
CSR Signing

This guide explains step-by-step how to sign a CSR (Certificate Signing Request) through SecTrail CM. You can sign CSRs with a local CA or with external CA integrations.

About the Feature

The CSR signing feature allows you to obtain certificates without sharing the private key. You can perform the signing process by uploading a CSR created in your own application to SecTrail CM or by creating a CSR through SecTrail CM.

CSR Signing Scenarios

SecTrail CM supports two different CSR signing scenarios:

1. External CSR Signing (Private Key Not Shared)

Used when you don't want to share the private key:

  1. Create CSR on your own server/application (private key stays on your server)
  2. Import CSR to SecTrail CM
  3. Sign CSR through SecTrail CM
  4. Download signed certificate and install on your server

Security Advantage

With this method, the private key is never shared and only stays on your own server. It is the most secure method.

2. Creating CSR on SecTrail CM

Used for centralized management:

  1. Create CSR through SecTrail CM
  2. Sign the created CSR immediately
  3. Download certificate and private key together

CSR Signing Screen

There is a special interface in SecTrail CM for CSR signing operations.

Access Path

To sign a CSR: Go to Inventory → Sign CSR menu.

[Screenshot: Sign CSR - CSR Signing Form]

CSR Signing Parameters

Basic Information

| Field       | Description                                          | Example                                    |
|-------------|------------------------------------------------------|--------------------------------------------|
| CSR         | CSR to be signed                                     | Select existing CSR from dropdown          |
| CA Type     | Signing type                                         | Local CA, External CA                      |
| External CA | External CA selection (if CA Type is External CA)    | ADCS, GlobalSign, DigiCert, Hashicorp Vault |
| Domain Name | Certificate domain name (optional)                   | Descriptive name                           |
| Password    | Certificate private key password                     | Strong password                            |

CSR Selection

All CSRs in SecTrail CM inventory are listed in the CSR dropdown. Format: [Organization] - [Identifier] (e.g., bntpro.com - ST-5cc54e0593)

CA Type Options

1. Local CA

Signing the CSR with a CA that already exists in SecTrail CM:

Usage Scenarios:

  • For internal/corporate certificates
  • For test and development environments
  • For certificates managed with your own PKI infrastructure

Advantages:

  • Fast signing
  • Full control
  • No additional cost
  • Can work offline

2. External CA

Signing with an integrated CA such as ADCS, GlobalSign, DigiCert or Hashicorp Vault:

Usage Scenarios:

  • For public certificates
  • For certificates requiring browser trust
  • For compliance requirements
  • For enterprise CA integrations

Supported External CAs:

| CA Provider     | Description                                      | Usage                                         |
|-----------------|--------------------------------------------------|-----------------------------------------------|
| ADCS            | Microsoft Active Directory Certificate Services  | Windows environments, enterprise PKI          |
| GlobalSign      | GlobalSign HVCA (Managed PKI)                    | Enterprise, high-volume certificate management |
| DigiCert        | DigiCert CertCentral API                         | Public SSL/TLS certificates                   |
| Hashicorp Vault | Vault PKI Secrets Engine                         | Cloud-native, dynamic certificate management  |

Prerequisite: CA Integration

You must configure the relevant CA integration before using External CA.

For detailed setup instructions, review the Integrations page.

CSR Signing Steps

Method 1: External CSR Signing (Private Key Not Shared)

This method is used to obtain certificates without sharing the private key.

Step 1: Creating CSR on Your Own Server

First, create the CSR and private key on your own server/application:

Creating CSR with Windows/IIS:

  1. IIS Manager → Server Certificates
  2. Create Certificate Request
  3. Fill in Distinguished Name information
  4. Cryptographic Service Provider: Microsoft RSA SChannel, 2048 bit
  5. Save CSR file

Step 2: Importing CSR to SecTrail CM

  1. Go to Inventory → Import Certificate menu
  2. Select CSR as Certificate Type
  3. Upload your CSR file or paste its content
  4. Click Import button

After CSR is successfully imported, it is added to inventory and assigned an identifier (e.g., ST-5cc54e0593).

Step 3: Signing CSR

  1. Go to Inventory → Sign CSR menu
  2. CSR Selection:
    • Select the CSR you imported from dropdown
    • Format: [Organization] - [Identifier]
  3. CA Type Selection:
    • Local CA: Signing with CA in SecTrail CM
    • External CA: Signing with External CA
  4. External CA Selection (if External CA is selected):
    • ADCS, GlobalSign, DigiCert, or Hashicorp Vault
  5. Domain Name (Optional):
    • Enter a descriptive name (e.g., bntpro.local - copy of sectrail webserver)
  6. Password:
    • Set a strong password for the certificate
    • You can generate an automatic password with the Generate button
  7. Click Sign button

Step 4: Downloading Signed Certificate

After signing is completed, the Show Key screen opens:

[Screenshot: Show Key - Signed Certificate and Download Options]

Download Buttons:

  • Download Zip - All files (cert, chain, bundle)
  • Download Jks - Java KeyStore format
  • Download Crt - Certificate file only
  • Download Chain - CA chain
  • Download Bundle - Complete certificate chain
  • Download Key - Private key (only for CSRs created in SecTrail CM)

Important

The Download Key button does not work for external CSRs because the private key is not in SecTrail CM but on your own server. This is a security feature.
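The two halves of Method 1 that happen on your own server, creating the CSR (Step 1) and checking the certificate you download after signing (Step 4), as an added OpenSSL example for servers that are not Windows/IIS. This is not SecTrail CM's own tooling and is not from the page; it assumes OpenSSL is installed, and the file names, subject fields and the `make`/`check` script arguments are constructed for the example. The check compares the SHA-256 of the public key inside the downloaded .crt with the public key derived from the local private key, then runs `openssl verify` against the file from Download Chain, so a certificate that was issued for a different CSR is caught before it is installed.

```shell
#!/bin/sh
# Added example, not SecTrail CM tooling. Assumes OpenSSL is available.
# File names and subject fields below are constructed for the example.
set -e

# Step 1 equivalent: generate the private key and CSR locally. The key never
# leaves this host; only the CSR file is uploaded via Inventory -> Import Certificate.
# Matches the IIS defaults on the page (RSA, 2048 bit).
make_csr() {
  key="$1"; csr="$2"; cn="$3"
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$key" 2>/dev/null
  chmod 600 "$key"
  openssl req -new -key "$key" -out "$csr" -subj "/C=TR/O=Example Org/CN=$cn" 2>/dev/null
  # Sanity check: the CSR's self-signature verifies before we upload it.
  openssl req -in "$csr" -noout -verify >/dev/null 2>&1
}

# Step 4 equivalent, check 1: the public key in the downloaded certificate must be
# the one belonging to the local private key (compare SHA-256 of the DER public key).
cert_matches_key() {
  cert="$1"; key="$2"
  a=$(openssl x509 -in "$cert" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}')
  b=$(openssl pkey -in "$key" -pubout -outform DER | openssl dgst -sha256 | awk '{print $NF}')
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# Step 4 equivalent, check 2: the certificate chains to the CA file obtained
# with "Download Chain".
chain_verifies() {
  cert="$1"; chain="$2"
  openssl verify -CAfile "$chain" "$cert" >/dev/null 2>&1
}

# Stand-alone usage (script name is an assumption):
#   sh csr_check.sh make  server.key server.csr www.example.test
#   sh csr_check.sh check server.crt server.key chain.pem
case "${1:-}" in
  make)
    make_csr "$2" "$3" "$4" && echo "CSR written to $3; upload only this file to SecTrail CM" ;;
  check)
    if cert_matches_key "$2" "$3" && chain_verifies "$2" "$4"; then
      echo "OK: certificate matches the local key and chains to the CA"
    else
      echo "MISMATCH: do not install this certificate" >&2; exit 1
    fi ;;
esac
```

Run the `make` form before Step 2 and upload only the .csr file; after Step 4 run the `check` form with the downloaded .crt and chain. Only the CSR ever leaves the host, which is the property the Security Advantage note above describes.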

Method 2: Creating CSR on SecTrail CM

This method is suitable for centralized management, but note that the private key is also created and stored in SecTrail CM.

Step 1: Creating CSR

  1. Go to Inventory → Create Certificate menu
  2. Select CSR as Certificate Type
  3. Fill in certificate information:
    • Common Name, Organization, Country, etc.
  4. Key Length: 2048 or 4096 bit
  5. Set Pfx Password
  6. Click Submit button

The CSR and private key are created and added to the inventory.

Step 2: Signing CSR

Follow the steps in the Step 3: Signing CSR section of Method 1 above.

Step 3: Downloading Certificate and Private Key

In this scenario, since the private key is also in SecTrail CM, the Download Key button works and you can download all files.

Domain Name Field

The Domain Name field is optional and used for identification purposes:

Example: bntpro.local - copy of sectrail webserver

This field:

  • Helps identify the certificate in the inventory
  • Is used to distinguish multiple similar certificates
  • Appears in reports and logs

Password Generation

For the Password field:

  1. Manual Input: Enter your own password
  2. Automatic Generation: Click the GENERATE button
    • Creates a strong, random password
    • Minimum 16 characters
    • Contains uppercase/lowercase letters, numbers, and special characters
  3. View: You can reveal the password with the eye icon

Password Security

Store the password in a secure password manager and use different passwords for each certificate.