Skip to main content
banner image
venafi logo

Certificate Enrollment: What You Should Know [Expert Insights]

Certificate Enrollment: What You Should Know [Expert Insights]

certificate enrollment
May 16, 2018 | David Bisson

Certificate enrollment refers to the process by which a user requests a digital certificate. They must submit the request with a certification authority (CA), an entity which issues and manages digital certificate for use within the public key infrastructure (PKI). Users can request a digital certificate from a CA manually or automatically without any interaction on their part.

A certificate enrollment procedure begins when a user files a certificate enrollment request with a CA. The request should contain sufficient information to enable the CA to verify the identity of the user requesting the certificate. These pieces of data generally include the user's domain name, a business telephone number that is obtainable via public sources, and the details for three contacts:

  1. An authorization contact, or someone who is authorized to request certificates for your organization
  2. A technical contact, or someone who receives an approved certificate and who will coordinate its renewals/updates
  3. A billing contact who can manage purchases of certificates.

The CA may also request additional information based upon the type of certificate requested.

Besides submitting relevant information for verification purposes, a user must submit other details. For instance, the PKCS#10: Certification Request Syntax Specification, one of the most common formats for certificate enrollment submissions, requires users to send over their public key for the CA's signature, the digital signature, and the hashing algorithm used to create the digital signature. The user is usually not responsible for creating the public key themselves. As reported by Tech-FAQ, they send their certificate request to a Cryptographic Service Provider (CSP) installed on their computer. The CSP, in turn, creates the public and private key pair for the request, adds the public key to the request information, and passes it on to the CA.

After receiving the enrollment request, the CA decrypts the digital signature using the public key, calculates a hash, and uses that product to verify the hash in the decrypted signature. It also uses all of the verification information provided by the user for validation purposes. For instance, it verifies that the requesting company is in good standing by confirming active registration in corporate registries and reaches out to the contact listed in the requester website's whois record to confirm the company's domain. If validation is successful, the CA digitally signs the public key, adds it to an X.509 certificate, and sends the completed certificate to the user.

At that point, the user should verify the certificate, install it on their server, and make sure they make a note of its location so that relevant software like Apache can find it in the future. They should also consider copying the file received from Certification and storing a certificate's relevant keys in a secure location. Only then should they publicize copies of their certificate so that digital entities like web sites and browsers can authenticate it.

To maintain that authentication, users who purchase a certificate need to make sure they know all locations where certificates are installed and used by applications after enrollment. They then need to amass that information and use it to manage all certificate purchases and renewals.

That's where Venafi comes in. Our platform for machine identity protection features an enrollment portal that helps users configure multiple CAs. This allows organizations to more quickly request and renew certificates. But more importantly, the Venafi Platform allows organizations to verify that the certificate is installed correctly and will work as intended. The solution also features the ability to centrally generate key pairs and CSRs for users requesting certificates, and it enables dual controls for installation and enrollment.

Streamline your certificate enrollment process today.

Learn more about machine identity protection. Explore now.

Related blogs

Like this blog? We think you will love this.
image of hands typing on a keyboard in the dark
Featured Blog

The Abuse of Root Certificates, Certificate Mis-issuance and Certificate Transparency

First, a bit about root certificates.

Read More
Subscribe to our Weekly Blog Updates!

Join thousands of other security professionals

Get top blogs delivered to your inbox every week

See Popular Tags

You might also like

CIO Study: Certificate-Related Outages Continue to Plague Organizations
White Paper

CIO Study: Certificate-Related Outages Continue to Plague Organizations

Machine Identity Protection for Dummies

Machine Identity Protection for Dummies

About the author

David Bisson
David Bisson

David is a Contributing Editor at IBM Security Intelligence.David Bisson is a security journalist who works as Contributing Editor for IBM's Security Intelligence, Associate Editor for Tripwire and Contributing Writer for Gemalto, Venafi, Zix, Bora Design and others.

Read Posts by Author
get-started-overlay close-overlay cross icon
get-started-overlay close-overlay cross icon
Venafi Risk assessment Form Image

Sign up for Venafi Cloud

Venafi Cloud manages and protects certificates

* Please fill in this field Please enter valid email address
* Please fill in this field Password must be
At least 8 characters long
At least one digit
At last one lowercase letter
At least one uppercase letter
At least one special character
* Please fill in this field
* Please fill in this field
* Please fill in this field

End User License Agreement needs to be viewed and accepted

Already have an account? Login Here

get-started-overlay close-overlay cross icon

How can we help you?

Thank you!

Venafi will reach out to you within 24 hours. If you need an immediate answer please use our chat to get a live person.

In the meantime, please explore more of our solutions

Explore Solutions

learn more

Email Us a Question

learn more

Chat With Us

learn more