Open the end-entities page.
In the Enrollment tab, open the customized enrollment form.
Fill in the values, and submit the request.
Enter the password to the key database when prompted.
When the correct password is entered, the client generates the key pair.
Do not interrupt the key-generation process. Upon completion of the key generation, the request is submitted to the server to issue the certificate. The server subjects the request to the certificate profile and issues the certificate only if the request meets all the requirements.
When the certificate is issued, install the certificate in the browser.
Verify that the certificate is installed in the browser's certificate database.
If PIN-based directory authentication was configured with PIN removal, re-enroll for another certificate using the same PIN. The request should be rejected.