Code Signing Certificate Enrollment

Code Signing certificate enrollment is the process of creating a digital identity for code or documents. It starts with generating a key pair (private and public key) and a certificate signing request (CSR), and then submitting the CSR to the desired CA to obtain a certificate. SIGN+ supports generating the key pair on an end point device, in an HSM, or in AppViewX. You can also upload an existing CSR when enrolling for a digital certificate.
Note: These certificates cannot be hosted on servers.

Prerequisites

  • Users should have read and write access to the account.
  • The user should have configured the CA account in AppViewX.
  • A policy and a certificate profile are created according to the customer’s use case.
  • Purpose and usage are mapped according to the extended key usage and validation policy.

Enrollment

The following steps explain how to enroll a code signing certificate:
  1. Go to (Menu) > SIGN+.
  2. Under the CERTIFICATE ACTIONS, select Enroll Certificate > Code Signing Certificate.

    The Enroll Code Signing Certificate page is displayed.

  3. In the General Information section, from the dropdown list, select the required Assign Group.
  4. Enter the following fields in the CA Details section:
    Table 1. Field descriptions for the CA Details section
    *Certificate Authority: Select the desired certificate authority from the dropdown list. Based on the selected CA, the other CA details are configured. The possible CAs are:
    • Digicert MPKI
    • GlobalSign SSL
    • GlobalSign MSSL
    • Microsoft Enterprise
    • Microsoft Standalone
    • Nexus
    • OpenTrust
    • Any other programmable CA configured by the user
    *Renew Automatically: Set the toggle button to On or Off.
    • When the toggle is enabled, the Start Renewing option is enabled.
    • Enter the number of days to renew the certificate automatically.
    Note: Changing the renewal period inherited from the group overwrites the renewal period for this certificate.
    *CA Account: The CA account to which the enrollment request is submitted.
    Certificate Type: Select the desired certificate type from the dropdown list.
    *Division: Select the division to which the certificate must be enrolled.
    Note: This field is shown only for the Digicert CA.
    Certificate Profile: Select the profile to which the certificate must be enrolled.
    Note: This field is applicable only for the AppViewX CA and Google CA.
    *Issuer Location: Select the location of the issuer CA from the dropdown list.
    Note: This is applicable only for Google CA.
    *Issuer Name: Select the name of the issuer CA from the dropdown list.
    Note: This is applicable only for Google CA.
    *Connector Name: Enter a friendly name for the Certificate Authority connector. It is displayed in the holistic view after you save this form.
    Description: Enter the description in this field.
    Note: You can enter a maximum of 2000 words in the field.
    *CSR Generation: Select the CSR generation option as required. The options are:
    • AppViewX CSR Generation.
    • UploadCSR - The uploaded CSR is taken as the source to populate the CSR parameters and is submitted to the CA.
      • Click the Browse button, and then select the file.
      • Click the Upload button to upload the selected file.
      • When the CSR is uploaded successfully, the CSR parameters are filled in automatically in the CSR section.
    • HSM - The private key and CSR are created in the selected HSM device based on the CSR parameters given. The HSM fields are:
      *Device Type: Select the type of device as required. The possible options are:
      • HSM Devices
      • ADC Devices
      *Vendors: Select the desired vendors from the dropdown list. The possible vendors when Device Type is HSM Devices:
      • Fortanix
      • PKCS11
      The possible vendors when Device Type is ADC Devices:
      • Safenet
      • Thales
      • Fortanix
      *Devices: Select the desired device from the dropdown list.
      Note:
      • By default, the None Selected option is enabled.
      • When Device Type = ADC Devices, the list is populated based on the selection in the Vendors field.
      *Key Handler Name: Enter the desired handler name in the field.
      *Key Reference Name: Enter the key reference name.
      Note: This field appears only when Device Type = ADC Devices.
    • End Point - The private key and CSR are created in the selected end point device based on the CSR parameters given. The End Point fields are:
      Category: Select the desired category from the dropdown list. The possible options are:
      • ADC
      • Server
      • Firewall
      Vendor: Select the desired vendor from the dropdown list. The possible options are:
      • AVI
      • Citrix
      • F5
      • Nginx Plus
      • HAProxy
      Note: The vendor list is populated based on the selected category.
      *Devices: Select the desired device from the dropdown list.
      Note: By default, the None option is selected.
      Tenant: Enter the tenant ID in this field.
      Note: This field appears when you select the category as ADC.
      *CSR file name: Enter the name of the CSR file in this field.
      Note: This field appears when you select the category as Server.
      *Partition: Enter the partition in this field.
      Note: This field appears when you select the category as Firewall.
      *Key File Name: Enter the name of the key file in this field.
    • AppViewX - The private key and CSR are created in AppViewX based on the CSR parameters given.
    Note: For all CA types except Amazon, you have the option to generate the CSR.
    *: Mandatory fields

    While enrolling certificates with policies using Google CA, the following points must be considered:

    • Certificate Enrollment - Strict Policy
      • The Common Name is not pre-filled from the policy.
      • The following validation applies based on the strict policy guidelines:
        • If the Common Name’s domain name is not present in the Allowed Domain Name list, a validation error is shown when you save the policy details.
    • Certificate Enrollment - Suggestive Policy
      • The Common Name is not pre-filled from the policy.
      • The following validations apply:
        • If the Common Name’s domain name is not present in the Allowed Domain Name list, the enrollment is flagged as non-compliant with the policy.
        • If the Common Name’s domain name is present in the Blocked Domain Name list, a validation error is shown when you save the policy details.
  5. Only for the EJBCA CA, enter the Vendor Specific Details.
    Table 2. Field descriptions for the Vendor Specific Details section
    End entity user name: Enter the name of the end entity.
    *End Entity Profile Name: Select the profile name from the dropdown list.
    *User Common Name: Select the common name from the dropdown list.
    *Certificate Profile Name: Select the certificate profile name from the dropdown list.
    *: Mandatory fields
  6. Enter the following fields in the CSR Parameters section.
    *Common Name: The common name is one of the key values of the Certificate Signing Request (CSR) to be present in the certificate. For example, <appviewx>. No special characters are allowed except underscore (_) and hyphen (-).
    Subject Alternative Name: You can see the count of subject alternative names (SAN) available for a certificate in the CSR Parameters section, the inventory grid, and the CA connector page. Select the subject alternative name type from the dropdown list. The possible options are:
    • Select all
    • DNS
    • IP Address
    Note:
    • Multiple values must be separated by a comma.
    • The cumulative SAN count appears in the certificate property pop-up window in the holistic view.
    *Organization: The organization name is one of the CSR parameters to be present in the certificate. This field is auto-filled and editable based on the configuration in the selected group’s policy.
    Organization Unit: The organization unit name is one of the CSR parameters to be present in the certificate. This field is auto-filled and editable based on the configuration in the selected group’s policy.
    Locality: The locality name is one of the CSR parameters to be present in the certificate. This field is auto-filled and editable based on the configuration in the selected group’s policy.
    State: The state name is one of the CSR parameters to be present in the certificate. This field is auto-filled and editable based on the configuration in the selected group’s policy.
    *Country: The country name is one of the CSR parameters to be present in the certificate. This field is auto-filled and editable based on the configuration. It must be a 2-letter country code (for example, US).
    Email Address: The email contact details of the person responsible for maintaining the certificate. Enter a valid email address.
    *Validity: Enter the number and select whether it is in Days, Months, or Years from the dropdown list.
    Challenge Password: The challenge password is one of the CSR parameters to be present in the certificate. The password must contain at least one uppercase letter, one lowercase letter, one number, and one special character.
    Confirm Password: Re-enter the password entered in the Challenge Password field to confirm it.
    *Hash Function: The hash function with which the CSR is signed. CA- or vendor-specific information is covered in the Note below. This field is auto-filled and editable based on the configuration in the selected group’s policy.
    Note: For Certificate Authority = HydrantID, irrespective of the hash function selected, the CA returns a certificate with SHA256 by default. Therefore, admins must restrict users from creating a certificate with a hash function other than SHA256. To accomplish this, create a policy with a single hash value (SHA256).
    *Key Type: The key type is used while creating the private and public key pair. This field is auto-filled and editable based on the configuration in the selected group’s policy. The supported key types are RSA, ECC, and DSA.
    *Bit Length: The bit length is used while creating the private and public key pair. This field is auto-filled and editable based on the configuration in the selected group’s policy.
    *: Mandatory fields
  7. In the Attachments section, upload any additional documents that are relevant to the enrollment of the certificate (for example, approval emails).
    Table 3. Field descriptions for the Attachments section
    Name: Enter an alternate name for the document to be uploaded.
    Comments: Enter the comments in this field.
    Note: You can enter a maximum of 2000 words in the field.
    Upload File: Click the Upload button to select the file.
  8. In addition to the CSR fields, you can add organization-specific values along with the CSR (for example, cost center). These values are not part of the certificate but are available in the AppViewX inventory, and the inventory can be filtered by these attributes as well. Certificate attributes added under Administration > Certificate Attributes are reflected on the enrollment page.
  9. Enter the relevant details in the Generic Fields. These are default fields for maintaining the IP address and device information, if required.
    Table 4. Field descriptions for the Generic Fields
    Device Name: Enter the name of the device.
    Application IP Address: Enter the IP address of the application.
  10. In the Vendor-Specific Details section, enter the CA-specific details. Some CAs expect additional details beyond the CSR parameters for their operational purposes.
    • By default, the Certificate ID is auto-populated from the value entered in the Common Name field (in the CSR Parameters section).
    • The user can modify the Certificate ID.
    • If the user edits the Certificate ID, subsequent changes to the Common Name are not reflected in the Certificate ID.
    • If the user deletes the Certificate ID, the field is set to the Common Name suffixed with the timestamp.
  11. Click Add.

    Once the details are added, you are redirected to a page where the CSR and CA details are added as a connector. This page is called the holistic view, and from here any action on the certificate can be performed, including provisioning the certificate to a server.

  12. On the holistic view, click the Submit button to trigger the request.

    The submit action is triggered and the Submit dialog box is displayed.

  13. Enter your comments in the text field and click Yes.

    If the approval required option is enabled in the CA policy, the request moves to the Approve and Implementation stages.

  14. Click Approve to proceed.

    The Approve dialog box is displayed.

  15. Enter your comments in the text field.
    Note: If the workflow request has to be approved automatically in the future, click the Schedule later button.
  16. Click Yes.

    Once the approval process is completed, the Implement option is displayed in the holistic view.

  17. On the certificate holistic view, click Implement to proceed.
  18. In the Implement dialog box, enter your comments.

    If the workflow request has to be implemented automatically in the future, click Schedule later. You can then select the Implementation Time from the calendar field.

  19. Click Yes.

    CSR submission to the CA is in progress.

  20. Once the CSR submission is successful, the request state changes to Submit certificate - retrieval in progress.

    If the enrollment request is compliant with the defined conditions and auto-approval is enabled in the targeted CA, the certificate is fetched in a few seconds.

    If auto-approval is disabled in the targeted CA, you must log in to the CA and approve the request.

    Once the certificate is issued successfully, it is retrieved into AppViewX.
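The following Python script is an added example and is not part of the AppViewX documentation or the SIGN+ product. It turns the rules stated in steps 4 and 6 into a pre-flight check that can be run before clicking Add: the Common Name character rule, the 2-letter country code, the challenge password rule, the RSA/ECC/DSA key types, the HydrantID SHA256 restriction, and the strict/suggestive Google CA domain verdicts. It then renders the parameters into an OpenSSL request config with the codeSigning extended key usage and the openssl command that generates the key pair and CSR described at the top of the page, which is the pair the UploadCSR option accepts. It goes beyond the page in one respect: it maps ECC bit lengths to named curves and handles DSA parameter files. Everything not stated on the page is an assumption: the allowed bit lengths and hash functions in the policy tables, the subdomain matching used for the Allowed and Blocked Domain Name lists, the OpenSSL config layout, and the sample values in the test.

```python
import ipaddress
import re
from dataclasses import dataclass

# Assumed policy tables (not from the page): bit lengths per key type the page
# lists as supported, and the hash functions a group policy might allow.
ALLOWED_KEY_SIZES = {"RSA": {2048, 3072, 4096}, "ECC": {256, 384, 521}, "DSA": {2048, 3072}}
ALLOWED_HASHES = {"SHA256", "SHA384", "SHA512"}
# Page: HydrantID always issues SHA256, so its policy must allow only that value.
CA_HASH_POLICY = {"HydrantID": {"SHA256"}}
# Page: the Common Name allows no special characters except underscore and hyphen.
CN_RE = re.compile(r"^[A-Za-z0-9_-]+$")
EC_CURVES = {256: "P-256", 384: "P-384", 521: "P-521"}


@dataclass
class CsrParams:
    """The CSR Parameters fields of step 6 (empty string = not provided)."""
    common_name: str
    organization: str
    country: str
    key_type: str
    bit_length: int
    hash_function: str
    organization_unit: str = ""
    locality: str = ""
    state: str = ""
    email: str = ""
    san: str = ""                 # comma-separated DNS names and/or IP addresses
    challenge_password: str = ""

def split_san(raw):
    """Split the comma-separated SAN field into (type, value) pairs."""
    pairs = []
    for item in (s.strip() for s in raw.split(",") if s.strip()):
        try:
            ipaddress.ip_address(item)
            pairs.append(("IP", item))
        except ValueError:
            pairs.append(("DNS", item))
    return pairs

def password_ok(pw):
    # Challenge password rule from the page: upper, lower, digit and special character.
    return all(re.search(p, pw) for p in (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]"))

def validate(p, ca):
    """Return the list of rule violations; an empty list means the CSR may be submitted."""
    errors = []
    if not CN_RE.match(p.common_name):
        errors.append("Common Name: only letters, digits, underscore and hyphen are allowed")
    if not p.organization:
        errors.append("Organization is mandatory")
    if not re.fullmatch(r"[A-Z]{2}", p.country):
        errors.append("Country must be a 2-letter code such as US")
    sizes = ALLOWED_KEY_SIZES.get(p.key_type)
    if sizes is None:
        errors.append("Key Type must be RSA, ECC or DSA")
    elif p.bit_length not in sizes:
        errors.append(f"Bit Length {p.bit_length} is not valid for {p.key_type}")
    if p.hash_function not in CA_HASH_POLICY.get(ca, ALLOWED_HASHES):
        errors.append(f"Hash Function {p.hash_function} is not permitted for {ca}")
    if p.challenge_password and not password_ok(p.challenge_password):
        errors.append("Challenge Password needs upper, lower, digit and special character")
    return errors

def domain_verdict(cn, mode, allowed, blocked=frozenset()):
    """Google CA rules of step 4. Strict: CN domain not in Allowed list -> "error".
    Suggestive: in Blocked list -> "error", not in Allowed list -> "non-compliant"."""
    # Assumed semantics: the CN matches a listed domain exactly or as a subdomain.
    hit = lambda domains: any(cn == d or cn.endswith("." + d) for d in domains)
    if mode == "strict":
        return "ok" if hit(allowed) else "error"
    if hit(blocked):
        return "error"
    return "ok" if hit(allowed) else "non-compliant"

def openssl_req_config(p):
    """Render an OpenSSL 'req' config (assumed layout) carrying the codeSigning EKU."""
    dn = [("CN", p.common_name), ("O", p.organization), ("OU", p.organization_unit),
          ("L", p.locality), ("ST", p.state), ("C", p.country), ("emailAddress", p.email)]
    lines = ["[req]", "prompt = no", "distinguished_name = dn", "req_extensions = ext",
             f"default_md = {p.hash_function.lower()}", "", "[dn]"]
    lines += [f"{k} = {v}" for k, v in dn if v]
    lines += ["", "[ext]", "keyUsage = digitalSignature", "extendedKeyUsage = codeSigning"]
    sans = split_san(p.san)
    if sans:
        lines.append("subjectAltName = " + ",".join(f"{t}:{v}" for t, v in sans))
    return "\n".join(lines) + "\n"

def openssl_command(p, key_path, csr_path, cnf_path):
    """argv for 'openssl req' that creates the key pair and the CSR from the config."""
    if p.key_type == "RSA":
        key_opts = ["-newkey", f"rsa:{p.bit_length}"]
    elif p.key_type == "ECC":
        key_opts = ["-newkey", "ec", "-pkeyopt", f"ec_paramgen_curve:{EC_CURVES[p.bit_length]}"]
    else:  # DSA needs a parameter file, e.g. from 'openssl dsaparam -out dsaparam.pem 2048'
        key_opts = ["-newkey", "dsa:dsaparam.pem"]
    return ["openssl", "req", "-new", *key_opts, "-nodes", "-keyout", key_path,
            "-out", csr_path, "-config", cnf_path]
```

Build a CsrParams from the values you intend to enter, call validate() with the target CA name, and submit only when it returns an empty list; write openssl_req_config() to a file and run the argv from openssl_command() to produce the key and CSR for the UploadCSR option. The domain verdict is kept separate from the syntax checks because, under a suggestive policy, a "non-compliant" result does not block enrollment but should be reviewed before approval in step 14.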
What to do next:
  • Configure the signing policy with relevant details, ensuring mapping to the enrolled certificate (also identified as the signing key on the signing policy page).
  • The file types selected during policy creation are the only ones permitted for upload. Supported file types include: PS1, EXE, CAT, MSI, JS, JAR, APK, VBS, CAB, WSF, DLL, PSM1, PSD1, PS1XML, JSE, and VBE.