If the contextual menu will display an active Sign Certificate by <aliasForIssuer> option, this means that a CA Issuer was previously selected and you can proceed with the signing operation by selecting the option.

If the contextual menu will display an inactive Sign Certificate by <...> option, this usually means that no CA Issuer was previously selected. In order to use this option you must first select a CA Issuer, using the Select CA Issuer option.

If the contextual menu will display an inactive Sign Certificate by <aliasForIssuer> option, this could also mean that you accessed the contextual menu for the same key pair that was previously selected as CA Issuer. This is a precaution measure to make sure the user will not attempt to sign a generated CSR with the same key pair that generated it.

Generate a CSR for a selected key pair;

Sign the previously generated CSR using another key pair and obtain a CA Reply;

Import the obtained CA Reply in the initial key pair used to generate the CSR.

After you select the Sign Certificate by <aliasForIssuer> option, you will be prompted to enter the password for the private key associated to the selected key pair entry if need be. If the password entered is correct you may proceed to the next step.

After the key pair selected was unlocked, the certificate details from the CSR will be shown in a newly opened dialog requiring to provide a Serial Number and double checking the validity period. Additionally, when signing the CSR, certificate extensions can be added to the certificate.

After the second step was completed and the OK button was pressed, a temporary, internal CA Reply will be created and transparently imported in the selected key pair, thus the target Key Pair will now contain a signed user Certificate and the issuer Certificate as part of the Certificate Chain.