You can also purchase each Entrust PKIaaS service à la carte instead of Purchasing enterprise bundles.

Orders for PKIaaS generally consist of the following.

PKIaaS CA bundles

Each PKIaaS CA bundle includes:

You should purchase CA bundles based on how many issuing CAs you need. Specifically:

  • PKIaaS only charges for the issuing CAs.
  • An online root CA and a connection to an external root CA are free for each issuing CA purchased.

See Checking your PKIaaS inventory for how to validate and track your inventory using the ECS Enterprise UI.

PKIaaS certificate licenses

PKIaaS certificate licenses are reusable within the terms of your contract.   

  • Each "normal" and "held" certificate requires one certificate license.
    • "normal" means certificates issued but not expired, suspended, or revoked.
    • "held" means a suspended certificate.
  • A revoked or expired certificate returns the license to the certificate license inventory (the inventory refresh might be delayed by up to 30 minutes).

Purchase certificate licenses based on the certificates you want to issue.

  • If you are bulk-renewing certificates (issuing new certificates before existing certificates are revoked or expire), you must purchase 2 times as many certificate licenses.
  • You can also renew the certificates in batches; that way, you only need surplus license inventory to issue new certificates while the existing certificates are still active.

OCSP (optional & recommended)

If you want to use OCSP as your VA (Validation Authority) method, you must purchase the OCSP service for each CA that needs OCSP enabled. The per-CA price of the OCSP service is based on the volume of certificates you purchased: a higher volume of certificates means a higher price, because the cost of OCSP (queries and responses) is directly affected by the number of certificates.

In many use cases, OCSP is not required or recommended; PKIaaS offers free CRL for each PKIaaS CA.

Enrollment service bundles (optional for on-prem Enrollment Gateway)

You can automate the following enrollment mechanisms using the Certificate Enrollment Gateway (CEG) software, which must be deployed on your premises.

  • ACME (Private SSL/TLS)
  • SCEP

For these services, you get:

For example, each PKIaaS WSTEP Enrollment Service Bundle includes:

  • The TrustedCare access to download the Certificate Enrollment Gateway software as described in Activating Entrust TrustedCare (optional).
  • A license to activate the WSTEP protocol on the Certificate Enrollment Gateway software.

WSTEP, Intune, and MDM enrollment automation can be done directly on the ECS enterprise portal using the Entrust Hosted Enrollment Gateway, free of charge. Buy the on-premises Certificate Enrollment Gateway only for use cases that the Entrust-hosted solution does not support yet, such as SCEP and ACME.