Creating a new certificate
Creating a new certificate is not difficult, but it's a good idea to review the certificate object settings to familiarize yourself with information you'll need to provide when you create the certificate request.
IMPORTANT You must have the View, Read, Write, and Create permissions in order to complete this task.
To create a new certificate
- In the TLS Protect menu bar, click Inventory > Certificates.
- Click Create a New Certificate.
- In Create a New Certificate, enter information into each of the tabs, as described below.
Folder Tab
- Select the location where you want to store the certificate in the Certificate Folder, then click Submit.
- Enter the Nickname, which must be unique in the given folder.
  This usually matches the certificate's Common Name.
  Object names may not contain the backslash (\) or less-than sign (<) characters. Object names (including their path ancestors in the policy tree) must be fewer than 255 total characters.
- (Optional) Enter a Description for the certificate you are creating.
- Select the Management Type.
  NOTE Depending on what you select in this field, options on the following screens will be slightly different.
- Fill out other fields, including any custom fields, as needed, then click Next.
Certificate Signing Request tab
- Select the Hash Algorithm.
- Choose the CSR Generation method.
If you chose Enrollment on the previous screen:
- If you are generating your own CSR:
  - Paste the CSR into the Enter CSR field.
  - If there are any policy issues with the SAN types, you will need to either resolve them by creating a new CSR with SAN types that match the policy, or move the certificate to another folder which allows the SAN types specified in the CSR.
  - If there are any policy issues with domain components, you will need to either resolve them by creating a new CSR with domain components that match the policy (or, if the policy doesn't allow domain components, create a CSR without domain components), or move the certificate to another folder whose domain components policy matches the ones specified in the CSR.
  Click Next. Skip to the next tab's instructions in the next section.
- If you are having Trust Protection Platform generate the CSR:
  - Enter a Common Name and then fill out the organization and location fields.
  - If allowed by policy, specify the domain component(s) that apply to this certificate.
    If this setting is not allowed by policy, this field will be hidden. For more information on domain components, see About Domain Components.
  - Choose a Key Algorithm and Key Size.
    To see a comparison chart, see About RSA and elliptic curve cryptography (ECC) key algorithms.
    For help selecting an algorithm, see Choosing a key algorithm based on the certificate authority (CA).
  - Click Next.
If you chose Provisioning on the previous screen:
- Choose your Key and CSR Generation Options.
  The recommended option will be selected. For more information about remote versus central key generation, see Supported methods of key generation in the Administration Guide.
- Enter a Common Name and then fill out the organization and location fields.
- If allowed by policy, specify the domain component(s) that apply to this certificate.
  If this setting is not allowed by policy, this field will be hidden. For more information on domain components, see About Domain Components.
- Choose a Key Algorithm, and if necessary, an Elliptic Curve.
  To see a comparison chart, see About RSA and elliptic curve cryptography (ECC) key algorithms.
  For help selecting an algorithm, see Choosing a key algorithm based on the certificate authority (CA).
- Click Next.
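An added example, not part of the original documentation, for the "generating your own CSR" path above: it uses OpenSSL (an assumption; the page does not name a tool) to build a CSR and then list the SAN types and domain components that the folder policy will be compared against. The host name, IP address, URI, UPN and organization are constructed placeholders, and the UPN is encoded as an otherName with the Microsoft UPN OID.

```shell
# Added example: build a CSR with OpenSSL and list what the folder policy will check.
# All names, addresses and the UPN below are constructed placeholders.
set -eu
WORK=$(mktemp -d)

cat > "$WORK/csr.cnf" <<'EOF'
[ req ]
prompt             = no
distinguished_name = dn
req_extensions     = ext

[ dn ]
0.DC = com
1.DC = example
O    = Example Corp
CN   = app.example.com

[ ext ]
subjectAltName = @san

[ san ]
DNS.1       = app.example.com
IP.1        = 192.0.2.10
URI.1       = https://app.example.com/
otherName.1 = 1.3.6.1.4.1.311.20.2.3;UTF8:svc-app@example.com
EOF

# SHA-256 hash, RSA 2048 key; the private key stays in $WORK, only the CSR is pasted.
openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/csr.cnf" \
  -keyout "$WORK/app.key" -out "$WORK/app.csr" 2>/dev/null

# Print one SAN type per line (DNS, IP Address, URI, othername = the UPN entry).
san_types() {
  openssl req -in "$1" -noout -text |
    grep -A1 'Subject Alternative Name' | tail -n 1 |
    tr ',' '\n' | sed -e 's/^ *//' -e 's/:.*//' | sort -u
}

# Print the domain components in the CSR subject, one per line.
domain_components() {
  openssl req -in "$1" -noout -subject -nameopt RFC2253 |
    tr ',' '\n' | sed -n 's/^.*DC=//p'
}

san_types "$WORK/app.csr"
domain_components "$WORK/app.csr"
cat "$WORK/app.csr"
```

Compare the listed SAN types and domain components with what the target folder's policy allows before pasting the PEM block into the Enter CSR field.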
Additional Information tab
- Enter the Subject Alternative Names (SANs).
  The SAN types available will depend on the policy settings that are applied to the folder you selected for this certificate. If permitted by policy, you can enter SAN information for the following SAN types:
  - DNS
  - IP
  - UPN
  - URI
  SAN types that are prohibited by policy do not appear on the screen.
  To learn more about SANs, see About Subject Alternative Names (SANs).
- Specify Approvers for the certificate's issuance.
- Choose Yes or No for the certificate's Automatic Renewal.
- Use the list to select a Certificate Authority.
- If requested, enter additional information required by the certificate authority.
- Review the selection for Start Processing on Creation.
  This option has been automatically set based on your previous answers, so we recommend that you leave this setting alone. However, if you want to override the default action, you can do so, but know that it may mean previous settings in the wizard will not be honored.
- Click Create Certificate.
  You'll receive a confirmation that your certificate is being requested.
- If the Management Type is set to Provisioning, you will be prompted to add an installation now. If you want to add an installation, click Yes, Add Installation.
  For information about adding an installation, see Creating a certificate installation.
After the certificate is returned from the Certificate Authority (CA), if you've set up email notifications, the Contacts you've listed will receive a confirmation email.
For information on how long it takes for a certificate authority to act on a certificate request, and how Trust Protection Platform handles delays in certificate issuance, see How long does it take for a certificate authority (CA) to issue a certificate?.