In Certificate Enrollment Gateway, the CEG Service requires TLS certificates to operate. Certificate Enrollment Gateway includes a TLS bootstrapping feature that can request and obtain TLS certificates from a Managed CA through Entrust CA Gateway (see Managing the TLS certificates of the Certificate Enrollment Gateway Service).
Using the TLS bootstrapping feature is optional for issuing TLS certificates for the CEG Service. If desired, you can use another method or tool to issue TLS certificates for your deployment.
To use the TLS bootstrapping feature, you must define a profile in Entrust CA Gateway for the Managed CA that will issue the required TLS certificates for the CEG Service. For information about defining profiles in CA Gateway, see the CA Gateway documentation.
The profile used for TLS bootstrapping must allow for Dual Usage (both Digital Signature and Key Encipherment). It is recommended that you use a Dual Usage certificate type that you created earlier for an enrollment protocol. For example, for the SCEP protocol, you can use the SCEP Signing and Encryption (ent_scep_sig_enc) certificate type you created earlier for the SCEP and Intune-SCEP protocols in Adding certificate types to Security Manager for SCEP and Intune-SCEP enrollment.
When adding the profile to CA Gateway:
- The subject_builder_config field is not supported.
- The subject-variable-requirements field is not supported.
- The values of the cert_type (certificate type) and cert_definition (certificate definition) parameters must match the values specified in Security Manager.
- The value of the create_ldap_entry parameter must be false.
For example:

    - name: "CEG TLS Certificate"
      unique_id: ent_ceg_sig_enc
      properties:
        cert_type: ent_ceg_sig_enc
        cert_definition: Dual Usage
        user_type: Web Server
        create_ldap_entry: false
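The constraints above are easy to get wrong when a profile is copied from another enrollment protocol, and CA Gateway will accept a profile that CEG then cannot use. The following is an added example, not Entrust code: a small linter that encodes the documented rules so a profile can be checked before it is loaded into CA Gateway. The profile is passed as the Python dict you would get from parsing the YAML; the two sample profiles are constructed (one mirrors the example above, one has typical mistakes), and the mapping of Security Manager certificate types to definitions is an assumption the caller supplies, since it cannot be read from the profile itself.

```python
"""Lint a CA Gateway profile intended for CEG TLS bootstrapping.

Added example (not Entrust code). The profile is the dict produced by loading
the YAML profile; SM_CERT_TYPES is a constructed stand-in for the certificate
types and definitions actually configured in Security Manager.
"""

# Fields the TLS bootstrapping feature does not support, wherever they appear.
UNSUPPORTED_FIELDS = ("subject_builder_config", "subject-variable-requirements")

# Assumption: what Security Manager has configured. In practice, take these
# from your Security Manager certificate type definitions.
SM_CERT_TYPES = {"ent_ceg_sig_enc": "Dual Usage"}

# Constructed sample mirroring the documented example.
GOOD_PROFILE = {
    "name": "CEG TLS Certificate",
    "unique_id": "ent_ceg_sig_enc",
    "properties": {
        "cert_type": "ent_ceg_sig_enc",
        "cert_definition": "Dual Usage",
        "user_type": "Web Server",
        "create_ldap_entry": False,
    },
}

# Constructed sample with typical copy-paste mistakes: an unsupported field,
# a definition that is not Dual Usage, and create_ldap_entry quoted as a string.
BAD_PROFILE = {
    "name": "CEG TLS Certificate",
    "unique_id": "ent_ceg_sig_enc",
    "subject_builder_config": {"cn": "ceg.example.test"},
    "properties": {
        "cert_type": "ent_ceg_sig_enc",
        "cert_definition": "Signing Only",
        "user_type": "Web Server",
        "create_ldap_entry": "false",
    },
}


def validate_profile(profile: dict, sm_cert_types: dict) -> list:
    """Return human-readable findings; an empty list means the profile passes."""
    findings = []
    props = profile.get("properties", {})

    # Unsupported fields may be placed at the top level or under properties.
    for field in UNSUPPORTED_FIELDS:
        if field in profile or field in props:
            findings.append(f"unsupported field for TLS bootstrapping: {field}")

    cert_type = props.get("cert_type")
    cert_def = props.get("cert_definition")

    # cert_type and cert_definition must exactly match Security Manager.
    if cert_type not in sm_cert_types:
        findings.append(f"cert_type {cert_type!r} is not defined in Security Manager")
    elif sm_cert_types[cert_type] != cert_def:
        findings.append(
            f"cert_definition {cert_def!r} does not match Security Manager "
            f"value {sm_cert_types[cert_type]!r} for cert_type {cert_type!r}"
        )

    # The CEG Service needs Dual Usage (digital signature + key encipherment).
    if cert_def != "Dual Usage":
        findings.append(f"cert_definition must be 'Dual Usage', got {cert_def!r}")

    # Must be the YAML boolean false; the quoted string "false" is a different value.
    if props.get("create_ldap_entry") is not False:
        findings.append(
            f"create_ldap_entry must be the boolean false, got "
            f"{props.get('create_ldap_entry')!r}"
        )
    return findings


if __name__ == "__main__":
    for label, profile in (("good", GOOD_PROFILE), ("bad", BAD_PROFILE)):
        result = validate_profile(profile, SM_CERT_TYPES)
        print(f"{label}: {'OK' if not result else ''}")
        for finding in result:
            print(f"  - {finding}")
```

Run it against the dict you get from loading your own profile YAML (for example with PyYAML's `safe_load`); the string-versus-boolean check on create_ldap_entry is the one that most often slips through a visual review.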