In Entrust CA Gateway, you must create profiles for each Managed CA that will issue certificates for MDM Web Service enrollment (PKCS #12 enrollment over the MDMWS protocol). Each profile must issue one of the MDMWS P12 certificate types you added earlier to Security Manager.
When adding these profiles to CA Gateway:
- The `subject_builder_config` field is not supported.
- The `subject-variable-requirements` field is not supported.
- The values of the `cert_type` (certificate type) and `cert_definition` (certificate definition) parameters must match the values specified in Security Manager.
- The value of `user_role` must match a role that allows PKCS #12 export. You may have created a role that allows PKCS #12 export named End User P12.
- The value of the `create_ldap_entry` parameter must be `false`.
The following example shows multiple Managed CA profiles configured in CA Gateway for MDMWS P12 enrollment, one profile for each MDMWS P12 certificate type you created earlier in Security Manager.
```yaml
- name: "MDM-P12 Verification"
  unique_id: ent_mdm_p12_sig
  properties:
    cert_type: ent_mdm_p12_sig
    cert_definition: Verification
    user_role: End User P12
    user_type: Web Server
    create_ldap_entry: false
- name: "MDM-P12 Encryption"
  unique_id: ent_mdm_p12_enc
  properties:
    cert_type: ent_mdm_p12_enc
    cert_definition: Encryption
    user_role: End User P12
    user_type: Web Server
    create_ldap_entry: false
- name: "MDM-P12 Dual Usage"
  unique_id: ent_mdm_p12_sig_enc
  properties:
    cert_type: ent_mdm_p12_sig_enc
    cert_definition: Dual Usage
    user_role: End User P12
    user_type: Web Server
    create_ldap_entry: false
- name: "MDM-P12 Nonrepudiation"
  unique_id: ent_mdm_p12_nonrep
  properties:
    cert_type: ent_mdm_p12_nonrep
    cert_definition: Nonrepudiation
    user_role: End User P12
    user_type: Web Server
    create_ldap_entry: false
```
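The constraints listed above (no unsupported fields, certificate type and definition matching Security Manager, a PKCS #12-export role, and `create_ldap_entry` set to `false`) are easy to get wrong when profiles are copied by hand. The following is an added example, not Entrust's code and not part of CA Gateway: a small Python lint that checks profiles after they have been loaded from the YAML into Python dicts. The function names, the `SM_CERT_TYPES` mapping and the `P12_ROLES` set are assumptions for the example; the four good profiles are the ones shown above, and the bad profile is constructed to show what the checks catch.

```python
"""Lint CA Gateway Managed CA profiles intended for MDMWS PKCS #12 enrollment.

Assumptions (hypothetical, not part of Entrust's product): the profiles have
already been loaded from the CA Gateway YAML into a list of dicts (for
example with a YAML library), and the caller supplies the certificate
types configured in Security Manager plus the roles that allow PKCS #12
export as plain Python data.
"""

# Fields the page says CA Gateway does not support for these profiles.
UNSUPPORTED_FIELDS = ("subject_builder_config", "subject-variable-requirements")
# Properties every MDMWS P12 profile in the example carries.
REQUIRED_PROPERTIES = ("cert_type", "cert_definition", "user_role",
                       "user_type", "create_ldap_entry")


def lint_profile(profile, sm_cert_types, p12_roles):
    """Return the list of problems found in one profile (empty list means OK).

    sm_cert_types: {cert_type: cert_definition} as configured in Security Manager.
    p12_roles: set of role names that allow PKCS #12 export.
    """
    problems = []
    name = profile.get("name", "<unnamed>")
    if name != name.strip():
        problems.append(f"{name!r}: name has leading/trailing whitespace")
    props = profile.get("properties", {})
    # Unsupported fields are rejected whether they appear at the top level
    # of the profile or inside its properties.
    for field in UNSUPPORTED_FIELDS:
        if field in profile or field in props:
            problems.append(f"{name!r}: field {field!r} is not supported")
    for key in REQUIRED_PROPERTIES:
        if key not in props:
            problems.append(f"{name!r}: missing property {key!r}")
    # cert_type must exist in Security Manager and carry the same definition.
    cert_type = props.get("cert_type")
    if cert_type is not None:
        expected = sm_cert_types.get(cert_type)
        if expected is None:
            problems.append(f"{name!r}: cert_type {cert_type!r} not in Security Manager")
        elif props.get("cert_definition") != expected:
            problems.append(f"{name!r}: cert_definition should be {expected!r}")
    # The role must be one that permits PKCS #12 export.
    role = props.get("user_role")
    if role is not None and role not in p12_roles:
        problems.append(f"{name!r}: user_role {role!r} does not allow PKCS #12 export")
    # A YAML loader yields the boolean False; the string "false" is flagged too.
    if "create_ldap_entry" in props and props["create_ldap_entry"] is not False:
        problems.append(f"{name!r}: create_ldap_entry must be false")
    return problems


def lint_profiles(profiles, sm_cert_types, p12_roles):
    """Lint every profile and additionally flag duplicate unique_id values."""
    problems, seen = [], set()
    for profile in profiles:
        uid = profile.get("unique_id")
        if uid in seen:
            problems.append(f"duplicate unique_id {uid!r}")
        seen.add(uid)
        problems.extend(lint_profile(profile, sm_cert_types, p12_roles))
    return problems


# Constructed sample data mirroring the example on this page.
SM_CERT_TYPES = {
    "ent_mdm_p12_sig": "Verification",
    "ent_mdm_p12_enc": "Encryption",
    "ent_mdm_p12_sig_enc": "Dual Usage",
    "ent_mdm_p12_nonrep": "Nonrepudiation",
}
P12_ROLES = {"End User P12"}


def _profile(name, cert_type, definition):
    return {"name": name, "unique_id": cert_type,
            "properties": {"cert_type": cert_type, "cert_definition": definition,
                           "user_role": "End User P12", "user_type": "Web Server",
                           "create_ldap_entry": False}}


GOOD_PROFILES = [_profile("MDM-P12 " + d, t, d) for t, d in SM_CERT_TYPES.items()]

# Constructed bad profile: wrong definition, non-P12 role, LDAP entry on,
# and an unsupported field.
BAD_PROFILE = {"name": "MDM-P12 Bad", "unique_id": "ent_mdm_p12_bad",
               "subject_builder_config": {},
               "properties": {"cert_type": "ent_mdm_p12_sig", "cert_definition": "Signing",
                              "user_role": "End User", "user_type": "Web Server",
                              "create_ldap_entry": True}}

if __name__ == "__main__":
    for line in lint_profiles(GOOD_PROFILES + [BAD_PROFILE], SM_CERT_TYPES, P12_ROLES):
        print(line)
```

Run against the four profiles from the page the lint reports nothing; the constructed bad profile produces one line per violated rule, which is the shape you want from a pre-deployment check in a CI job that guards the CA Gateway configuration.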