Certificate request tokens

Certificate request tokens provide a secure, time-limited mechanism for generating client certificates without requiring direct API access. They act as pre-authorized tokens that carry certificate metadata and can be exchanged for actual client certificates. A certificate request token is a one-time token: once it has been used, it cannot be reused.

Certificate request tokens enable you to generate client certificates through a token-based workflow that simplifies certificate distribution and management. The administrator can pre-configure certificate metadata such as Common Name, Organization, and Organizational Unit, which can be updated later if needed. This approach allows you to delegate certificate creation to systems or users without requiring full API access, making it ideal for scenarios where direct API credentials cannot or should not be shared.

How it works

The Certificate Request Token workflow follows these steps:

  1. Create Token: An administrator creates a Certificate Request Token with predefined certificate metadata
  2. Distribute Token: The token string is securely shared with the system or user needing a certificate
  3. Redeem Token: The token is used to generate an actual client certificate by uploading a Certificate Signing Request (CSR)
  4. Certificate Created: A client certificate is created with the metadata from the token

Token properties

Each Certificate Request Token contains both required and optional certificate metadata that will be applied to the generated client certificate.

Name is the only required field; it becomes the name of the resulting client certificate. This name helps you identify and manage certificates within your Frontdoor account.

Common Name (CN) serves as the recommended subject Common Name for the certificate.

Organization (O) populates the Organization field of the certificate subject.

Organizational Unit (OU) populates the Organizational Unit field of the certificate subject, for additional organizational context.

While these fields are optional, providing them ensures consistency and proper certificate identification within your organization's PKI structure. The end user can update the optional fields when redeeming the token.
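To make the one-time, time-limited semantics of the workflow above and the field rules in this section concrete, here is an added Python model (not the vendor's code or API) of the checks a redemption endpoint performs: the required Name is fixed at creation, the optional CN/O/OU may be overridden by the redeemer, and a token is refused once used or expired. The `TokenStore` class, the `try_redeem` helper, the hashed storage and the 24-hour default lifetime are assumptions for illustration; the CSR is only checked for PEM framing, not parsed.

```python
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

OPTIONAL_FIELDS = ("common_name", "organization", "organizational_unit")  # CN, O, OU: changeable at redemption

@dataclass
class RequestToken:
    name: str                 # required; becomes the client certificate's name and cannot be changed
    expires_at: datetime      # tokens are time-limited
    metadata: dict            # optional CN/O/OU pre-filled by the administrator
    used: bool = False        # tokens are one-time

class TokenStore:  # hypothetical server-side store; keyed by a hash so raw token strings are never persisted
    def __init__(self):
        self._tokens = {}

    def create(self, name, ttl_hours=24, **metadata):
        unknown = set(metadata) - set(OPTIONAL_FIELDS)
        if not name or unknown:
            raise ValueError(f"name is required; unknown fields: {sorted(unknown)}")
        secret = secrets.token_urlsafe(32)          # the string distributed to the redeemer
        expires = datetime.now(timezone.utc) + timedelta(hours=ttl_hours)
        self._tokens[hashlib.sha256(secret.encode()).hexdigest()] = RequestToken(name, expires, metadata)
        return secret

    def redeem(self, presented, csr_pem, **overrides):
        tok = self._tokens.get(hashlib.sha256(presented.encode()).hexdigest())
        if tok is None:
            raise PermissionError("unknown token")
        if tok.used:
            raise PermissionError("token already redeemed")
        if datetime.now(timezone.utc) >= tok.expires_at:
            raise PermissionError("token expired")
        if not csr_pem.lstrip().startswith("-----BEGIN CERTIFICATE REQUEST-----"):
            raise ValueError("redemption requires a PEM-encoded CSR")
        if set(overrides) - set(OPTIONAL_FIELDS):
            raise ValueError("only CN/O/OU may be changed at redemption; the name is fixed")
        tok.used = True                               # burn before issuing so a retry cannot double-issue
        subject = {**tok.metadata, **overrides}       # the redeemer's values win for optional fields
        return {"name": tok.name, "subject": subject, "csr": csr_pem}

def try_redeem(store, presented, csr_pem, **overrides):  # returns the issued record or the refusal reason
    try:
        return store.redeem(presented, csr_pem, **overrides)
    except (PermissionError, ValueError) as exc:
        return str(exc)
```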

Best practices

Token creation

Effective token creation starts with clear, descriptive names that indicate the client certificate's purpose and intended end user. Pre-fill certificate metadata whenever possible to ensure consistency across your certificate infrastructure and reduce the chance of errors during redemption. Always document what each token is for, including its purpose, intended recipient, and expected usage timeline, for future reference and auditing.

More info