For MDM-SCEP enrollment, you must add the following certificate types to the Security Manager CA: signing, encryption, dual usage (signing and encryption), non-repudiation.

To add MDM-SCEP certificate types to Security Manager

  1. Log in to Security Manager Administration.
  2. Export the certificate specifications to a file by selecting File > Certificate Specifications > Export.
  3. Open the certificate specifications file in a text editor.
  4. Add the following lines to the [Certificate Types] section.

    ; ----------------------------------------------------------------------
    ; Certificate types to be used with MDM for SCEP Enrollments
    ; ----------------------------------------------------------------------
    ent_mdm_scep_sig=enterprise,MDM-SCEP Signing,MDM-SCEP Signing Certificate
    ent_mdm_scep_enc=enterprise,MDM-SCEP Encryption,MDM-SCEP Encryption Certificate
    ent_mdm_scep_sig_enc=enterprise,MDM-SCEP Signing and Encryption,MDM-SCEP Signing and Encryption Certificate
    ent_mdm_scep_nonrep=enterprise,MDM-SCEP Signing and Nonrepudiation,MDM-SCEP Signing and Nonrepudiation Certificate
    ; ----------------------------------------------------------------------
  5. Add the following lines to the [Extension Definitions] section.

    ; ----------------------------------------------------------------------
    ; Certificate definitions to be used with MDM for SCEP Enrollments
    ; ----------------------------------------------------------------------
    [ent_mdm_scep_sig Certificate Definitions]
    1=Verification_p10
    [ent_mdm_scep_sig Verification_p10 Extensions]
    keyusage=2.5.29.15,n,m,BitString,1
    [ent_mdm_scep_sig Advanced]
    noUserInDirectory=1
    [ent_mdm_scep_enc Certificate Definitions]
    1=Encryption_p10
    [ent_mdm_scep_enc Encryption_p10 Extensions]
    keyusage=2.5.29.15,n,m,BitString,001
    [ent_mdm_scep_enc Advanced]
    noUserInDirectory=1
    [ent_mdm_scep_sig_enc Certificate Definitions]
    1=Dual Usage
    [ent_mdm_scep_sig_enc Dual Usage Extensions]
    keyusage=2.5.29.15,n,m,BitString,101
    [ent_mdm_scep_sig_enc Advanced]
    noUserInDirectory=1
    [ent_mdm_scep_nonrep Certificate Definitions]
    1=Nonrepudiation
    [ent_mdm_scep_nonrep Nonrepudiation Extensions]
    keyusage=2.5.29.15,n,m,BitString,11
    [ent_mdm_scep_nonrep Advanced]
    noUserInDirectory=1
    ;-----------------------------------------------------------------------
  6. Save and close the file.
  7. Import the certificate specifications back into Security Manager. In Security Manager Administration, select File > Certificate Specifications > Import.
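
Before importing in step 7, you can check that each `keyusage` bit string pasted in step 5 matches the usage its certificate type name implies. The following is an added example, not Entrust code: it assumes the value lists the KeyUsage bits starting at bit 0 in RFC 5280 order (consistent with the type names above), and the function names and sample text are constructed for illustration.

```python
# Added example, not vendor code. Assumption: bits are listed from bit 0 (RFC 5280).
KEY_USAGE_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment",
                  "dataEncipherment", "keyAgreement", "keyCertSign",
                  "cRLSign", "encipherOnly", "decipherOnly"]
# Intended usages, inferred from the certificate type names on the page.
EXPECTED = {
    "ent_mdm_scep_sig Verification_p10 Extensions": {"digitalSignature"},
    "ent_mdm_scep_enc Encryption_p10 Extensions": {"keyEncipherment"},
    "ent_mdm_scep_sig_enc Dual Usage Extensions": {"digitalSignature", "keyEncipherment"},
    "ent_mdm_scep_nonrep Nonrepudiation Extensions": {"digitalSignature", "nonRepudiation"},
}

def decode_bits(bits):
    """Turn a string such as '101' into the set of KeyUsage names it sets."""
    if not bits or set(bits) - {"0", "1"} or len(bits) > len(KEY_USAGE_BITS):
        raise ValueError(f"not a KeyUsage bit string: {bits!r}")
    return {name for bit, name in zip(bits, KEY_USAGE_BITS) if bit == "1"}

def key_usages(spec_text):
    """Map each section that has a keyusage line to its decoded usages."""
    found, section = {}, None
    for raw in spec_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        key, _, value = line.partition("=")
        fields = [f.strip() for f in value.split(",")]
        if section and key.strip().lower() == "keyusage" and fields[0] == "2.5.29.15":
            found[section] = decode_bits(fields[-1])
    return found

def mismatches(spec_text, expected=EXPECTED):
    """Return expected sections whose keyusage is missing (None) or different."""
    found = key_usages(spec_text)
    return {s: found.get(s) for s, want in expected.items() if found.get(s) != want}

# Constructed sample: two sections from step 5, the second with a typo ("01").
SAMPLE = """\
[ent_mdm_scep_sig Verification_p10 Extensions]
keyusage=2.5.29.15,n,m,BitString,1
[ent_mdm_scep_enc Encryption_p10 Extensions]
keyusage=2.5.29.15,n,m,BitString,01
"""

if __name__ == "__main__":
    print(mismatches(SAMPLE))
```

Pass the text of the edited certificate specifications file to `mismatches()`; an empty result means all four MDM-SCEP definitions carry the expected bits.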