You can also purchase each Entrust PKIaaS service à la carte instead of Purchasing enterprise bundles.
Orders for PKIaaS generally consist of the following.
PKIaaS CA bundles
Each PKIaaS CA bundle includes:
- A root CA license
- An issuing CA license
- An external root CA license for Adding an issuing CA under an external root CA.
- A CRL instance for each CA
- All the pre-configured Subscriber certificate profiles.
- Entrust-hosted Enrollment Gateway for WSTEP, Intune, MDM,
You should purchase CA bundles based on how many issuing CAs you need. Specifically:
- PKIaaS only charges for the issuing CAs.
- An online root CA and a connection to an external root CA are free for each issuing CA purchased.
See Checking your PKIaaS inventory for how to validate and track your inventory using the ECS Enterprise UI.
PKIaaS certificate licenses
PKIaaS certificate licenses are reusable within the terms of your contract.
- Each "normal" and "held" certificate requires one certificate license.
  - "normal" means certificates issued but not expired, suspended, or revoked.
  - "held" means a suspended certificate.
- A revoked or expired certificate returns the license to the certificate license inventory (the inventory refresh might be delayed by up to 30 minutes).
Purchase certificate licenses based on the certificates you want to issue.
- If you are bulk-renewing certificates (issuing new certificates before existing certificates are revoked or expire), you must purchase 2 times as many certificate licenses.
- You can also renew the certificates by batch; that way, you only need surplus license inventory to issue new certificates while the existing certificates are still active.
OCSP (optional & recommended)
If you want to use OCSP as your VA (Validation Authority) method, you must purchase the OCSP service for each CA that needs OCSP enabled. The pricing of the OCSP per CA is based on the volume of the certificates you purchased. A higher volume of certificates translates to a higher price for the OCSP service because the cost of the OCSP (queries and responses) is directly impacted by the number of certificates.
In many use cases, OCSP is not required or recommended; PKIaaS offers free CRL for each PKIaaS CA.
Enrollment service bundles (optional for on-prem Enrollment Gateway)
You can automate the following enrollment mechanisms when using the Certificate Enrollment Gateway (CEG) software, which must be deployed on your premises.
- ACME (Private SSL/TLS)
- SCEP
For these services, you get:
- Access to https://trustedcare.entrust.com for downloading the Entrust Certificate Enrollment Gateway software.
- An enrollment service license per issuing CA to activate a use case on Entrust Certificate Enrollment Gateway. See Automating enrollment with an on-premises Enrollment Gateway for details.
For example, each PKIaaS WSTEP Enrollment Service Bundle includes:
- The TrustedCare access to download the Certificate Enrollment Gateway software as described in Activating Entrust TrustedCare (optional).
- A license to activate the WSTEP protocol on the Certificate Enrollment Gateway software