, and manage certificates, thereby significantly mitigating the risk of internal fraud, errors, or compromise.

Certificate enrollment

Select the CSR or Generated PKI certificate enrollment method and follow the instructions.

CSR

Perform the following steps to use the CSR to enroll the certificate:

1. Go to the {{k}} Registration Authority endpoint in your browser ( https://\[kmes hostname ip]:8443 ).
2. Log in with an identity that has the permissions required to submit certificate requests.
3. Select the signing certificate you want to use and leave the CSR option selected.
4. Select \[ Next ] to proceed to the next step in the wizard.
5. Select an approval group and select \[ Next ].
6. Select \[ Choose file ] and upload a CSR, and select \[ Next ].
7. Select an extension profile and optionally add user-defined extensions if allowed for the profile, and select \[ Next ].
8. Optionally, modify the DN profile information, and select \[ Next ].
9. Enter a name for the request and set an expiration date for the certificate.
10. Optionally, add notes and email addresses, and select \[ Submit ].

Generated PKI

Perform the following steps to enroll the certificate through the generated PKI:

1. Go to the {{k}} Registration Authority endpoint in your browser ( https://\[kmes hostname ip]:8443 ).
2. Log in with an identity that has the permissions required to submit certificate requests.
3. Select the signing certificate you want to use and select Use remote generated PKI.
4. Select \[ Next ] to proceed to the next step in the wizard.
5. Select an approval group and select \[ Next ].
6. Select an extension profile and optionally add user-defined extensions if allowed for the profile, and select \[ Next ].
7. Enter DN profile information and select \[ Next ].
8. Specify the information below to finish configuring the request:
   - Name for the request
   - Expiration date for the certificate
   - Emails you want to associate with the certificate request
   - Key type (e.g., RSA 2048)
   - Password for the PKCS #12 file that will contain the PKI when issued
9. Select \[ Submit ].

Signing workflow and approval

This section covers approving and denying requests, downloading issued certificates, and revoking certificates.

Approve and deny requests

Perform the following steps to approve and deny requests:

1. Go to the {{k}} Registration Authority endpoint in your browser ( https://\[kmes hostname ip]:8443 ).
2. Log in with an identity with the permissions required to approve certificate requests.
3. In the menu on the left side of the home page, select Approve. This displays a summary page that shows the number of pending, signed, and denied requests.
4. In the menu on the right side of the page, select one of the pending certificate requests under the approval group you created.
5. You can edit information in the Basic Info, V3 Profiles, Extensions, or DN tabs.
6. When you are ready to approve or deny the request, go to the Approvals tab and select \[ Approve ] or \[ Deny ].

Download certificates

Perform the following steps to download issued certificates:

1. After you approve a certificate request, it shows a green checkmark next to the request in the right-side menu. Select the approved request and go to the Download tab.
2. Select the desired file format in the drop-down menu (such as PEM X.509, DER X.509, DER PKCS #7, or DER PKCS #12), and select \[ Download ].

Revoke certificates

Perform the following steps to revoke certificates:

1. To revoke a certificate, select the request in the right-side menu and go to the Revocation tab.
2. Select a revoke reason in the drop-down menu. Reasons include:
   - Unspecified
   - Key compromise
   - CA compromise
   - Affiliation changed
   - Superseded
   - Cessation of operation
   - Certificate hold
   - removeFromCRL
   - Privilege withdrawn
   - AA compromise
3. Optionally, enter revoke notes.
4. Select \[ Revoke ].
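
For the CSR enrollment method, the requester generates the key pair locally and uploads only the CSR at the \[ Choose file ] step. The following is an added example (not part of the original documentation) that uses OpenSSL to create an RSA 2048 key and CSR and to check the CSR before upload; the file names and subject DN are constructed sample values, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: prepare and sanity-check a CSR before uploading it to the RA.
# Function names, file names and the subject DN are illustrative assumptions.

# make_csr KEYFILE CSRFILE SUBJECT
# Generates an RSA 2048 private key (owner-only permissions, never uploaded)
# and a SHA-256 signed CSR that carries the matching public key.
make_csr() {
    key=$1; csr=$2; subj=$3
    ( umask 077 && openssl genrsa -out "$key" 2048 2>/dev/null ) || return 1
    openssl req -new -sha256 -key "$key" -subj "$subj" -out "$csr" || return 1
}

# check_csr KEYFILE CSRFILE
# Succeeds only if the CSR self-signature verifies (proof of possession)
# and the public key inside the CSR belongs to the given private key.
check_csr() {
    key=$1; csr=$2
    # Match on the message text: older OpenSSL releases exit 0 even when
    # the self-signature check fails.
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q "verify OK" || return 1
    csr_pub=$(openssl req -in "$csr" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    [ -n "$csr_pub" ] && [ "$csr_pub" = "$key_pub" ]
}

# csr_subject CSRFILE
# Prints the subject DN in RFC 2253 form so the requester (and later the
# approver) can compare it with the DN shown in the RA wizard.
csr_subject() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253
}

# Usage with constructed values:
#   make_csr server.key server.csr "/O=Example Test/CN=ra-demo.example.test" \
#     && check_csr server.key server.csr && csr_subject server.csr
```

Only the `.csr` file is uploaded to the RA; the private key file stays on the requesting system.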