To issue a certificate for the Web server, a user account for the certificate must exist in your on-premises CA. You must create a user account to issue the initial Web server certificate. You must recover (reset) the user account to renew the Web server certificate.

To manually create or recover (reset) a user account, you can use an administration application such as Entrust Authority Security Manager Administration or the User Management Service (Entrust Administration Services). When creating a new user account:

  • It is recommended that you configure the user's name (using the directory naming attributes) to be the fully qualified domain name of the Web server. For example, example.com.
  • Select a 1-key-pair certificate type with a Dual Usage certificate definition that includes an Extended Key Usage extension with server authentication and client authentication. The certificate definition should also be assigned a certificate definition policy. For example, the Enterprise Machine (ent_machine) certificate type.
  • For the Subject Alternative Name (SubjectAltName) extension, add a DNS Name component for each DNS name that may be used by the Web server.
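
One way to verify that an issued Web server certificate actually carries the attributes listed above (subject name equal to the FQDN, Extended Key Usage with both server and client authentication, a SAN DNS Name for every host name) is to check it programmatically before deploying it. This is an added example using the Python cryptography library, not Entrust code; the FQDN and DNS names are constructed sample values, and build_test_cert() is a self-signed stand-in for a certificate issued by the CA.

```python
# Added example (not Entrust's code): check that an issued Web server certificate carries
# the attributes described above; build_test_cert() is a constructed self-signed stand-in.
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

REQUIRED_EKU = {ExtendedKeyUsageOID.SERVER_AUTH, ExtendedKeyUsageOID.CLIENT_AUTH}


def check_web_server_cert(cert, fqdn, dns_names):
    """Return the list of violated requirements (empty list means the certificate is acceptable)."""
    problems = []
    cns = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)
    if not cns or cns[0].value != fqdn:
        problems.append(f"subject CN is not the Web server FQDN {fqdn!r}")
    try:  # Dual Usage: EKU must carry both server and client authentication
        eku = set(cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value)
    except x509.ExtensionNotFound:
        eku = set()
    for oid in REQUIRED_EKU - eku:
        problems.append(f"Extended Key Usage lacks {oid.dotted_string}")
    try:  # every DNS name the server answers to must be a SAN DNS Name component
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
        present = set(san.get_values_for_type(x509.DNSName))
    except x509.ExtensionNotFound:
        present = set()
    problems += [f"SubjectAltName lacks DNS name {n!r}" for n in dns_names if n not in present]
    return problems


def build_test_cert(fqdn, dns_names, eku_oids):
    """Constructed self-signed certificate standing in for one issued by the CA (demo only)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, fqdn)])
    now = datetime.now(timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name).public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + timedelta(days=365))
            .add_extension(x509.SubjectAlternativeName([x509.DNSName(d) for d in dns_names]), critical=False)
            .add_extension(x509.ExtendedKeyUsage(list(eku_oids)), critical=False)
            .sign(key, hashes.SHA256()))


if __name__ == "__main__":
    names = ["www.example.com", "example.com"]
    print(check_web_server_cert(build_test_cert("www.example.com", names, REQUIRED_EKU), "www.example.com", names))
    print(check_web_server_cert(build_test_cert("www.example.com", names[:1], [ExtendedKeyUsageOID.SERVER_AUTH]), "www.example.com", names))
```

To check a certificate exported from the CA instead of the constructed one, load it with x509.load_pem_x509_certificate() and pass it to check_web_server_cert().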

For information about creating or recovering user accounts, see the documentation for the client application.