Runbook: Issue Certificate

Duration: ~10 minutes
Role: PKI Operator
Prerequisite: Approved CSR

Workflow

flowchart TD A[CSR received] --> B{Validate CSR} B -->|Invalid| C[Reject + Ticket] B -->|Valid| D{Approval?} D -->|No| E[Request approval] D -->|Yes| F[Sign certificate] F --> G{Hybrid mode?} G -->|Yes| H[Add PQ extension] G -->|No| I[Sign classic] H --> J[Deliver] I --> J J --> K[Audit Log] style B fill:#fff3e0 style F fill:#e8f5e9 style H fill:#e3f2fd

Step 1: Receive and Validate CSR

Checklist before signing:

#	Checkpoint	Command	Expected
—	————	———	———-
1	CSR format valid	`openssl req -in request.csr -verify -noout`	`verify OK`
2	Key length	`openssl req -in request.csr -text \\| grep „Public-Key“`	>=2048 bit (RSA), >=256 bit (EC)
3	Subject correct	`openssl req -in request.csr -subject -noout`	According to request
4	SANs complete	`openssl req -in request.csr -text \\| grep -A1 „Subject Alternative“`	All hostnames

# Complete CSR verification
openssl req -in request.csr -text -noout -verify

Step 2: Verify Approval

Certificate Type	Approval by	Documentation
——————	————-	—————
Server (internal)	Automatic / Ticket	Ticket No.
Server (external)	IT Security	E-mail + Ticket
Client	Department head	Form
Code Signing	CISO	Written

Step 3: Sign Certificate

Classic Mode

# Sign server certificate (1 year)
openssl ca -config openssl.cnf \
    -extensions server_cert \
    -in request.csr \
    -out certificate.pem \
    -days 365 \
    -notext
 
# Note serial number
openssl x509 -in certificate.pem -serial -noout

Hybrid Mode (PQ)

// C# with WvdS.System.Security.Cryptography
using var intermediate = new X509Certificate2("intermediate.pfx", "password");
 
var csr = CertificateRequest.LoadSigningRequest(
    File.ReadAllBytes("request.csr"),
    HashAlgorithmName.SHA256);
 
var cert = csr.Create(
    intermediate,
    DateTimeOffset.UtcNow,
    DateTimeOffset.UtcNow.AddDays(365),
    Guid.NewGuid().ToByteArray(),
    CryptoMode.Hybrid);  // PQ extension
 
File.WriteAllText("certificate.pem", cert.ExportCertificatePem());

Step 4: Deliver

Format	Usage	Command
——–	——-	———
PEM	Linux, Apache	`cp certificate.pem /output/`
PFX	Windows, IIS	`openssl pkcs12 -export -in certificate.pem -inkey private.key -out certificate.pfx`
DER	Java	`openssl x509 -in certificate.pem -outform DER -out certificate.der`

# Deliver with chain
cat certificate.pem intermediate.pem > fullchain.pem

Step 5: Documentation

Required fields in ticket/log:

Field	Example
——-	———
Serial number	`01:23:45:67:89:AB:CD:EF`
Subject	`CN=server.example.com`
Valid until	`2025-12-15`
Issued by	`Operator-Name`
Ticket No.	`INC-2024-12345`
Mode	`Hybrid / Classic`

Troubleshooting

Problem	Cause	Solution
———	——-	———-
`unable to load CSR`	Wrong format	`openssl req -inform DER -in request.der -out request.pem`
`signature verify failed`	CSR manipulated	Request new CSR
`wrong issuer`	Wrong CA	Check CA certificate
`certificate request failed`	Configuration error	Check `openssl.cnf`

Related Runbooks

Renew Certificate - For expiring certificates
Revoke Certificate - On compromise
CSR Quick Reference - Code examples

« <- Daily Operations | -> Renew Certificate »

Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional

runbook, certificate, issue, operator