Certificate Enrollment Gateway obtains its certificate through a user account in your on-premises CA, so that account must exist before the certificate can be issued. Create the user account to issue the initial Certificate Enrollment Gateway certificate, and recover (reset) the same user account each time the Certificate Enrollment Gateway certificate is renewed.

To manually create or recover (reset) a user account, you can use an administration application such as Entrust Authority Security Manager Administration or the User Management Service (Entrust Administration Services). When creating a new user account:

  • It is recommended that you set the user's name (through the directory naming attributes) to the fully qualified domain name of the server hosting Entrust PKI Hub 1.0. For example, example.com.
  • Select a 1-key-pair certificate type with a Dual Usage certificate definition whose Extended Key Usage extension includes both server authentication (id-kp-serverAuth, 1.3.6.1.5.5.7.3.1) and client authentication (id-kp-clientAuth, 1.3.6.1.5.5.7.3.2). The certificate definition should also be assigned a certificate definition policy. For example, the Enterprise Machine (ent_machine) certificate type.
  • For the Subject Alternative Name (SubjectAltName) extension, add a DNS Name component for every DNS name that may be used to reach the Entrust PKI Hub 1.0 cluster. TLS clients verify the host name they connected to against the SubjectAltName DNS names rather than against the subject name, so any name omitted here fails host name verification.

For information about creating or recovering user accounts, see the documentation for the client application.
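After the certificate has been issued (or renewed), it is worth confirming that it actually carries the Extended Key Usage values and the SubjectAltName DNS names listed above before installing it. The following script is an added example, not part of the Entrust PKI Hub documentation or of any Entrust tool. It assumes OpenSSL 1.1.1 or later on PATH; the host names pkihub.example.com and ceg.example.com, and the self-signed certificates it generates in place of CA-issued ones, are constructed test data.

```shell
#!/bin/sh
# Added verification example; not from the Entrust PKI Hub documentation.
# Checks that a Certificate Enrollment Gateway certificate carries the
# Extended Key Usage values and SubjectAltName DNS names the page requires.
# Assumes OpenSSL 1.1.1 or later. Host names and the self-signed test
# certificates generated below are constructed test data, not real CA output.
set -eu

# check_ceg_cert CERT_PEM DNSNAME...
# Returns 0 when the certificate's EKU contains both serverAuth and clientAuth
# and its SubjectAltName has a DNS entry for every name given; otherwise
# prints each missing item and returns 1.
check_ceg_cert() {
    cert="$1"; shift
    eku=$(openssl x509 -in "$cert" -noout -ext extendedKeyUsage 2>/dev/null || true)
    # Drop the extension header line and put one SAN entry per line, trimmed,
    # so each DNS name is matched exactly and not as a substring of a longer one.
    san_entries=$(openssl x509 -in "$cert" -noout -ext subjectAltName 2>/dev/null \
        | sed 1d | tr ',' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' || true)
    status=0
    case "$eku" in
        *"TLS Web Server Authentication"*) ;;
        *) echo "missing EKU: serverAuth (1.3.6.1.5.5.7.3.1)"; status=1 ;;
    esac
    case "$eku" in
        *"TLS Web Client Authentication"*) ;;
        *) echo "missing EKU: clientAuth (1.3.6.1.5.5.7.3.2)"; status=1 ;;
    esac
    for name in "$@"; do
        if printf '%s\n' "$san_entries" | grep -qxF "DNS:$name"; then
            :
        else
            echo "missing SAN entry: DNS:$name"; status=1
        fi
    done
    return "$status"
}

# make_test_cert OUT_PEM "DNS:a,DNS:b" "serverAuth,clientAuth"
# Generates a throwaway self-signed certificate with the given extensions,
# standing in for the certificate the on-premises CA would issue.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=pkihub.example.com" \
        -addext "subjectAltName=$2" -addext "extendedKeyUsage=$3" \
        -keyout "${1%.pem}.key" -out "$1" 2>/dev/null
}

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT
GOOD_CERT="$WORKDIR/good.pem"
BAD_CERT="$WORKDIR/bad.pem"
# Constructed: one certificate that meets the requirements and one that lacks
# clientAuth and one of the cluster's DNS names.
make_test_cert "$GOOD_CERT" "DNS:pkihub.example.com,DNS:ceg.example.com" "serverAuth,clientAuth"
make_test_cert "$BAD_CERT" "DNS:pkihub.example.com" "serverAuth"

for cert in "$GOOD_CERT" "$BAD_CERT"; do
    if check_ceg_cert "$cert" pkihub.example.com ceg.example.com; then
        echo "$cert: acceptable for Certificate Enrollment Gateway"
    else
        echo "$cert: NOT acceptable for Certificate Enrollment Gateway"
    fi
done
```

Run check_ceg_cert against the PEM exported from your CA, passing every DNS name the cluster will be reached by; any line of output names a value that must be corrected in the user account's certificate definition or SubjectAltName before the certificate is installed.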