Issue your first certificate

Certificates in 4-Steps

The main purpose of MTG Certificate Lifecycle Manager Server is to issue and manage digital X.509 certificates. A certificate is created (issued) inside a specific realm and is bound to it.

A certificate is always issued for a specific end-entity, under a certain policy and realm. In addition, a certificate can only be issued if a corresponding certificate request has been created. Therefore, to issue a certificate you must go through the following steps:

  1. Choose a realm.

  2. Specify the policy under which a certificate should be issued.

  3. Select or create the end-entity for which a certificate is requested.

  4. Choose whether the key pair should be generated on the server side or the public key is delivered in the form of a PKCS#10 request.

  5. Specify the cryptographic parameters and certificate validity.

1. Issue Certificate

The certificate issuance process is started via the Create… ~ Certificate quick access button at the top right. It is a multi-step wizard that collects all the required information.

The realm you are currently logged in to is the realm in which the certificate is issued. For more on realms, see Realms.

1.1. Choose Policy

The first step is to choose the policy (Policies) that will define the certificate creation process, the CA, and the certificate template. Here, you can either pick an existing policy or create a new one.

1.2. Choose End-entities

The next step is to choose the end-entities (End-entities) for which to issue the certificate. Here, you can either pick from existing end-entities or create a new one. Only existing end-entities that satisfy the rules defined in the chosen policy are offered. If the policy is changed so that previously selected end-entities no longer comply with the current policy’s end-entity rules, certificate creation fails for those end-entities and an appropriate message is displayed. When selecting an end-entity that is associated with a user certificate, the system checks whether the attributes of the end-entity match the user data stored in the identity provider. If this check fails, certificate creation for this end-entity fails and an appropriate message is displayed.

1.3. Choose Certificate Source

Next, the source of the public key to be certified must be chosen. Two sources are supported:

1.3.1. PKCS10 Request

The public key is provided in the form of a PKCS#10 Request. Only the public key is taken from the PKCS#10 structure; all other content of the request (subject name, requested extensions and attributes) is ignored, since names and extensions are defined by the policy and its certificate template.

1.3.2. Server-Side Key Generation

In this mode, the CA generates the key pair and delivers it to the user. After the certificate has been created, an extra step becomes available that allows the generated key pair to be downloaded in an encrypted keystore format.

1.4. Certificate Request

Depending on the choice made in the previous step, the user is either asked to upload their PKCS#10 Request or to choose the cryptographic parameters for server-side key generation. The RSA, EC and EdDSA algorithms are supported. Additionally, it is possible to provide a validity period preference to the CA. Depending on the CA’s configuration, the CA may honour this preference or ignore it entirely.
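Before uploading a PKCS#10 Request in this step, it is worth checking locally what the CA will actually receive. The following script is an added example, not part of the product documentation: it assumes the openssl command-line tool is installed, generates an EC key pair with a placeholder subject, verifies the request's self-signature (proof that the requester holds the matching private key) and extracts the public key, which is the only part of the request that is used for issuance.

```shell
#!/bin/sh
# Assumed tool: the openssl CLI (1.1.1 or later). All files go to WORKDIR.
set -eu
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Generate a P-256 key pair and a PKCS#10 request for it. The subject is a
# constructed placeholder: only the public key is taken from the request,
# the certified name comes from the policy's template.
make_csr() {
  openssl ecparam -name prime256v1 -genkey -noout -out "$WORKDIR/ee.key" 2>/dev/null
  openssl req -new -key "$WORKDIR/ee.key" -out "$WORKDIR/ee.csr" \
    -subj "/CN=placeholder.example" 2>/dev/null
}

# Pre-upload check: a valid self-signature proves possession of the private
# key that matches the public key about to be certified. Exit status only.
csr_is_valid() {
  openssl req -in "$WORKDIR/ee.csr" -noout -verify >/dev/null 2>&1
}

# The SubjectPublicKeyInfo carried in the request, as PEM.
csr_public_key() {
  openssl req -in "$WORKDIR/ee.csr" -noout -pubkey 2>/dev/null
}

# The public half of the local private key, for comparison with the CSR.
key_public_key() {
  openssl pkey -in "$WORKDIR/ee.key" -pubout 2>/dev/null
}

# Human-readable key parameters (algorithm, curve, size) as the CA sees them.
csr_key_details() {
  csr_public_key | openssl pkey -pubin -text -noout 2>/dev/null
}
```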

Usually, before a certificate is created, a certificate request is created that requires either email verification or manual approval, depending on the parameters of the policy in use. For further details about the flows of certificate requests, see Cert Requests.