In Entrust CA Gateway, you must create profiles for each Managed CA that will issue certificates for MDM Web Service enrollment (PKCS #12 enrollment over the MDMWS protocol). Each profile must issue one of the MDMWS P12 certificate types you added earlier to Security Manager.

When adding these profiles to CA Gateway:

  • The subject_builder_config field is not supported.
  • The subject-variable-requirements field is not supported.
  • The values of the cert_type (certificate type) and cert_definition (certificate definition) parameters must match the values specified in Security Manager.
  • The value of user_role must match a role that allows PKCS #12 export, for example a role named End User P12 that you created earlier for that purpose.
  • The value of the create_ldap_entry parameter must be false.

The following example shows multiple Managed CA profiles configured in CA Gateway for MDMWS P12 enrollment, one profile for each MDMWS P12 certificate type you created earlier in Security Manager.

- name: "MDM-P12 Verification"
  unique_id: ent_mdm_p12_sig
  properties:
    cert_type: ent_mdm_p12_sig
    cert_definition: Verification
    user_role: End User P12
    user_type: Web Server
    create_ldap_entry: false
- name: "MDM-P12 Encryption"
  unique_id: ent_mdm_p12_enc
  properties:
    cert_type: ent_mdm_p12_enc
    cert_definition: Encryption
    user_role: End User P12
    user_type: Web Server
    create_ldap_entry: false
- name: "MDM-P12 Dual Usage"
  unique_id: ent_mdm_p12_sig_enc
  properties:
    cert_type: ent_mdm_p12_sig_enc
    cert_definition: Dual Usage
    user_role: End User P12
    user_type: Web Server
    create_ldap_entry: false
- name: "MDM-P12 Nonrepudiation"
  unique_id: ent_mdm_p12_nonrep
  properties:
    cert_type: ent_mdm_p12_nonrep
    cert_definition: Nonrepudiation
    user_role: End User P12
    user_type: Web Server
    create_ldap_entry: false
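The constraints listed above are easy to get wrong when profiles are edited by hand (a quoted "false", a cert_definition copied from the wrong type, an unsupported field left in). The following added example is not Entrust's code: it checks a set of Managed CA profiles against those constraints before they are deployed, assuming the cert_type/cert_definition pairs and the End User P12 role are the ones this page names.

```python
# Added example (not Entrust's code): pre-deployment check of CA Gateway Managed CA
# profiles against the MDMWS P12 constraints listed above. Assumed: the cert_type/
# cert_definition pairs and the PKCS #12-export role are the ones this page names.

SM_CERT_TYPES = {  # cert_type -> cert_definition as created in Security Manager
    "ent_mdm_p12_sig": "Verification",
    "ent_mdm_p12_enc": "Encryption",
    "ent_mdm_p12_sig_enc": "Dual Usage",
    "ent_mdm_p12_nonrep": "Nonrepudiation",
}
P12_EXPORT_ROLES = {"End User P12"}  # roles known to allow PKCS #12 export
UNSUPPORTED_FIELDS = {"subject_builder_config", "subject-variable-requirements"}

def validate_profile(profile):
    """Return the list of violations for one profile (empty when it passes)."""
    problems = []
    props = profile.get("properties", {})
    # Unsupported fields are rejected whether they sit at profile level or under properties
    for field in sorted(UNSUPPORTED_FIELDS & (set(profile) | set(props))):
        problems.append(f"unsupported field {field}")
    cert_type, cert_def = props.get("cert_type"), props.get("cert_definition")
    expected = SM_CERT_TYPES.get(cert_type)
    if expected is None:
        problems.append(f"cert_type {cert_type!r} is not defined in Security Manager")
    elif cert_def != expected:
        problems.append(f"cert_definition {cert_def!r} must be {expected!r} for {cert_type}")
    if props.get("user_role") not in P12_EXPORT_ROLES:
        problems.append(f"user_role {props.get('user_role')!r} does not allow PKCS #12 export")
    # Must be the YAML boolean false; a quoted "false" is a string and does not qualify
    if props.get("create_ldap_entry") is not False:
        problems.append(f"create_ldap_entry must be false, got {props.get('create_ldap_entry')!r}")
    return problems

def validate_profiles(profiles):
    """Map each profile's unique_id to its violations."""
    return {p["unique_id"]: validate_profile(p) for p in profiles}

# Constructed input: the page's Verification profile plus one deliberately broken profile
PROFILES = [
    {"name": "MDM-P12 Verification", "unique_id": "ent_mdm_p12_sig", "properties": {
        "cert_type": "ent_mdm_p12_sig", "cert_definition": "Verification",
        "user_role": "End User P12", "user_type": "Web Server", "create_ldap_entry": False}},
    {"name": "MDM-P12 Encryption", "unique_id": "ent_mdm_p12_enc",
     "subject_builder_config": {},  # not supported for MDMWS P12 profiles
     "properties": {"cert_type": "ent_mdm_p12_enc", "cert_definition": "Verification",
                    "user_role": "End User", "create_ldap_entry": "false"}},  # string, not bool
]
```

Running validate_profiles(PROFILES) reports no problems for the Verification profile and four for the Encryption profile: the unsupported field, the mismatched cert_definition, a role that does not permit PKCS #12 export, and a string where the boolean false is required.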