Managing enrollment forms
Edit an enrollment form
- Navigate to .
- Select the enrollment form you want to edit, and click Edit.
- Update the enrollment form name.
  - Click the Edit icon in the top right of the Edit Enrollment Endpoint dialog.
  - Update the enrollment form name as required.
  - Click Next.
- Update the Configuration tab based on the information provided in the following table.

  Field | Description
  Authentication Types | The authentication types that can be used to access the enrollment form. The possible types are:
    - Email Confirmation — The enrollment form can be accessed using an email confirmation. For client certificate enrollment, the provided email must be from a domain delegated to the organization or department.
    - Identity Provider — The enrollment form can be accessed using your configured identity provider. IDP authentication is required in order to see or use enrollment form accounts that are configured with the IdP assertion mapping authorization method.
    - Secret ID — The enrollment form can be accessed using the email and secret ID of a Person in SCM who is associated with the account’s organization or department.
  Help Instructions | Instructions that will be displayed to users when they access the enrollment form.
  URL Link Text | Clickable text to be displayed in the enrollment form that, when clicked, redirects users to the URL provided in the URL Address field.
  URL Address | The URL for an external source for additional instructions.

- Click Save.
Delegate an enrollment form
- Navigate to .
- Select the enrollment form you want to delegate, and click Delegate.
- Specify the Delegation Mode based on the information in the following table.

  Field | Description
  General | When selected, the enrollment form is available for all organizations and departments.
  Customized | When selected, the enrollment form is available for only the selected organizations and departments.

- Click Save.
Delete an enrollment form
- Navigate to .
- Select the enrollment form you want to delete, and click the Delete icon.
- Click Delete.
Managing enrollment form accounts
Edit an enrollment form account
- Navigate to .
- Select the enrollment form with the account you want to edit, and click Accounts.
- Select the account you want to edit, and click Edit.
- Update the Edit Enrollment Form Account dialog based on the information provided in the following table.

  Field | Description
  Name | The name of the account.
  Profiles | The certificate profiles available when enrolling certificates through this account.
  CSR generation method | The method used to generate the certificate signing request (CSR) for certificates requested through this account.
    - Browser — The CSR and private key are generated directly in the browser. The private key remains secure as it is not stored in SCM or visible to Sectigo. This method supports the issuance of SSL, Client, Device, and Code-Signing certificates. The issued certificate and private key can be downloaded in .p12 format.
    - Server — The CSR and private key are generated in SCM. Because Sectigo has visibility of the private key, this method only supports the issuance of Client, Device, and Code-Signing certificates. When used to request Client certificates, the private key is eligible for storage in Sectigo Key Vault. The issued certificate and private key can be downloaded in .p12 format.
    - Provided by user — The CSR is created and provided by the requestor. This method supports the issuance of SSL, Client, Device, and Code-Signing certificates. The issued certificate and private key are not available in .p12 format.
    - Sectigo Security App — The CSR and private key are generated using the Sectigo Security application installed on the requestor’s machine. This method supports the issuance of SSL, Client, and Device certificates. The issued certificate is directly transferred to the Sectigo Security App for installation.
  Automatically approve certificate requests | When selected, certificate requests are automatically approved without needing administrator approval in SCM. This overrides any approval requirements configured in the certificate profile.
  Allow Auto Renew SSL Certificates | When selected, SSL certificates are eligible for automatic renewal configuration during enrollment.
  Allow Empty PKCS12 Password for Compatible TripleDES-SHA1 | When selected, users can leave the password field empty when requesting the certificate. Setting a password is recommended as not all applications support non-password protected certificates.
  Preferred key protection algorithm | The default key protection algorithm selected in the enrollment form for certificates requested through this account. Users can still select a different algorithm when requesting the certificate.
    - No preference — The account is accessible to any user that can authenticate to the enrollment endpoint.
    - Secure AES256-SHA256 — The key protection algorithm is set to AES256-SHA256.
    - Compatible TripleDES-SHA1 — The key protection algorithm is set to TripleDES-SHA1.
  Authorization method | The method used to authorize user access to the account. The options are:
    - None — No authorization is required for the account.
    - Access Code — When Access Code is selected as the authorization method, you provide an access code for the account. Following authentication to the enrollment form, users can enter this access code to access the account.
    - IDP assertions mapping — When IDP assertions mapping is selected as the authorization method, you can click Edit to map IDP assertions that authorize users to access the account automatically when authenticating through their IDP. The following IDP assertions are available for mapping:
      - cn — The user’s full name or common name.
      - displayname — A human-readable display name for the user.
      - entitlement — Information about the user’s access rights or permissions.
      - eppn — A unique identifier for individuals within education and research institutions, often resembling an email address.
      - givenname — The user’s first name.
      - groups — Information about the user’s group memberships or affiliations.
      - mail — The user’s email address.
      - schachomeorganization — The user’s organization identifier.
      - sn — The user’s last name or surname.
      - uid — A unique identifier for the user within an organization or system.
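
The Preferred key protection algorithm and Allow Empty PKCS12 Password for Compatible TripleDES-SHA1 settings above decide how a downloaded .p12 protects its private key. The script below is an added example, not part of the Sectigo documentation: it uses OpenSSL (1.1.1 or later assumed) to report which protection a .p12 carries and whether it opens with an empty password. The mapping of the SCM labels to PKCS#12 algorithm names is an assumption, and every file name and password is constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example, not Sectigo code. Assumed mapping of the SCM labels:
#   AES256-SHA256  = PBES2 with AES-256-CBC and an HMAC-SHA256 PRF
#   TripleDES-SHA1 = pbeWithSHA1And3-KeyTripleDES-CBC

# Print the protection label of the private-key bag in a .p12 ($1), given its password ($2).
p12_key_protection() {
    local info
    info=$(openssl pkcs12 -in "$1" -info -noout -passin "pass:$2" 2>&1) \
        || { echo "unreadable"; return 1; }
    case $(printf '%s\n' "$info" | grep -i 'Shrouded Keybag') in
        *AES-256-CBC*hmacWithSHA256*) echo "AES256-SHA256" ;;
        *3-KeyTripleDES*)             echo "TripleDES-SHA1" ;;
        *)                            echo "unknown" ;;
    esac
}

# Succeed if the .p12 ($1) opens with an empty password.
p12_empty_password() {
    openssl pkcs12 -in "$1" -noout -passin pass: >/dev/null 2>&1
}

# Constructed sample input: one throwaway self-signed certificate, exported three ways.
demo=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=constructed-demo" -days 1 \
    -keyout "$demo/key.pem" -out "$demo/cert.pem" 2>/dev/null
export_p12() {  # args: file name, password, PBE algorithm, MAC digest
    openssl pkcs12 -export -inkey "$demo/key.pem" -in "$demo/cert.pem" \
        -out "$demo/$1" -passout "pass:$2" -keypbe "$3" -certpbe "$3" -macalg "$4"
}
export_p12 secure.p12 'constructed-pass' AES-256-CBC   sha256
export_p12 compat.p12 'constructed-pass' PBE-SHA1-3DES sha1
export_p12 empty.p12  ''                 PBE-SHA1-3DES sha1

# Report each file: protection label and whether a password is set.
for f in secure.p12 compat.p12 empty.p12; do
    if p12_empty_password "$demo/$f"; then pw=''; note='EMPTY PASSWORD'
    else pw='constructed-pass'; note='password set'; fi
    printf '%-11s %-15s %s\n' "$f" "$(p12_key_protection "$demo/$f" "$pw")" "$note"
done
```

Run the two functions against certificates downloaded from an account to confirm that the preferred algorithm was actually applied and that no file was issued without a password.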