Cryptographic Security Platform 1.2 - Installation and administration guide [PDF][Releases]

For CMPv2 enrollment, you must add the following certificate types to the on-premises CA for CMPv2 enrollment:

signing
encryption
dual usage (signing and encryption)
non-repudiation.

To add CMPv2 certificate types to the on-premises CA

Log in to Entrust Certificate Authority Administration.
Export the certificate specifications to a file by selecting File > Certificate Specifications > Export.
Open the certificate specifications file in a text editor.
Add the following lines to the [Certificate Types] section.

; ----------------------------------------------------------------------

; Certificate types to be used with CMPv2

; ----------------------------------------------------------------------

ent_cmpv2_sig=enterprise,CMPv2 Signing,CMPv2 Signing Certificate

ent_cmpv2_enc=enterprise,CMPv2 Encryption,CMPv2 Encryption Certificate

ent_cmpv2_sig_enc=enterprise,CMPv2 Signing and Encryption,CMPv2 Signing and Encryption Certificate

ent_cmpv2_sig_nonrep=enterprise,CMPv2 Signing and Nonrepudiation,CMPv2 Signing and Nonrepudiation Certificate

; ----------------------------------------------------------------------
Add the following lines to the [Extension Definitions] section.

; ----------------------------------------------------------------------

; Certificate definitions to be used with CMPv2

; ----------------------------------------------------------------------

[ent_cmpv2_sig Certificate Definitions]

1=Verification_p10

[ent_cmpv2_sig Verification_p10 Extensions]

keyusage=2.5.29.15,n,m,BitString,1

[ent_cmpv2_sig Advanced]

noUserInDirectory=1

[ent_cmpv2_enc Certificate Definitions]

1=Encryption_p10

[ent_cmpv2_enc Encryption_p10 Extensions]

keyusage=2.5.29.15,n,m,BitString,001

[ent_cmpv2_enc Advanced]

noUserInDirectory=1

[ent_cmpv2_sig_enc Certificate Definitions]

1=Dual Usage

[ent_cmpv2_sig_enc Dual Usage Extensions]

keyusage=2.5.29.15,n,m,BitString,101

[ent_cmpv2_sig_enc Advanced]

noUserInDirectory=1

[ent_cmpv2_sig_nonrep Certificate Definitions]

1=Nonrepudiation

[ent_cmpv2_sig_nonrep Nonrepudiation Extensions]

keyusage=2.5.29.15,n,m,BitString,11

[ent_cmpv2_sig_nonrep Advanced]

noUserInDirectory=1

; ----------------------------------------------------------------------
Save and close the file.
Import the certificate specifications back into the CA. In Entrust Certificate Authority Administration, select File > Certificate Specifications > Import.