PKIaaS capabilities for certificate issuance include the following.
Certificate profiles
PKIaaS certificate issuance always takes place in the context of a certificate profile. Profiles are defined within the PKIaaS service and are referenced by name in the certificate issuance request. As described in Subscriber certificate profiles, Entrust tunes the profiles to specific use cases and to each of the issuance interfaces:
- ECS Enterprise UI
- CA Gateway API
- On-premises Certificate Enrollment Gateway (CEG)
Subscriber key algorithms
PKIaaS supports RSA and EC (elliptic curve) subscriber keys and is validated to sign certificates whose public key uses one of the following algorithms and sizes:
- ECDSA P-256
- ECDSA P-384
- ECDSA P-521
- RSA 2048
- RSA 3072
- RSA 4096
Validity period
The certificate validity period cannot extend beyond the expiry date of the issuing CA. If the request does not specify a validity period, it defaults to 3 years.
Enrollment by CSR
All certificate issuance requests are submitted as a Certificate Signing Request (CSR). The calling application is responsible for generating the key pair, so the private key is created and held by the caller rather than by PKIaaS.
Subject Alt Names
Subject Alt Names (SANs) are supplied in the request, separately from the CSR: API requests to PKIaaS carry them in the "subjectAltNames" request field.
Some third-party services, such as Venafi, require SANs for TLS server certificates to be supplied automatically from the common name. For this purpose, PKIaaS offers two certificate profiles under Private SSL (ACMEv2) certificate profiles:
- privatessl-tls-client-server-supply-san
- privatessl-tls-server-supply-san
Extensions
Certificate extensions are also supplied in the request, separately from the CSR, using the following API field:
optionalCertificateRequestDetails.extensions
Proof of possession
The proof of possession (POP) check validates that the caller holds the private key corresponding to the public key in the CSR: the CSR's signature is verified with that public key. The POP check is always performed as part of certificate request validation.
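The following Go program is an example added here; it is not code from Entrust or from the PKIaaS service. It walks through the behaviour described in the Subscriber key algorithms, Validity period, Enrollment by CSR, Subject Alt Names and Proof of possession sections above: the caller generates an ECDSA P-256 key pair and signs a PKCS#10 CSR with it, and a service-side routine then verifies the CSR's self-signature (the POP check), enforces the key allow-list, applies the 3-year default and the issuing-CA expiry bound, and fills the SAN list from the CN for the two supply-san profiles. The function names, the choice to reject rather than shorten a validity period that runs past the CA expiry, and the reading that a supply-san profile fills an empty SAN list from the CN are assumptions made for this example; the CSR it checks is constructed by the program itself, so it runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"time"
)

// NewCSR runs on the caller's side: it generates the subscriber key pair and
// signs a PKCS#10 CSR with it. The private key never leaves the caller; only
// the PEM CSR goes into the issuance request.
func NewCSR(cn string) (*ecdsa.PrivateKey, string, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, "", err
	}
	der, err := x509.CreateCertificateRequest(rand.Reader,
		&x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}}, key)
	if err != nil {
		return nil, "", err
	}
	return key, pemCSR(der), nil
}

func pemCSR(der []byte) string {
	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}))
}

// CheckKeyAlgorithm enforces the subscriber key allow-list listed on this page.
func CheckKeyAlgorithm(pub any) error {
	switch k := pub.(type) {
	case *ecdsa.PublicKey:
		if k.Curve == elliptic.P256() || k.Curve == elliptic.P384() || k.Curve == elliptic.P521() {
			return nil
		}
	case *rsa.PublicKey:
		if n := k.N.BitLen(); n == 2048 || n == 3072 || n == 4096 {
			return nil
		}
	}
	return fmt.Errorf("subscriber key %T is not in the supported set", pub)
}

// ValidityEnd applies the validity rules: 3 years when the request gives none,
// and never beyond the issuing CA's expiry. Rejecting (rather than shortening)
// an over-long request is an assumption; the page only says it cannot go beyond.
func ValidityEnd(notBefore, caNotAfter time.Time, years int) (time.Time, error) {
	if years == 0 {
		years = 3
	}
	end := notBefore.AddDate(years, 0, 0)
	if end.After(caNotAfter) {
		return time.Time{}, fmt.Errorf("%d-year validity ends after the issuing CA expires", years)
	}
	return end, nil
}

// ValidateRequest is the service-side view of the checks this page describes.
// years == 0 means the request did not specify a validity period. It returns
// the certificate's notAfter and the SAN list that would be placed in it.
func ValidateRequest(profile, csrPEM string, sans []string, years int, caNotAfter time.Time) (time.Time, []string, error) {
	block, _ := pem.Decode([]byte(csrPEM))
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return time.Time{}, nil, fmt.Errorf("request does not carry a PEM CSR")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return time.Time{}, nil, err
	}
	// Proof of possession: the CSR's self-signature must verify under the public
	// key it carries, so only the holder of the private key can have produced it.
	if err := csr.CheckSignature(); err != nil {
		return time.Time{}, nil, fmt.Errorf("proof of possession failed: %w", err)
	}
	if err := CheckKeyAlgorithm(csr.PublicKey); err != nil {
		return time.Time{}, nil, err
	}
	end, err := ValidityEnd(time.Now(), caNotAfter, years)
	if err != nil {
		return time.Time{}, nil, err
	}
	// SANs are a request field, separate from the CSR. For the two supply-san
	// profiles an empty list is filled from the CN (that reading is an assumption).
	if len(sans) == 0 && (profile == "privatessl-tls-server-supply-san" ||
		profile == "privatessl-tls-client-server-supply-san") {
		sans = []string{csr.Subject.CommonName}
	}
	return end, sans, nil
}

// CorruptSignature flips one signature byte, giving a CSR that was not signed
// by the holder of its key: exactly what the POP check must reject.
func CorruptSignature(csrPEM string) string {
	block, _ := pem.Decode([]byte(csrPEM))
	der := append([]byte(nil), block.Bytes...)
	der[len(der)-1] ^= 0x01 // signatureValue is the last element of the CSR DER
	return pemCSR(der)
}
```

Call NewCSR on the client to obtain the CSR, then ValidateRequest with the profile name, the CSR and the request-level SAN list; a CSR passed through CorruptSignature, an RSA 1024 or P-224 key, or a validity period that outlives the CA all come back as errors, while an unspecified period yields a notAfter three years out.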