Generating Certificate Signing Requests With Existing Keys

If you have a key stored on your token, you can generate corresponding certificate signing requests (CSRs) with it.

Note: The actions and options below depend on the token type and may not be available for your specific token.

To generate a CSR using an existing key:

  1. Go to the Certificates view in the left navigation pane.

  2. Click the Generate CSR icon on the slot holding the existing key.

     

  3. The Generate Key, CSR or Certificate dialog opens, with the Existing key & generate CSR generation action and the key stored in the respective slot pre-selected.

    The Generate Key, CSR or Certificate dialog.

    Alternatively, you can click the Generate button in the top-right corner of the Certificates view.

    The Certificates view with the Generate button highlighted.

    In the Generate dialog, select Existing Key & generate CSR from the Select action drop-down.

    The Generate Key, CSR or Certificate dialog with the Existing key and generate CSR option selected.

  4. Choose Existing Key: Use this drop-down to select a key other than the pre-selected one to generate the CSR for.

  5. Hash Algorithm: Select the hash algorithm used to create a digital representation (hash) of the data within the CSR. This hash is used to create a digital signature that proves the integrity and authenticity of the CSR.

    The available options are:

    • SHA1

    • SHA256 (default)

    • SHA384

    • SHA512

      We recommend using SHA-256 (default) or higher.

  6. Padding Scheme: If an RSA key type is selected, you can choose the padding scheme. A padding scheme is a method used to add extra data to a hash before creating a digital signature with an RSA key to ensure that the resulting signature is unique and resistant to certain types of cryptographic attacks.

    • PKCS1 (Public Key Cryptography Standards #1)

    • PSS (Probabilistic Signature Scheme): PSS adds randomness to the padding process, making the signature more secure against certain types of cryptographic attacks.

      Important: PSS is considered more secure, but PSS-signed certificates may not be supported by older systems.

  7. Subject (Distinguished Name): Add at least one Subject Distinguished Name component for your CSR.

    • Common Name is selected by default, but you can delete the value by clicking the Clear icon and select another option from the drop-down list.

      The Distinguished Name value dropdown with the list of options displayed.

    • Alternatively, you can type the attribute's long or short name or OID directly into the field.

    • Click the Add Value button to include additional attributes of your Subject Distinguished Name in the CSR.

  8. Other x509 v3 Extensions (Advanced): If you need x509 v3 extensions to be added to your CSR:

    1. Click the Other x509 v3 Extensions (Advanced) dropdown button.

      The Other x509 Extensions field dropdown.

    2. The Subject Alternative Name (SAN) extension section will be displayed.

      The Subject Alternative Name section with the toggle and Add SAN buttons.

      (If you want to add a custom extension to your CSR, see point 9.)

    3. Click the toggle button to enable SAN in your CSR.

    4. A checkbox will appear to the left of the toggle button. If checked, the extension will be marked as critical.

      The SAN section with the Add SAN checkbox highlighted.

    5. Click the Add SAN button for additional SAN entries. The number of SANs is not limited.

      The available types of SANs are:

      • IP Address

      • DNS Name

      • Email

      • URI (Uniform Resource Identifier)

      • UPN (User Principal Name)

      Hover over the information icon to view example entries for each type.

  9. To add custom extensions to your certificate, click the Add Custom Extension button in the Other x509 v3 Extensions (Advanced) field.

    • The Custom Extension section appears in the dialog.

      The Generate Key, CSR or Certificate dialog with the Custom Extension section highlighted.

    The Custom Extension section with the checkbox highlighted.

    • To remove an extension, click the trash bin icon.

  10. Click the Generate button.

    The generated CSR has been added to the key in the respective slot.

    The Certificates view with the occupied slot highlighted.
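
To confirm that a CSR carries the hash algorithm, padding scheme and SAN settings chosen in the dialog, it can be inspected with OpenSSL. The following is an added example, not part of the product's own tooling: it assumes the openssl command-line tool (1.1.1 or later), and the software key, file names, subject and SAN values are constructed stand-ins for a token-held key and its exported CSR.

```shell
#!/bin/sh
# Added example. A constructed software RSA key stands in for the token-held
# key; the subject and SAN values are constructed test data.
set -eu
WORK="$(mktemp -d)"
CSR="$WORK/csr.pem"

# Build a CSR from an existing key with choices the dialog offers:
# SHA256 hash, PSS padding, one Subject DN component, SAN marked critical.
make_sample_csr() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/key.pem" 2>/dev/null
  openssl req -new -key "$WORK/key.pem" -sha256 \
    -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 \
    -subj "/CN=device01.example.test" \
    -addext "subjectAltName=critical,DNS:device01.example.test,IP:192.0.2.10" \
    -out "$1"
}

# check_csr FILE PADDING HASH   (PADDING: pss|pkcs1, HASH: sha256|sha384|sha512)
# Succeeds only if the CSR's self-signature verifies, no SHA1 is involved,
# and the signature algorithm matches the padding and hash that were selected.
check_csr() {
  csr_out="$(openssl req -in "$1" -noout -verify -text 2>&1)" || return 1
  echo "$csr_out" | grep -q "verify OK" || return 1
  if echo "$csr_out" | grep -i "Algorithm" | grep -qi "sha1"; then return 1; fi
  case "$2" in
    pss)   want="rsassaPss"
           echo "$csr_out" | grep -q "Hash Algorithm: $3" || return 1 ;;
    pkcs1) want="${3}WithRSAEncryption" ;;
    *)     return 2 ;;
  esac
  echo "$csr_out" | grep -q "Signature Algorithm: $want"
}

# Print the SAN header and entries; the header ends in "critical" when flagged.
csr_san() {
  openssl req -in "$1" -noout -text | grep -A1 "Subject Alternative Name"
}

make_sample_csr "$CSR"
check_csr "$CSR" pss sha256 && echo "signature: PSS with SHA256, verified"
csr_san "$CSR"
```

For a CSR exported from the token, skip make_sample_csr and pass the exported file to check_csr with the padding and hash that were selected in the dialog.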