Create a new certificate.

Note: The Certificate Signing Request (CSR) parameter is required in most cases, read its description for more details.

Parameters

ParameterDescription
Certificate EmailThe email address to include in the certificate. Applicable to S/MIME and Document Signing only.

Document Signing:
* Required field.
* Email must match a verified Signer User.

S/MIME Certificates:
* Email address must be included in the Distinguished Name (DN).
Certificate Expiry DateThe date when the certificate should expire. This value is ignored when Certificate Lifetime parameter is specified.

Note: This parameter is required for subscription license certificates.
Certificate LifetimeThe lifetime of the certificate specified as an ISO 8601 duration.

For example:
* P1Y (1 year)
* P2Y (2 years)
Certificate Signing Request (CSR)The certificate signing request in PEM format, base-64 encoded with or without BEGIN/END labels.

A CSR is required for most certificates, unless specified otherwise.

Exceptions include:
* Document Signing - CSR not needed for CDS_INDIVIDUAL and CDS_GROUP.
* S/MIME certificates - Either CSR or password are required.
* Mark certificates - CSR is optional.
* Duplicate certificates - CSR is required, and CN must match original certificate.
Certificate Transparency LogSelect to submit the certificate to Certificate Transparency logs for a better monitoring.

When un-checked but account is set to “always log”, the certificate generation will fail.

Note: Logging is not available for private SSL and SSL client certificates.
Certificate TypeThe type of certificate to issue.
Client IDThe client identifier.

When omitted:
* If Organization parameter is provided - primary client is used (value of 1).
* If Organization parameter is not provided - system attempts to match organization from CSR to an approved client.
Common Name (CN)The common name for the certificate. Applicable to S/MIME and Document Signing Individual certificates only.

Document Signing Individual certificates:
* Required field.
* CN must be “firstname lastname” of a verified signer.

S/MIME certificates:
* CN must be either full legal name or email address.
End User Key Storage AgreementSelect to inform the end user of the requirement to store the private key on cryptographically secure hardware to be compliant with the Entrust CSP and Subscription agreement.

Note: This parameter is applicable to Code Signing certificates only.
Extended Key UsageThe extended key usage for the certificate.

Note: This parameter is applicable to all SSL certificate types.
Given NameThe given name (first name) of the certificate subject.

Note: This parameter is applicable to S/MIME certificates only.
OrganizationThe organization name for the certificate.

When provided, this value is used in the certificate, overriding any organization in CSR.

Exception for Private Dedicated SSL (PD_SSL):
* When omitted, organization from CSR is used (if available).
* If CSR has no specified organization, client organization is used.

Important Restrictions:
* For most certificate types - this parameter only valid with Client ID of 1 (primary client).
* For PD_SSL certificates - this parameter can be used with any Client ID.
* For S/MIME certificates - additional organizations under the primary client cannot be used in this parameter.
Organizational UnitThe organizational unit (OU) of the certification.

OUs are not supported with the following certification types:
* Public SSL/TLS certificates.
* Verified Mark certificates (VMC).
* S/MIME Enterprise certificates.

For new certificates the Organizational Unit parameter overrides the CSR value.
PasswordThe certificate pickup password.

Must be at least 8 characters long and include at least one uppercase letter, one lowercase letter, one numeric character, and one special character (!@#$%^&*()).
Queue For ApprovalSelect to queue the certificate for approval instead of issuing immediately.

Note: This parameter is applicable to SSL and Document Signing certificates only.
Signing AlgorithmThe algorithm used to sign the certificate.

Note: Only SHA-2 is supported.
Subject Alternative Name (SAN)A comma-separated list of subject alternative name identifiers (SANs) to include in the certificate. This parameter applies only to SSL and VMC certificates.

SSL certificates:
* When CSR contains neither CN nor SANs, at least one domain must be specified in the SAN parameter.

VMC certificates:
* This parameter is required and must include at least one domain name.
* CN and SAN entries in the CSR are disregarded.

Certificate renewal/reissue:
* For subscription-based SSL/VMC certificates, domains present in the original certificate cannot be removed during renewal.
SurnameThe surname of the certificate subject.

Note: This parameter is applicable to S/MIME certificates only.
User Principal Name (UPN)User Principal Name for the certificate subject.

Note: This parameter is applicable to SMIME_ENT certificate only. If specified, the value must be a valid email address and its domain must be the approved domain for that client.
Validate OnlySelect to only validate the request without actually issuing the certificate.

Example Output

{
	"trackingId": 0,
	"endEntityCert": "string",
	"chainCerts": [
		"string"
	],
	"serialNumber": "string",
	"expiresAfter": "2025-04-07T07:26:17.155Z",
	"pickupUrl": "https://www.entrust.net/ssl/certpickup.cfm?id=5555555-0C227220-A9C9-46A9-95B7-E412C4264F5F",
	"pkcs12": "string",
	"vmcHostingDetails": [
		{
			"domain": "example.com",
			"certificateUrl": "https://bimi.entrust.net/example.com/certificatechain.pem",
			"logoUrl": "https://bimi.entrust.net/example.com/logo.svg"
		}
	]
}

Workflow Library Example

Create Certificate with Entrust Certificate Services and Send Results Via Email

Preview this Workflow on desktop