Adding enrollment forms

Add an enrollment form

Navigate to Enrollment Enrollment Forms.
Click the Add icon.
In the Create Enrollment Endpoint dialog, provide a name to help identify the endpoint.
Select the type of certificate to be issued through the endpoint.
Click Next.
On the Details tab, enter or generate a URI extension that will be used to access the enrollment form.

Complete the Configuration tab based on the information provided in the following table.

Field	Description
Authentication Types	The authentication types that can be used to access the enrollment form. The possible types are: Email Confirmation — The enrollment form can be accessed using an email confirmation. For client certificate enrollment, the provided email must be from a domain delegated to the organization or department. Identity Provider — The enrollment form can be accessed using your configured identity provider. IDP authentication is required in order to see or use enrollment form accounts that are configured with the IdP assertion mapping authorization method. Secret ID — The enrollment form can be accessed using the email and secret ID of a Person in SCM who is associated with the account’s organization or department.
Help Instructions	Instructions that will be displayed to users when they access the enrollment form.
URL Link Text	Clickable text to be displayed in the enrollment form that, when clicked, redirects users to the URL provided in the URL Address field.
URL Address	The URL for an external source for additional instructions.

Field

Description

Authentication Types

The authentication types that can be used to access the enrollment form.

The possible types are:

Email Confirmation — The enrollment form can be accessed using an email confirmation.

For client certificate enrollment, the provided email must be from a domain delegated to the organization or department.
Identity Provider — The enrollment form can be accessed using your configured identity provider.

IDP authentication is required in order to see or use enrollment form accounts that are configured with the IdP assertion mapping authorization method.
Secret ID — The enrollment form can be accessed using the email and secret ID of a Person in SCM who is associated with the account’s organization or department.

Help Instructions

Instructions that will be displayed to users when they access the enrollment form.

URL Link Text

Clickable text to be displayed in the enrollment form that, when clicked, redirects users to the URL provided in the URL Address field.

URL Address

The URL for an external source for additional instructions.

Click Save.

Add an account to an enrollment form

Navigate to Enrollment Enrollment Forms.
Select the enrollment form to which you want to add an account, and click Accounts.
In the Web Form Accounts dialog, click the Add icon.

Complete the Create Web Form Account dialog based on the information provided in the following table.

Field Description

Field	Description
Name	The name of the account.
Organization	The organization to which the account belongs. Users enrolling client certificates using this account must have an email from a domain delegated to this organization. The organization cannot be changed once the account is created.
Department	The department to which the account belongs. Users enrolling client certificates using this account must have an email from a domain delegated to this department. The department cannot be changed once the account is created.
Profiles	The certificate profiles available when enrolling certificates through this account.
CSR generation method	The method used to generate the certificate signing request (CSR) for certificates requested through this account. Browser — The CSR and private key are generated directly in the browser. The private key remains secure as it is not stored in SCM or visible to Sectigo. This method supports the issuance of SSL, Client, Device, and Code-Signing certificates. The issued certificate and private key can be downloaded in `.p12` format. Server — The CSR and private key are generated in SCM. Because Sectigo has visibility of the private key, this method only supports the issuance of Client, Device, and Code-Signing certificates. When used to request Client certificates, the private key is eligible for storage in Sectigo Key Vault. The issued certificate and private key can be downloaded in `.p12` format. Provided by user — The CSR is created and provided by the requestor. This method supports the issuance of SSL, Client, Device, and Code-Signing certificates. The issued certificate and private key are not available in `.p12` format. Sectigo Security App — The CSR and private key are generated using the Sectigo Security application installed on the requestor’s machine. This method supports the issuance of SSL, Client, and Device certificates. The issued certificate is directly transferred to the Sectigo Security App for installation.
Automatically approve certificate requests	When selected, certificate requests are automatically approved without needing administrator approval in SCM. This overrides any approval requirements configured in the certificate profile.
Allow Auto Renew SSL Certificates	When selected, SSL certificates are eligible for automatic renewal configuration during enrollment.
Allow Empty PKCS12 Password for Compatible TripleDES-SHA1	When selected, users can leave the password field empty when requesting the certificate. Setting a password is recommended as not all applications support non-password protected certificates.
Preferred key protection algorithm	The default key protection algorithm selected in the enrollment form for certificates requested through this account. Users can still select a different algorithm when requesting the certificate. No preference — No preference is set for the key protection algorithm. Secure AES256-SHA256 — The key protection algorithm is set to AES256-SHA256 by default. Compatible TripleDES-SHA1 — The key protection algorithm is set to TripleDES-SHA1 by default.
Authorization method	The method used to authorize user access to the account. The options are: None — The account is accessible to any user that can authenticate to the enrollment endpoint. Access Code — When Access Code is selected as the authorization method, you provide an access code for the account. Following authentication to the enrollment form, users can enter this access code to access the account. IDP assertions mapping — When ID assertions mapping is selected as the authorization method, you can click Edit to map IDP assertions authorize users to access the account automatically when authenticating through their IDP. The following IDP assertions are available for mapping: cn — The user’s full name or common name. displayname — A human-readable display name for the user. entitlement — Information about the user’s access rights or permissions. eppn — A unique identifier for individuals within education and research institutions, often resembling an email address. givenname — The user’s first name. groups — Information about the user’s group memberships or affiliations. mail — The user’s email address. schachomeorganization — The user’s organization identifier. sn — The user’s last name or surname. uid — A unique identifier for the user within an organization or system.

Name

The name of the account.

Organization

The organization to which the account belongs.

Users enrolling client certificates using this account must have an email from a domain delegated to this organization.

The organization cannot be changed once the account is created.

Department

The department to which the account belongs.

Users enrolling client certificates using this account must have an email from a domain delegated to this department.

The department cannot be changed once the account is created.

Profiles

The certificate profiles available when enrolling certificates through this account.

CSR generation method

The method used to generate the certificate signing request (CSR) for certificates requested through this account.

Browser — The CSR and private key are generated directly in the browser. The private key remains secure as it is not stored in SCM or visible to Sectigo. This method supports the issuance of SSL, Client, Device, and Code-Signing certificates. The issued certificate and private key can be downloaded in .p12 format.
Server — The CSR and private key are generated in SCM. Because Sectigo has visibility of the private key, this method only supports the issuance of Client, Device, and Code-Signing certificates. When used to request Client certificates, the private key is eligible for storage in Sectigo Key Vault. The issued certificate and private key can be downloaded in .p12 format.
Provided by user — The CSR is created and provided by the requestor. This method supports the issuance of SSL, Client, Device, and Code-Signing certificates. The issued certificate and private key are not available in .p12 format.
Sectigo Security App — The CSR and private key are generated using the Sectigo Security application installed on the requestor’s machine. This method supports the issuance of SSL, Client, and Device certificates. The issued certificate is directly transferred to the Sectigo Security App for installation.

Automatically approve certificate requests

When selected, certificate requests are automatically approved without needing administrator approval in SCM. This overrides any approval requirements configured in the certificate profile.

Allow Auto Renew SSL Certificates

When selected, SSL certificates are eligible for automatic renewal configuration during enrollment.

Allow Empty PKCS12 Password for Compatible TripleDES-SHA1

When selected, users can leave the password field empty when requesting the certificate. Setting a password is recommended as not all applications support non-password protected certificates.

Preferred key protection algorithm

The default key protection algorithm selected in the enrollment form for certificates requested through this account. Users can still select a different algorithm when requesting the certificate.

No preference — No preference is set for the key protection algorithm.
Secure AES256-SHA256 — The key protection algorithm is set to AES256-SHA256 by default.
Compatible TripleDES-SHA1 — The key protection algorithm is set to TripleDES-SHA1 by default.

Authorization method

The method used to authorize user access to the account.

The options are:

None — The account is accessible to any user that can authenticate to the enrollment endpoint.
Access Code — When Access Code is selected as the authorization method, you provide an access code for the account. Following authentication to the enrollment form, users can enter this access code to access the account.
IDP assertions mapping — When ID assertions mapping is selected as the authorization method, you can click Edit to map IDP assertions authorize users to access the account automatically when authenticating through their IDP.

The following IDP assertions are available for mapping:
- cn — The user’s full name or common name.
- displayname — A human-readable display name for the user.
- entitlement — Information about the user’s access rights or permissions.
- eppn — A unique identifier for individuals within education and research institutions, often resembling an email address.
- givenname — The user’s first name.
- groups — Information about the user’s group memberships or affiliations.
- mail — The user’s email address.
- schachomeorganization — The user’s organization identifier.
- sn — The user’s last name or surname.
- uid — A unique identifier for the user within an organization or system.

Click Save.