Adding enrollment forms

Add an enrollment form

  1. Navigate to Enrollment > Enrollment Forms.

  2. Click the Add icon.

  3. In the Create Enrollment Endpoint dialog, provide a name to help identify the endpoint.

  4. Select the type of certificate to be issued through the endpoint.

  5. Click Next.

  6. On the Details tab, enter or generate a URI extension that will be used to access the enrollment form.

  7. Complete the Configuration tab based on the information provided in the following table.

    Field Description

    Authentication Types

    The authentication types that can be used to access the enrollment form.

    The possible types are:

    • Email Confirmation — The enrollment form can be accessed using an email confirmation.

      For client certificate enrollment, the provided email must be from a domain delegated to the organization or department.

    • Identity Provider — The enrollment form can be accessed using your configured identity provider.

      Identity provider authentication is required in order to see or use enrollment form accounts whose authorization method is IDP assertions mapping.

    • Secret ID — The enrollment form can be accessed using the email and secret ID of a Person in SCM who is associated with the account’s organization or department.

    Help Instructions

    Instructions that will be displayed to users when they access the enrollment form.

    URL Link Text

    Clickable text displayed in the enrollment form; clicking it redirects users to the URL provided in the URL Address field.

    URL Address

    The URL for an external source for additional instructions.

  8. Click Save.

Add an account to an enrollment form

  1. Navigate to Enrollment > Enrollment Forms.

  2. Select the enrollment form to which you want to add an account, and click Accounts.

  3. In the Web Form Accounts dialog, click the Add icon.

  4. Complete the Create Web Form Account dialog based on the information provided in the following table.

    Field Description

    Name

    The name of the account.

    Organization

    The organization to which the account belongs.

    Users enrolling client certificates using this account must have an email from a domain delegated to this organization.

    The organization cannot be changed once the account is created.

    Department

    The department to which the account belongs.

    Users enrolling client certificates using this account must have an email from a domain delegated to this department.

    The department cannot be changed once the account is created.

    Profiles

    The certificate profiles available when enrolling certificates through this account.

    CSR generation method

    The method used to generate the certificate signing request (CSR) for certificates requested through this account.

    • Browser — The CSR and private key are generated directly in the browser. The private key remains secure as it is not stored in SCM or visible to Sectigo. This method supports the issuance of SSL, Client, Device, and Code-Signing certificates. The issued certificate and private key can be downloaded in .p12 format.

    • Server — The CSR and private key are generated in SCM. Because Sectigo has visibility of the private key, this method only supports the issuance of Client, Device, and Code-Signing certificates. When used to request Client certificates, the private key is eligible for storage in Sectigo Key Vault. The issued certificate and private key can be downloaded in .p12 format.

    • Provided by user — The CSR is created and provided by the requestor. This method supports the issuance of SSL, Client, Device, and Code-Signing certificates. The issued certificate and private key are not available in .p12 format.

    • Sectigo Security App — The CSR and private key are generated using the Sectigo Security application installed on the requestor’s machine. This method supports the issuance of SSL, Client, and Device certificates. The issued certificate is directly transferred to the Sectigo Security App for installation.

    Automatically approve certificate requests

    When selected, certificate requests are automatically approved without needing administrator approval in SCM. This overrides any approval requirements configured in the certificate profile.

    Allow Auto Renew SSL Certificates

    When selected, SSL certificates are eligible for automatic renewal configuration during enrollment.

    Allow Empty PKCS12 Password for Compatible TripleDES-SHA1

    When selected, users can leave the password field empty when requesting the certificate. Setting a password is recommended, as not all applications support certificate files that are not password-protected.

    Preferred key protection algorithm

    The default key protection algorithm selected in the enrollment form for certificates requested through this account. Users can still select a different algorithm when requesting the certificate.

    • No preference — No preference is set for the key protection algorithm.

    • Secure AES256-SHA256 — The key protection algorithm is set to AES256-SHA256 by default.

    • Compatible TripleDES-SHA1 — The key protection algorithm is set to TripleDES-SHA1 by default.

    Authorization method

    The method used to authorize user access to the account.

    The options are:

    • None — The account is accessible to any user who can authenticate to the enrollment endpoint.

    • Access Code — You provide an access code for the account. After authenticating to the enrollment form, users enter this access code to access the account.

    • IDP assertions mapping — You can click Edit to map IDP assertions so that users who authenticate through their IDP are authorized to access the account automatically.

      The following IDP assertions are available for mapping:

      • cn — The user’s full name or common name.

      • displayname — A human-readable display name for the user.

      • entitlement — Information about the user’s access rights or permissions.

      • eppn — A unique identifier for individuals within education and research institutions, often resembling an email address.

      • givenname — The user’s first name.

      • groups — Information about the user’s group memberships or affiliations.

      • mail — The user’s email address.

      • schachomeorganization — The user’s organization identifier.

      • sn — The user’s last name or surname.

      • uid — A unique identifier for the user within an organization or system.

  5. Click Save.
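The CSR generation method, "Allow Empty PKCS12 Password" and "Preferred key protection algorithm" settings above decide where the private key lives and how the downloaded .p12 is protected. The following is an added example, not Sectigo's or SCM's own code: it performs the "Provided by user" flow locally with the `cryptography` library (key and CSR created on the requester's machine, only the CSR leaves it), then builds the .p12 with either of the two protection algorithms named on the form, refuses an empty password unless the account allows it, and audits a bundle by looking for the PBE algorithm OIDs in its DER. The self-signed certificate is a constructed stand-in for the CA-issued one so that the example runs offline.

```python
# Added example (not SCM's code). Requires the `cryptography` package (>= 38).
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.serialization import pkcs12
from cryptography.x509.oid import NameOID

# DER-encoded AlgorithmIdentifier OIDs that tell the two protection schemes apart:
# PBES2 (used with AES-256-CBC / SHA-256) and legacy pbeWithSHA1And3-KeyTripleDES-CBC.
OID_PBES2 = bytes.fromhex("06092a864886f70d01050d")            # 1.2.840.113549.1.5.13
OID_PBE_SHA1_3DES = bytes.fromhex("060a2a864886f70d010c0103")  # 1.2.840.113549.1.12.1.3


def make_key_and_csr(common_name, email):
    """'Provided by user' method: key pair and CSR are created on the requester's
    machine; only the PEM CSR is pasted into the enrollment form."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    subject = x509.Name([
        x509.NameAttribute(NameOID.COMMON_NAME, common_name),
        x509.NameAttribute(NameOID.EMAIL_ADDRESS, email),
    ])
    csr = x509.CertificateSigningRequestBuilder().subject_name(subject).sign(key, hashes.SHA256())
    return key, csr.public_bytes(serialization.Encoding.PEM)


def self_signed_stand_in(key, common_name):
    """Constructed stand-in for the certificate the CA would issue for the CSR."""
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = datetime.now(timezone.utc)
    return (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + timedelta(days=30))
        .sign(key, hashes.SHA256())
    )


def bundle_pkcs12(key, cert, password, algorithm="AES256-SHA256", allow_empty_password=False):
    """Build the .p12 a user would download, protected with the algorithm chosen on
    the form. An empty password is refused unless the account allows it (the
    "Allow Empty PKCS12 Password" setting); in that case the bundle is unencrypted."""
    if not password:
        if not allow_empty_password:
            raise ValueError("this account does not allow an empty PKCS#12 password")
        encryption = serialization.NoEncryption()
    elif algorithm == "AES256-SHA256":
        encryption = (
            serialization.PrivateFormat.PKCS12.encryption_builder()
            .kdf_rounds(100_000)
            .key_cert_algorithm(pkcs12.PBES.PBESv2SHA256AndAES256CBC)
            .hmac_hash(hashes.SHA256())
            .build(password)
        )
    elif algorithm == "TripleDES-SHA1":
        encryption = (
            serialization.PrivateFormat.PKCS12.encryption_builder()
            .key_cert_algorithm(pkcs12.PBES.PBESv1SHA1And3KeyTripleDESCBC)
            .hmac_hash(hashes.SHA1())
            .build(password)
        )
    else:
        raise ValueError(f"unknown key protection algorithm: {algorithm}")
    return pkcs12.serialize_key_and_certificates(b"enrollment", key, cert, None, encryption)


def pkcs12_protection(p12_der):
    """Audit a downloaded .p12: report which PBE scheme protects it by scanning the
    DER for the AlgorithmIdentifier OIDs defined above."""
    if OID_PBES2 in p12_der:
        return "PBES2 (AES)"
    if OID_PBE_SHA1_3DES in p12_der:
        return "pbeWithSHA1And3-KeyTripleDES-CBC (legacy)"
    return "unencrypted or unknown"


if __name__ == "__main__":
    key, csr_pem = make_key_and_csr("alice", "alice@example.com")
    print(csr_pem.decode())
    cert = self_signed_stand_in(key, "alice")
    for algorithm in ("AES256-SHA256", "TripleDES-SHA1"):
        print(algorithm, "->", pkcs12_protection(bundle_pkcs12(key, cert, b"s3cret", algorithm)))
```

The OID scan is deliberately crude (it does not parse the PKCS#12 structure), but it is enough to flag bundles that were downloaded with the "Compatible TripleDES-SHA1" default when an account was expected to hand out "Secure AES256-SHA256" files.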
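The "Authorization method" setting decides which authenticated users may use an account, and the "Authentication Types" note earlier on the page explains why an account mapped on IDP assertions cannot be seen or used by someone who signed in by email confirmation or secret ID. The following added example (not SCM's code) models that decision for the three methods. The matching rule is an assumption, not documented on the page: every mapped attribute must be present in the assertion and at least one of its values must equal one of the permitted values, compared case-insensitively; a missing attribute fails closed. Account names, the access code, the entitlement value and the assertion are all constructed.

```python
# Added example (not SCM's code); matching semantics are an assumption.
import hmac

# Constructed sample accounts, one per authorization method on the form.
ACCOUNTS = {
    "Staff client certificates": {
        "authorization_method": "IDP assertions mapping",
        "mapping": {
            "schachomeorganization": ["example.edu"],
            "entitlement": ["urn:example:pki:client"],  # constructed value
        },
    },
    "Lab devices": {
        "authorization_method": "Access Code",
        "access_code": "constructed-code-123",
    },
    "Visitor certificates": {"authorization_method": "None"},
}

# Constructed SAML-style assertion for a user who signed in through the IDP.
# Attribute names are the ones listed on the page; values are multi-valued.
ASSERTION = {
    "mail": ["alice@example.edu"],
    "eppn": "alice@example.edu",
    "groups": ["staff", "pki-users"],
    "schachomeorganization": "Example.edu",
    "entitlement": ["urn:example:pki:client", "urn:example:library"],
}


def _values(raw):
    """SAML attributes are multi-valued: accept a string or a list, normalise case."""
    if raw is None:
        return set()
    if isinstance(raw, str):
        raw = [raw]
    return {v.strip().lower() for v in raw}


def assertion_matches(mapping, assertion):
    """Fail closed: a missing attribute or no overlapping value denies access."""
    for attribute, permitted in mapping.items():
        if not _values(assertion.get(attribute)) & _values(permitted):
            return False
    return True


def account_allows(account, assertion=None, access_code=None):
    """Decide whether an already-authenticated user may use an account.
    `assertion` is None when the user authenticated by email confirmation or
    secret ID rather than through the IDP, so mapped accounts stay closed."""
    method = account["authorization_method"]
    if method == "None":
        return True
    if method == "Access Code":
        return access_code is not None and hmac.compare_digest(access_code, account["access_code"])
    if method == "IDP assertions mapping":
        return assertion is not None and assertion_matches(account["mapping"], assertion)
    raise ValueError(f"unknown authorization method: {method}")


def usable_accounts(accounts, assertion=None, access_code=None):
    """Names of the accounts a user could use, sorted for stable output."""
    return sorted(name for name, acct in accounts.items()
                  if account_allows(acct, assertion, access_code))


if __name__ == "__main__":
    print("IDP login:", usable_accounts(ACCOUNTS, ASSERTION))
    print("email confirmation:", usable_accounts(ACCOUNTS, None))
    print("email + access code:", usable_accounts(ACCOUNTS, None, "constructed-code-123"))
```

Mapping on `mail` alone is weaker than mapping on `schachomeorganization` or `entitlement`, because the organization or department of a client-certificate account is already tied to delegated email domains; pairing an organizational attribute with an entitlement or group keeps the account closed to everyone the IDP does not explicitly mark as eligible.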