Enrolling a Client Certificate

Client certificate enrollment refers to the process of creating a digital ID for an individual/device for authentication/encryption purposes. It follows the same process as a server certificate.

Note: These certificates cannot be hosted on clients.

Important: In compliance with recent updates from the CA/Browser Forum S/MIME Baseline Requirements, for DigiCert-issued S/MIME certificates, it is now mandatory to include the first name and last name, or a pseudonym in the subject information during certificate enrollment.

However, in the current implementation:

The discovery feature does not retrieve these values in the metadata.
The upload certificate feature is not compatible with this enhancement since it does not have with a direct mapping to the certificate type, unless the certificate is discovered via a Certificate Authority scan.

To enroll a client certificate:

Go to (Menu) > CERT+ > CERTIFICATE ACTION > Enroll Certificate > Client
The Enroll Client Certificate page is displayed.
In the General Information section, from the dropdown list, select the required Assign Group.

Enter/Select the CA Details.

Table 1. Field descriptions for the CA Details section
Field	Description
*Certificate Authority	Note: Depending on the CA selected, the rest of the fields will be displayed. From the dropdown list, select the required certificate authority (CA). Note: For enrolling certificates with policies using Google CA, consider the following points: Certificate Enrollment - Strict Policy The Common Name will not be pre-filled from the policy. The following validation will be seen based on strict policy guidelines. If the Common Name’s domain name is not present in the Allowed Domain Name list, an error validation will be shown upon saving the policy details. Certificate Enrollment - Suggestive Policy The Common Name will not be pre-filled from the policy The following validation will be seen based on strict policy guidelines. If the Common Name’s domain name is not present in the Allowed Domain Name list, the non-compliant policy will be created. If the Common Name’s domain name is present in the Blocked Domain Name list, an error validation will be shown upon saving the policy details. Note: For Certificate Authority = EJBCA, an additional set of fields, Vendor specific details is displayed after the CA Details section. Instructions on specifying the vendor specific details are covered in step 4.
*Renew Automatically	Note: If the Override feature is enabled for the certificate group selected from the Assign Group dropdown list, auto renew settings done in the enrollment page will be overwritten by the group level settings. If Regenerate Automatically has been enabled for the selected certificate group, the Renew Automatically field is not displayed here. To automatically renew this certificate: Turn on the Renew Automatically toggle. The *Start Renewing field is displayed. In the Days Before Expiry field, specify how many days prior to a certificate's expiry the renewal process should start. Valid range for number of days: 1 to 120 Note: The auto renew settings from the parent certificate will be transferred to the child certificate only if the toggle was enabled; they will not transfer if the certificate was renewed manually. After migration, these settings will be disabled for the parent certificate, so enable them manually if needed. Note: The IDnomic CA can be used for issuing certificates only in an on-prem deployment. Certificates issued through IDnomic CA can be renewed only if they are enrolled using a Registration Authority workflow.
Subscribe Email Alerts for Auto-Renewal	This field is displayed when Renew Automatically is enabled. To receive email notifications every time this certificate is auto-renewed, select this checkbox. The email notification includes certificate details, the type of auto action (renewal, in this case), and the outcome (success/failure). These notifications help administrators stay informed of automated lifecycle actions, reducing the overhead to manually track them. If enabled here, this setting overrides the group setting for email alerts subscription, unless group-level overrides have been enforced.
*Regenerate Automatically	To automatically regenerate this certificate: Turn on the Regenerate Automatically toggle. The *Start Regenerating field is displayed. In the Days Before Expiry field, specify how many days prior to a certificate's expiry the regeneration process should start. Valid range for number of days: 1 to 120 Note: This value can exceed the certificate's validity in case of short-lived certificates. Note: This feature can be enabled only for valid certificates (not for revoked/suspended and expired certificates). The auto regenerate settings from the parent certificate will be transferred to the child certificate only if the toggle was enabled; they will not transfer if the certificate was regenerated manually. After migration, these settings will be disabled for the parent certificate, so enable them manually if needed.
Subscribe Email Alerts for Auto-Regenerate	This field is displayed when Regenerate Automatically is enabled. To receive email notifications every time this certificate is auto-regenerated, select this checkbox. The email notification includes certificate details, the type of auto action (regeneration, in this case), and the outcome (success/failure). These notifications help administrators stay informed of automated lifecycle actions, reducing the overhead to manually track them. If enabled here, this setting overrides the group setting for email alerts subscription, unless group-level overrides have been enforced.
*Re-enroll Automatically	To automatically regenerate this certificate: Turn on the Re-enroll Automatically toggle. The *Start Re-enrollng field is displayed. In the Days Before Expiry field, specify how many days prior to a certificate's expiry the regeneration process should start. Valid range for number of days: 1 to 120 Note: This value can exceed the certificate's validity in case of short-lived certificates. Note: User overrides are allowed unless Group Override is active, in which case the group's configuration takes precendence.
*CA Account	To which account the enrollment request to be submitted.
Certificate Type	Select the desired certificate type from the dropdown list.
*Division	Select the division to which the certificate must be enrolled. Note: This field will be shown only for Digicert CA.
Certificate Profile	Note: This field is applicable only for AppViewX CA and Google CA. For the IDnomic CA, this field is displayed when only-CA setting is selected from the CA Account dropdown list. From the dropdown list, select the profile with which the certificate must enroll.
*RA Workflow	Note: This field is displayed when Certificate Authority = IDnomic and a RA setting is selected from the CA Accounts dropdown list. From the dropdown list, select the RA workflow that will be used for certificate enrollment. For the details of a workflow, you can check them on your CA portal on IDnomic.
*Issuer Location	Select the location of the issuer CA from the dropdown. Note: This is applicable only for Google CA.
*Issuer Name	Select the name of the issuer CA from the dropdown. Note: This is applicable only for Google CA.
*Issuance Policy	Note: This field is applicable only for Futurex. From the dropdown list, select the issuing policy for this certificate. An issuance policy defines the rules Futurex must follow to process the certificate enrollment request. The selected issuance policy will determine the approval requirements for the certificate, the cryptographic settings, notification triggeres and other configuration parameters.
*Root CA	Note: This field is applicable only for Futurex. From the dropdown list, select the root CA for the certificate being enrolled. This is the trusted root certificate authority that anchors the certificate chain. All issued certificates will ultimately chain up to this root.
*Signing CA	Note: This field is applicable only for Futurex. From the dropdown list, select the Certificate Authority that will sign the requested certificate.
*Extension Profiles	Note: This field is applicable only for Futurex. Extension profiles enable you to further modify your certificates with additional field, attributes, and requirements. From the dropdown list, select the extension profile that will be used for the certificate being enrolled. To read more on and for instructions to create extension profiles, refer the Futurex documentation. For links, see the References section.
*Approval Group Name	Note: This field is applicable only for Futurex. An approval group is a predefined set of users or roles authorized to approve the certificate enrollment request. From the dropdown list, select the approval group to authorize this enrollment request. To read more on and for instructions to create and manage approval groups, refer the Futurex documentation. For links, see the References section.
*Connector Name	Enter the friendly name for Certificate Authority connector in this field which will be displayed in the holistic view on saving this form.
Description	Enter the description in this field. Note: Character limit: 2000 characters
*CSR Generation	Select the CSR generation option as required. Options are: Upload CSR: Uploaded CSR will be used as the source to populate CSR parameters and submit to CA. To upload a CSR: Under CSR Generation, select Upload CSR. The Please paste your CSR field is displayed. From the Please paste your CSR field, select Browse. Navigate to the location of your CSR file, and click Open. Click Upload. On successful upload of this file, the CSR fields are populated with the corresponding details. HSM: The private key and CSR will be created in the selected HSM device based on CSR parameters given. To generate the private key and the CSR, based on the CSR parameters given in an HSM device: Under CSR Generation, select HSM. To enter/select the configuration details for CSR generation, refer the field descriptions given here. End Point: The private key and CSR will be created in the selected end point device based on the CSR parameters given. To generate the private and the CSR, based on the CSR parameters given in an endpoint device: Under CSR Generation, select End Point. To enter/select the configuration details for CSR generation, refer the field descriptions given here. AppViewX - Private key and CSR will be created in AppViewX based on CSR parameters given. Note: If auto regeneration has been enabled for this cerificate, AppViewX can be enforced as the default CSR generation source (irrespective of any selections made here) every time the certificate is regenerated. To do this, execute the following db script: `db.cert_metadata.insertOne({"_id":"CERT_AUTO_REGENERATE_DEFAULT_APPVIEWX_CSR", "flag":true})` Note: For all CA types except Amazon, you have the option to generate the CSR.
*: Mandatory fields

Table 2. Field descriptions for using HSM as the CSR generation source
Field	Description
*Device Type	From the dropdown list, from the following options, select the type of device on which the private key and the CSR will be generated: HSM Devices (AppViewX will directly communicate with the HSM device for the CSR generation.) ADC Devices (The selected ADC device will interact with the HSM to generate the CSR and subsequently transmit the relevant details to AppViewX.)
*Vendors	This field is displayed only when Device Type = ADC Devices. From the dropdown list, select the required ADC device vendor.
Module Number	This field is displayed when Device Type = ADC Devices and Vendors = Thales. In the event that multiple HSMs are configured on a system, module number is a unique identifier assigned to each HSM. In this field, enter the module number assigned to the selected Thales device.
*Devices	From the dropdown list, select the required HSM/ADC device. This field is populated based on the Device Type and Vendors selected. For Device Type = HSM Devices The dropdown list is populated with HSM devices that were enabled for CSR generation at the time of onboarding and have been successfully onboarded. To read more on onboarding HSM devices in AppViewX, click here. For Device Type = ADC Devices The dropdown list is populated with F5 devices that are in the Managed state. Currently, AppViewX enables HSM key generation only through F5 devices for the following HSM vendors and their respective supported versions: Fortanix (v14 and onwards) Thales (v12 and onwards) Safenet (v12 and onwards)
*Key Handler Name	This field is displayed when Device Type = HSM Devices. Key handler name refers to an identifier used to reference a cryptographic key managed by an HSM device. In this field, enter the reference name assigned to the Master Encryption Key stored in the selected HSM device.
*Key Reference Name	This field is displayed when Device Type = ADC Devices. Key reference name refers to an identifier used to reference a private key that is stored locally on an ADC device or is securely accessible to the device via an external HSM. Enter the desired handler name in the field.

Table 3. Field descriptions for using an endpoint device as the CSR generation source
Field	Description
Category	From the following options, select the ADC device category: ADC Cloud Server Firewall.
Vendor	From the dropdown list, select the vendor for the end point device. Note: The dropdown list for this field is populated based on the Category selected.
*Devices	This field lists the end point devices present in your environment that belong to the above selected Category and Vendor. From the dropdown list, select the end point device on which you want to generate the private key and the CSR.
Tenant	Note: This field is applicable only when Category = ADC. Enter the tenant ID.
*Service name	From the dropdown list, select the cloud service running on the selected cloud Devices.
CSR Location	Note: This field is applicable only when Category = Server.
*Template Name	Note: This field is applicable only when Category = Firewall. Select the required template from the dropdown list. Note: This field will be enabled when the Platform = Panorama while onboading PaloAlto device at Menu > CERT+ > Device Management > Inventory> Firewall > Add. Templates and partitions are used to enroll certificates at the template level. To enroll a certificate at the Panorama level, set the template to None.
Partition	Note: This field is applicable only when Category = Firewall.
*CSR File Name	Enter the name of the file that contains the CSR parameters. Note: Since the extension is already included in the field, ensure that you enter the file name without the file extension. Note: Starting v2023.1.0 FP2, for enrolling Apache server certificates, this field is labeled as CSR File Location.
*Key File Name	Enter the name of the file that contains the private key details. Note: Since the extension is already included in the field, ensure that you enter the file name without the file extension. Note: Starting v2023.1.0 FP2, for enrolling Apache server certificates, this field is labeled as Key File Location.
*Certificate File Name	Note: This field is displayed only when Category = Cloud. Enter the certificate file name.
*Key vault	Note: This field is displayed only when Category = Cloud, Vendor = Azure, and Service name = Key Vault (Azure).
*Service	Note: This field is displayed when Category = Server and Vendor = Microsoft Server. This dropdown list is populated based on the Device selected. From the options in the dropdown list, select the service.
*Exchange Server	Note: This field is displayed when Category = Server and Vendor = Microsoft Server. From the dropdown list, select the name of the MS Exchange server for which the certificate is being enrolled.

For the EJBCA certificate authority, enter/select the vendor details.

Table 4. Field descriptions for the **EJBCA** Vendor Specific Details section
Field	Description
* End Entity Profile Name	From the dropdown list, select the end entity profile name.
End entity user name	Enter the name of the end user entity.
* Issuer Common Name	From the dropdown list, select the issuer common name.
*Certificate Profile Name	From the dropdown list, select the certificate profile name.
*: Mandatory fields

Enter/Select the CSR Parameters.

Table 5. Field descriptions for the CSR Parameters section
Field	Description
*Common Name	The common name is one of the key values of Certificate Signing Request (CSR) to be present in the certificate. For example, <appviewx>. No special characters allowed except en dash (_) and hyphen (-).
*Common Name Indicator	Important: See note. This field is displayed when the selected CA Account is DigiCert and Certificate Type is one of the following: Secure Email for Business Digital Signature Premium As part of DigiCert's revised security regulations, the common name for the above listed DigiCert certificate types is derived from the one of the input attributes, as selected from the dropdown list. For the common name indicator, from the dropdown list, select one of the following: First Name and Last Name Pseudonym Email (applicable only for the Secure Email for Business certificate type)
*First Name	This field is displayed when: Common Name Indicator = First Name and Last Name Common Name Indicator = Email and Indicator Type = First Name and Last Name Enter the verified first name of the individual subject. For Common Name Indicator = First Name and Last Name A combination of the first name and last name will be used to derive the certificate's common name, which will be displayed in the certificate's Common Name field or the Subject DN (in the certificate details that can be accessed from the holistic view). For Common Name Indicator = Email and Indicator Type = First Name and Last Name The first and last name will be appended as mandatory additional information to the Subject Alternative Name.
*Last Name	This field is displayed when: Common Name Indicator = First Name and Last Name Common Name Indicator = Email and Indicator Type = First Name and Last Name Enter the verified last name of the individual subject. For Common Name Indicator = First Name and Last Name A combination of the first name and last name will be used to derive the certificate's common name, which will be displayed in the certificate's Common Name field or the Subject DN (in the certificate details that can be accessed from the holistic view). For Common Name Indicator = Email and Indicator Type = First Name and Last Name The first and last name will be appended as mandatory additional information to the Subject Alternative Name.
*Pseudonym	This field is displayed when: Common Name Indicator = Pseudonym Common Name Indicator = Email and Indicator Type = Pseudonym Enter the pseudonym of the individual subject. A pseudonym is a fictitious name assumed for a particular person. For Common Name Indicator = Pseudonym The entered pseudonym will be displayed in the certificate's Common Name field or the Subject DN (in the certificate details that can be accessed from trhe holistic view). For Common Name Indicator = Email and Indicator Type = Pseudonym The pseudonym will be appended as mandatory additional information to the Subject Alternative Name.
*Indicator Type	This field is displayed when Certificate Type = Secure Email for Business and Common Name Indicator = Email. In this case, the issuer's email address, as specified in the CSR parameters, is used to derive the common name. For Common Name Indicator = Email, it is mandatory to include additional information in the form of the first name and last name or the pseudonym, which will be appended to the Subject Alternative Name. From the following options, select the required indicator type to be used as mandatory information along with the email: First Name and Last Name The First Name and Last Name fields are displayed. Pseudonym The Pseudonym field is displayed.
Subject Alternative Name	You can see the count of subject alternative names (SAN) available for a certificate in the CSR parameter section, inventory grid, and CA connector page. Select the subject alternative subject name from the dropdown list. The possible options are, Select all DNS IP Address. Note: Multiple values must be separated by a comma. The cumulative count SANs appears in the certificate property pop-up window from the holistic view.
*Organization	The organization name is one of the CSR parameters to be present in the certificate. This field will be auto-filled and editable based on the configuration in the selected group’s policy.
Organization Unit	Organization Unit name is one of the CSR parameters to be present in the certificate. This field will be auto-filled and editable based on the configuration in the selected group’s policy.
Locality	The locality name is one of the CSR parameters to be present in the certificate. This field will be auto-filled and editable based on the configuration in the selected group’s policy.
State	The state name is one of the CSR parameters to be present in the certificate. This field will be auto-filled and editable based on the configuration in the selected group’s policy.
*Country	Country name is one of the CSR parameters to be present in the certificate. This field will be auto-filled and editable based on configuration. It must be a 2-letter country code (for example, US, and so on).
Email Address	The email contact details of the person responsible for maintaining the certificate. Enter the valid e-mail address. Except for SwissSign, this field is mandatory or optional based on the value selected for the Email Address mandatory for Client Certificate field in the corresponding CA policy.
*Order Validity	Enter the number in this field and select the entered validity list to be in Days, Months, and Years from the dropdown list. The Order Validity for the following DigiCert S/MIME certificate types cannot exceed 2 years: Secure Email for Business Digital Signature Premium Note: As per revised security regulations for DigiCert S/MIME certificates, the maximum lifespan of the the above listed certificate types is two years.
Challenge Password	Challenge password is one of the CSR parameters to be present in the certificate. Password must contain at least one alphabet (uppercase and lowercase), one number, and one special character.
Confirm Password	Reenter the same password to confirm that is entered in the Challenge Password field.
*Hash Function	The Hash function with which the CSR has to be signed. Any information specific to any CA or vendor has to be covered in the Note section. This field will be auto-filled and editable based on the configuration in the selected group’s policy. Note: For Certificate Authority = HydrantID, irrespective of the hash function selected, by default, the CA returns a certificate with SHA256. Therefore, admins must restrict users from creating a certificate with a hash function other than SHA256. To accomplish this, create policy with a single hash value (SHA256).
*Key Type	From the dropdown list, select the cryptogrpahic algorithm that will be used for generating the certificate's key pair. The dropdown list is populated based on the CA policy configured for the selected CA.
*Bit Length	From the dropdown list, select the required key size (in bits). The dropdown list is populated based on the CA policy configured for the selected CA.
*ECDSA curve	For Key Type = EC, from the dropdown list, select the elliptic curve that will be used to create the public and private key pairs.
*: Mandatory fields

In the Attachments section, upload any additional documents that are relevant to the enrollment of the certificate (for example, approval emails).

Table 6. Field descriptions for the Attachments section
Field	Description
Name	Enter the alternate name for the document to be uploaded.
Comments	Enter the comments in this field. Note: Character limit: 2000 characters
Upload File	Click the Upload button to select the file.

Other than the CSR fields, you can add organization-specific values along with CSR. These values will not be part of the certificate but will be available in the AppViewX inventory. For example, cost center. Inventory can be filtered based on these attributes as well. In the Certificate Attributes can be added under Administration > certificate attributes, it will be reflected on the enrollment page:

Enter the relevant details in the Generic Fields. These are default fields for maintaining the IP address and device information, if required.

Table 7. Field descriptions for the Generic Fields
Field	Description
Device Name	Enter the name of the device.
Application IP Address	Enter the IP address of the application.
Tracking ID	A free-form business alpha-numerical identifier, included in the audit logs, that may be used to correlate audit logentries (typically enrollment and revocation events)
Certificate holder Email	Note: For the IDnomic CA, this field is displayed only when the selected CA account has been configured using a Registration Authority (RA). An email address that may be used to send notifications to certificate holder depending on the notification policies configured for the requested workflow
First name	Note: For the IDnomic CA, this field is displayed only when the selected CA account has been configured using a Registration Authority (RA). First name (as a metadata) associated with the certificate to be enrolled
Last name	Note: For the IDnomic CA, this field is displayed only when the selected CA account has been configured using a Registration Authority (RA). Last name (as a metadata) associated with the certificate to be enrolled
Organization	Note: For the IDnomic CA, this field is displayed only when the selected CA account has been configured using a Registration Authority (RA). Organization name (as a metadata) associated with the certificate to be enrolled
Comment	Note: For the IDnomic CA, this field is displayed only when the selected CA account has been configured using a Registration Authority (RA). Additional information (as a metadata) associated with the certificate to be enrolled
UUID	Note: For the IDnomic CA, this field is displayed only when the selected CA account has been configured using a Registration Authority (RA). Universal Unique Identifier, or UUID, (as a metadata) associated with the certificate to be enrolled

In the Vendor-Specific Details section, enter the CA-specific details. Some of the CAs will expect additional details other than CSR parameters as meta data for their operational purposes. Details common to all CAs will be taken from the AppViewX user information of the logged in user.

Table 8. Field descriptions for the **common** vendor specific details
Field	Description
Certificate ID	The Certificate ID is auto-populated based on the value entered in the Common Name field (in the CSR Parameters section). The Certificate ID can be modified by the user. If the user edits the Certificate ID, any change to the Common Name will not reflect in the Certificate ID. If the user deletes the Certificate ID, the value of the Certificate ID field is set to the Common Name suffixed with the timestamp.

Table 9. Field descriptions for the **DigiCert CA** vendor specific details
Field	Description
*Server Type	From the dropdown list, select the server on which the application that requires the requested certificate is hosted.
*Payment Method	From the dropdown list, select one from the following payment methods: Bill To Account Balance: This option allows you to pay for the DigiCert certificate using the available balance in your DigiCert account. Note: Ensure that the option to bill to account balance is enabled for the account and the account has sufficient balance. Bill To Default Credit Card: This option will charge the cost of the DigiCert certificate to the credit card set as the default payment method in your DigiCert account. Note: Ensure that a credit card is configured as the default payment method for your account.
Additional Email	Enter email addresses that will receive notifications for renewals, reissues, and duplicates for the specified order.
Renewal Message	Enter a custom message that will be sent with the renewal notifications.
Notes	Enter a custom note that will be sent with the order.
*: Mandatory fields

Table 10. Field descriptions for the **Hydrant ID CA** vendor specific details
Field	Description
Expiry Emails	Enter a comma-separated list of email addresses that will receive the certificate expiry notification from HydrantID. Note: HydrantID CA does not accept updates to these email addresses during the renewal process.

Table 11. Field descriptions for the **Nexus CA** vendor specific details
Field	Description
Procedures	The Procedures dropdown list will display only the procedures mapped to the server and the default procedure. From the dropdown list, select the required procedure.

Click Add.
Once the details are added, you will be redirected to a page where the CSR and CA details are added as a connector. This page is called the holistic view and from here, any action on the certificate can be performed including provisioning the certificate to a server.
On the holistic view, click the Submit button to trigger the request.
The submit action is triggered and the Submit dialog box is displayed.
Enter your comments in the text field and click Yes.
If the approval required option is enabled in the CA policy, the request is moved to the Approve and Implementation stages.
Click Approve to proceed.
The Approve dialog box is displayed.
Enter your comments in the text field.

Note: If the workflow request has to be approved automatically in the future, click the Schedule later button .
Click Yes.
Once the approval process is completed, the Implement option is displayed in the holistic view.
Click Implement.
The Implement dialog box is displayed.
Enter your comments in the text field.
If the workflow request has to be implemented automatically in the future, click Schedule later .
Click Yes.
CSR Submission to CA is in progress.Once the CSR submission is successful, the request state will be changed to Submit certificate - retrieval in progress state.
If the enrollment request is compliant with conditions defined and auto-approval enabled in the targeted CA, the certificate will be fetched in a few seconds.
If auto-approval disabled in the targeted CA, you will have to be logged into the CA and approve the request.
Once the certificate is issued successfully, the certificate will be retrieved into AppViewX. You can now push the enrolled certificate(s) to the required endpoint.

References

What's Next?

To automate certificate lifecycle management for enrolled certificates:

Enable auto regeneration of certificates.
Enable auto push of certificates to endpoints. To do this, add an application connector to push the certificate to an AWS device and select the Push Automatically checkbox.
Set alerts to be notified of all events and statuses of the certificates.