CA Gateway is a lightweight, container-based module implementing a CA-agnostic Certificate Lifecycle and Policy Management API. Using CA Gateway, your applications can provide certificate issuance, renewal, and revocation actions across different Certification Authorities (CAs). CA Gateway provides policy retrieval capabilities so applications can customize API and user-facing dialogs to ensure that certificate actions conform to organizational policies.

See below for a description of each component.

CA-specific plugins communicate with the underlying CAs through mutually authenticated TLS.

Client

Each client is an authorized end entity of the CA Gateway API and is mapped either to a tenant or an integrator.

  • Clients mapped to an integrator can access many Managed CAs.
  • Clients mapped to a tenant can access only that tenant's Managed CA.

Thus, each CA Gateway client can access one or several CAs.

The CA Gateway API is regularly updated to add functionalities. Therefore, client applications:

  • Should tolerate and ignore new fields.
  • Should be recompiled against the new data model of each CA Gateway release. 

Integrator

Each integrator is an access controller for one or more tenants.

Tenant

Each tenant is an access controller for a Managed CA. Thus, each tenant:

  • Has only one integrator.
  • Controls access to a different CA.

Managed CA

Each managed CA is a collection of information that CA Gateway uses to connect to a CA. For example:

  • Microsoft Active Directory Certificate Services.
  • AWS Certificate Manager Private Certificate Authority.
  • Entrust CA (Entrust Authority Security Manager, Entrust mPKI).