If you will use Entrust Authority Security Manager to generate the timestamping certificate and key pair, you may need to create a new certificate type. Otherwise, you can skip this section.
To issue the Timestamping Authority certificate with Entrust Authority Security Manager, you may need to create a new certificate type. In the latest Entrust Authority Security Manager 10.0.x releases, a Time-Stamp Authority (TimeStamp_1K) certificate type may already be predefined in the certificate specifications. This certificate type includes the proper certificate extensions for signing timestamp responses.
The following procedures describe how to create the Time-Stamp Authority (TimeStamp_1K) certificate type if it does not already exist.
To add the Time-Stamp Authority certificate type to Entrust Authority Security Manager
- Log in to Entrust Authority Security Manager Administration.
- Select File > Certificate Specifications > Export and export the certificate specifications.
- Open the certificate specifications file in a text editor.
- Add the following line to the [Certificate Types] section:

TimeStamp_1k=enterprise,Time-Stamp Authority,Time-Stamp Authority certificate -no directory entry

- Add the following lines to the [Extension Definitions] section:

;----------------------------------------------------------------------
;- Cert Type: TimeStamp_1k
;- This cert type needs to be mapped to cert def policy enforcing:
; - Certificate lifetime:
; - Exclude privateKeyUsagePeriod: 1
; - Exclude basicConstraints: 1
; - Exclude entrustVersInfo: 1
;----------------------------------------------------------------------
[TimeStamp_1k Certificate Definitions]
1=Verification
;
[TimeStamp_1k Verification Extensions]
;Key Usage: Digital Signature
keyusage=2.5.29.15,n,m,BitString,1
;Extended Key Usage: Time Stamping (id-kp-timeStamping)
extkeyusage=2.5.29.37,c,o,SeqOfObjectIdentifier,1.3.6.1.5.5.7.3.8
; Certificate Policies: DER encode the <Policy-OID>
; Policy-OID=<Policy-OID> - This OID is optional, the customer might not have a policy OID.
;certificatepolicies=2.5.29.32,n,o,DER,<DER encoded value of the above OID>
; AuthorityInfo Access:
; - OCSP server URL: <OCSP-HTTP-URL>
; - Issuing CA certificate URL: <CA-Cert-HTTP-URL>
;aia=1.3.6.1.5.5.7.1.1,n,m,DER,<DER encoded value of the above two URLs>
;

- (Optional.) You can add a certificatePolicies extension to the certificate type.

  The certificatePolicies extension contains policy information, such as how your CA operates and the intended purpose of the issued certificate. Typically, different certificate policies relate to different applications that may use the certified key. The extension contains a sequence of one or more policy information terms, each consisting of an object identifier (OID) and optional qualifiers. In an end-entity certificate, the policy information terms indicate the policy under which the certificate was issued and the purposes for which the certificate may be used. To add a certificatePolicies extension to the certificate type:

  - DER-encode a list of one or more policy OIDs. Entrust provides an entDerEncoder utility for Security Manager that you can use to DER-encode data for certificate extensions. For instructions about using the entDerEncoder utility, see the Security Manager documentation.
  - Uncomment the certificatepolicies= entry and replace <DER encoded value of the above OID> with the DER-encoded value you obtained in the previous step.

- (Optional.) You can add an authorityInformationAccess extension to the certificate type.

  The Authority Information Access (AIA) certificate extension indicates how to access information and services for the CA that issued the certificate, such as online validation services (the OCSP server URL) and CA policy data (the issuing CA certificate URL), as listed in the comment above the aia= entry. To add an authorityInformationAccess extension to the certificate type:

  - DER-encode the HTTP URL of the CA certificate. Entrust provides an entDerEncoder utility for Security Manager that you can use to DER-encode data for certificate extensions. For instructions about using the entDerEncoder utility, see the Security Manager documentation.
  - Uncomment the aia= entry and replace <DER encoded value of the above two URLs> with the DER-encoded value you obtained in the previous step.

- Add the following lines to the [Advanced Settings] section:

[TimeStamp_1k Advanced]
noBasicConstraints=1
noPrivateKeyUsage=1
noEntrustVersInfo=1
cdpLdapDnLast=1
noUserInDirectory=1
;noCRLDistPoints=1

- Save and close the file.
- Select File > Certificate Specifications > Import and import the certificate specifications back into Entrust Authority Security Manager.