Entrust provides a gateway, named Entrust CA Gateway, that exposes its REST APIs to client applications. To configure it as an External CA, select the Entrust CA Gateway option from the CA Type drop-down. The following options are shown:



The items are described in this table:


Items

Description

CA Alias

A user-defined descriptive name that makes it easier for ADSS Server users to manage multiple certificate authorities. The name must be unique.

CA Type

ADSS Server can be configured to request certificates from the Entrust CA Gateway. All requests received by the corresponding ADSS Certification Service are forwarded to the defined External CA for processing. The supported request types are:

  • CREATE
  • RENEW
  • REVOKE
    Revocation reasons can include: 
    • unSpecified
    • keyCompromise
    • affiliationChanged
    • superseded
    • cessationOfOperation
    • certificateHold
  • REINSTATE

CA Certificate

All CA certificates configured in Trust Manager with the purpose CA (used to verify other certificates and CRLs) are available in this drop-down list.

Select the target Entrust CA Gateway certificate. 

Note: The complete certificate chain of the Entrust CA must be registered in Trust Manager.

CA Address

Specify the URL at which this CA listens for certificate request messages.

TLS Client Certificate

Required for communication with the CA when the Entrust CA Gateway requires TLS client authentication. Select the TLS client authentication certificate that already exists in Key Manager.

Note: The issuer CA of the TLS client authentication certificate must be registered in Trust Manager with the purpose CA so that TLS client certificates can be verified.

CA ID

Specify the CA ID used by the Entrust CA Gateway to generate the certificate.

Profile ID

Specify the Profile ID used to issue certificates from the Entrust CA Gateway.


Known Limitations of Entrust CA Gateway

The following known limitations of the Entrust CA Gateway must be taken into account:

  • When revoking or reinstating a certificate, the 'title' attribute must not be passed in the RDN.
  • When creating a new certificate, the 'uniqueIdentifier' attribute in the RDN is not supported by the Entrust CA Gateway.
  • The Entrust CA Gateway does not accept an otherName attribute in the Subject Alternative Name (SAN) unless the required value is passed inside the SEQUENCE object structure.
  • When sending a request to the Entrust CA Gateway, the 'title' and 'Email' attribute names must be replaced with 'T' and 'E' in a directoryName inside the SAN.

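The limitations above can be enforced before a request leaves for the gateway. The following pre-flight check is an added example and is not ADSS Server or Entrust code; the CertRequest structure, field names and the sample values are assumptions. It renames directoryName attributes, rejects the RDN attributes the gateway does not accept for a given request type, checks that an otherName carries its value inside a SEQUENCE-like structure, and validates the revocation reason against the list given above.

```python
"""Pre-flight checks for certificate requests bound for an Entrust CA Gateway."""
from __future__ import annotations
from dataclasses import dataclass, field

# Request types and revocation reasons listed on the page.
REQUEST_TYPES = {"CREATE", "RENEW", "REVOKE", "REINSTATE"}
REVOCATION_REASONS = {"unSpecified", "keyCompromise", "affiliationChanged",
                      "superseded", "cessationOfOperation", "certificateHold"}
# Attribute-name substitutions required inside a SAN directoryName.
DIRECTORY_NAME_RENAMES = {"title": "T", "Email": "E"}


@dataclass
class CertRequest:                       # assumed request model, not ADSS Server's
    request_type: str                    # CREATE, RENEW, REVOKE or REINSTATE
    rdn: dict[str, str]                  # subject RDN attributes, e.g. {"CN": "alice"}
    san: list[tuple[str, object]] = field(default_factory=list)  # (GeneralName type, value)
    reason: str | None = None            # revocation reason, REVOKE only


def prepare_for_entrust_gateway(req: CertRequest) -> tuple[CertRequest, list[str]]:
    """Return an adjusted copy of the request plus a list of problems that
    cannot be fixed automatically. An empty list means the request may be sent."""
    problems: list[str] = []
    rtype = req.request_type.upper()
    if rtype not in REQUEST_TYPES:
        problems.append(f"unsupported request type {req.request_type!r}")
    rdn = dict(req.rdn)
    # 'title' must not be passed in the RDN when revoking or reinstating.
    if rtype in {"REVOKE", "REINSTATE"} and "title" in rdn:
        problems.append("RDN attribute 'title' is not allowed for REVOKE/REINSTATE")
    # 'uniqueIdentifier' in the RDN is not supported when creating a certificate.
    if rtype == "CREATE" and "uniqueIdentifier" in rdn:
        problems.append("RDN attribute 'uniqueIdentifier' is not supported for CREATE")
    if rtype == "REVOKE" and req.reason not in REVOCATION_REASONS:
        problems.append(f"unsupported revocation reason {req.reason!r}")
    san: list[tuple[str, object]] = []
    for gn_type, value in req.san:
        if gn_type == "directoryName" and isinstance(value, dict):
            # Rename title -> T and Email -> E inside the directoryName.
            value = {DIRECTORY_NAME_RENAMES.get(k, k): v for k, v in value.items()}
        elif gn_type == "otherName":
            # The otherName value must sit inside a SEQUENCE { type-id, value }.
            if not (isinstance(value, dict) and {"type-id", "value"}.issubset(value)):
                problems.append("otherName value must be inside a SEQUENCE {type-id, value}")
        san.append((gn_type, value))
    return CertRequest(rtype, rdn, san, req.reason), problems
```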

See also

  • ADSS CA Server
  • Microsoft CA
  • Symantec MPKI
  • GlobalSign EPKI
  • GlobalSign HVCI
  • EJBCA
  • QuoVadis CA
  • Entrust CA
  • Entrust CA Gateway
  • Offline External CA
  • DigiCert PKI
  • DigiCert ONE MPKI
  • Microsoft Active Directory Certificate Services