Issue Certificates

Use the Issue Certificate page to generate and download digital certificates for entities such as users, devices, servers, and applications. You can issue classical, Post-Quantum Cryptography (PQC), and composite end-entity and subordinate CA certificates.
Note:
  • This module is available starting from the Thames HF2 (2024.0.2.0) release for users of AppViewX PKIaaS Native CA for PKI initialization.
  • For versions prior to Thames FP1 HF3, you must enable the Issue Certificate function. Go to Menu > Platform > Role, search for the administrator role, and select the role link. On the Authorized Functions tab, select the Issue Certificate check box in the PKI module.
After you create a template, you can issue certificates by selecting a Certificate Authority (CA) to sign a digital certificate. The certificate serves as proof of identity and enables secure communication, authentication, and encryption in a PKI-enabled system.

The Issue Certificate page supports two CSR generation modes:

Upload CSR
Upload an existing CSR file. The certificate is issued using the selected issuer CA and template. You can download the issued certificate in PEM (.crt) format.
AppViewX
AppViewX generates the CSR based on the Subject Distinguished Name (DN), algorithm parameters, and SAN values you provide. You can download the issued End Certificate in PKCS#12 (*.pfx) format. For CA Certificate type, you can download the public certificate in PEM (.crt) format.
Note: When you select AppViewX as the CSR generation mode, the available Crypto Model options and algorithm types are determined by the type of CA you select. Unsupported Crypto Models are disabled automatically based on the selected CA.
To issue certificates:
  1. Go to Menu > PKI > Issue Certificate.
    The Issue Certificate page appears.
  2. Enter the required information in the following fields.
    Table 1. Field Description for Issue Certificate section
    Field | Description
    *CA Name | Select the issuer CA from the dropdown list. The available Crypto Model options and algorithm types are determined by the CA type (Classical, PQC, or Composite).
    Certificate Type | Select End Certificate or CA Certificate. The default is End Certificate.
    *Template | Select a certificate template from the dropdown list.
    *Validity | Set the certificate validity in years, months, or days.
    *: Mandatory fields
  3. Select the CSR generation mode and complete the corresponding fields.
    CSR Generation Mode Steps
    Upload CSR
    1. Select Browse and upload a .csr file.
    2. Select the Certificate Download Format. The certificate downloads in PEM (.crt) format.
    AppViewX
    1. Enter the Subject DN fields:
      • Common Name
      • Organization
      • Organization Unit
      • Locality
      • State
      • Country
      • Email Address
    2. Enter the Subject Alternative Name (SAN) values. Supported types: DNS, IP, Email, and URI.
    3. Select the Crypto Model and then select the algorithm parameters. See the following steps for details.
  4. Optional: If you selected AppViewX as the CSR generation mode, select the Crypto Model.
    Select the cryptographic model that defines the type of algorithms used by this Certificate Authority hierarchy. It determines whether the CA uses traditional algorithms, quantum‑resistant algorithms, or a combination of both.
    Crypto Model | Available Algorithm Types
    Classical Cryptography | Uses widely adopted algorithms such as RSA and ECC. Suitable for current, non‑quantum‑resistant environments and existing PKI deployments. This option is available for all CA types.
    Post‑Quantum Cryptography (PQC) | Uses quantum‑resistant algorithms designed to protect against future quantum computing threats. Recommended for long‑term security and crypto‑agile deployments. This option is available only when the selected CA is PQC or Composite.
    Composite Cryptography (Hybrid Classical + PQC) | Combines classical and post‑quantum algorithms in a single certificate to ensure backward compatibility while enabling quantum resistance. Both Classical and PQC key types are displayed in separate fields. This option is available only when the selected CA is Composite.
    Important: Crypto Model options that the selected CA does not support are automatically disabled. For example, if you select a classical CA, the PQC and Composite options are disabled.
  5. Optional: If you selected AppViewX as the CSR generation mode, select the algorithm parameters.
    Field | Description
    Classical Key Type | Displayed for Classical and Composite Crypto Models. Select the classical algorithm, for example, RSA or ECDSA.
    PQC Key Type | Displayed for PQC and Composite Crypto Models. Select the PQC algorithm, for example, ML-DSA-44, ML-DSA-65, or ML-DSA-87.
    Bit Length | Select the key size in bits, for example, 2048, 3072, or 4096 for RSA.
    Hash Function | Select the hash algorithm, for example, SHA-256 or SHA-512.
    Padding | Displayed only when Classical Key Type is set to RSA or DSA. Select PSS or PKCS#1 v1.5.
    *Certificate Download Format | Select the format in which to download the issued certificate. The available format is PKCS#12 (*.pfx) for End Certificate type.
    *Password | Enter a password to protect the PKCS#12 file. This field is required when the Certificate Download Format is set to PKCS#12 (*.pfx).
  6. Select Issue Certificate.
    The certificate is issued with the specified parameters. Depending on the CSR generation mode and certificate type, the following download options are available:
    • For Upload CSR mode: Download the certificate in PEM (.crt) format.
    • For AppViewX mode with End Certificate type: Download the certificate in PKCS#12 (*.pfx) format.
    • For AppViewX mode with CA Certificate type: Download the public certificate in PEM (.crt) format. The CA Certificate appears in the Holistic View Inventory with the complete certificate chain.
The certificate is issued successfully. For composite CA Certificates, you can verify the Signature Algorithm, Hash Algorithm, Public Key, and Thumbprint in the Holistic View Inventory.
Note: Composite End Certificates are not added to the certificate inventory in this release. Composite CA Certificates issued through the Issue Certificate page appear in the Holistic View Inventory and display the complete certificate chain.
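
For Upload CSR mode, the CSR is created outside the product. The following is an added example, not AppViewX code: it uses the OpenSSL command line (1.1.1 or later assumed) to generate a key and CSR locally with the Subject DN fields and SAN types listed above, then checks the CSR before upload. The subject values, SAN values, file names, and the RSA 3072 / SHA-256 choice are constructed placeholders.

```shell
#!/bin/sh
# Added example: build and check a CSR before using Upload CSR mode.
# Subject values, SANs and file names are constructed placeholders.

# make_csr <key_out> <csr_out>: RSA 3072 key generated locally, CSR signed
# with SHA-256, carrying the four SAN types the page lists.
make_csr() {
  ( umask 077  # key file readable by its owner only
    openssl req -new -newkey rsa:3072 -nodes -sha256 -keyout "$1" -out "$2" \
      -subj "/C=US/ST=Example State/L=Example City/O=Example Org/OU=Example Unit/CN=app01.example.test/emailAddress=pki-admin@example.test" \
      -addext "subjectAltName=DNS:app01.example.test,IP:192.0.2.10,email:pki-admin@example.test,URI:https://app01.example.test/" \
      2>/dev/null )
}

# check_csr <csr>: succeed only if the self-signature verifies and every
# expected SAN entry is present.
check_csr() {
  openssl req -in "$1" -noout -verify 2>&1 | grep -q "verify OK" || return 1
  text=$(openssl req -in "$1" -noout -text) || return 1
  for want in "DNS:app01.example.test" "IP Address:192.0.2.10" \
              "email:pki-admin@example.test" "URI:https://app01.example.test/"; do
    printf '%s\n' "$text" | grep -qF "$want" || { echo "missing SAN: $want" >&2; return 1; }
  done
}

# pubkey_fp <req|x509|pkey> <file>: SHA-256 over the PEM public key.
pubkey_fp() {
  case "$1" in
    req)  pub=$(openssl req  -in "$2" -noout -pubkey) ;;
    x509) pub=$(openssl x509 -in "$2" -noout -pubkey) ;;
    pkey) pub=$(openssl pkey -in "$2" -pubout) ;;
    *)    return 2 ;;
  esac || return 1
  [ -n "$pub" ] || return 1
  printf '%s\n' "$pub" | openssl sha256 | awk '{print $NF}'
}

# same_key <kind_a> <file_a> <kind_b> <file_b>: true when both files carry
# the same public key; any read error counts as a mismatch.
same_key() {
  a=$(pubkey_fp "$1" "$2") && b=$(pubkey_fp "$3" "$4") && [ "$a" = "$b" ]
}

work=$(mktemp -d)
make_csr "$work/app01.key" "$work/app01.csr" && check_csr "$work/app01.csr" \
  && same_key req "$work/app01.csr" pkey "$work/app01.key" \
  && echo "CSR ready to upload: $work/app01.csr"
# After download, same_key x509 issued.crt pkey app01.key confirms the match.
```

The private key stays on the host that generated it; only the .csr file is uploaded.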