You can process the CSR for the Active Directory server certificate using the Profile Creation Utility. The Profile Creation Utility is a command line utility that can create and manage Entrust profiles for an on-premises Security Manager CA. You can use the Profile Creation Utility to process Certificate Signing Requests (CSRs) and generate certificates. The Profile Creation Utility is available as a separate software download for Entrust CA Gateway.
To download and install the Profile Creation Utility
- Install a Java Development Kit (JDK) and set the JAVA_HOME environment variable.
- Log in to Entrust TrustedCare (http://trustedcare.entrust.com).
- Go to PKI > Authority > CA Gateway and click the latest version of the product.
- Under software downloads, download the Profile Creation Utility for your preferred operating system:
  - cagw-profilecreationutility-linux64-version.zip for Linux 64-bit.
  - cagw-profilecreationutility-win64-version.zip for Windows 64-bit.
- Extract the contents of the ZIP file to a location on the computer.
To process the CSR using the Profile Creation Utility
- Obtain the CSR file along with the reference number and authorization code associated with the Security Manager user account.
  When you create a user in Security Manager or set a user for key recovery, Security Manager generates a reference number and authorization code. You need these activation codes to process the CSR.
- Obtain the Entrust desktop profile (EPF file) from a Security Manager administrator.
  To process the CSR, the Profile Creation Utility requires an Entrust desktop profile (EPF file). The role associated with the profile requires the following permissions:
  - Under the Certificates permission category: permission to administer the certificate category and certificate type of the certificate being issued.
  - Under the Groups permission category: View, and permission to administer the group associated with the Security Manager user being issued the certificate.
  - Under the Roles permission category: View, and permission to administer the role associated with the Security Manager user being issued the certificate.
  - Under the Searchbase permission category: View, and permission to administer the searchbase associated with the Security Manager user being issued the certificate.
  - Under the Users permission category: View and Perform PKIX requests.
- Navigate to the directory containing the Profile Creation Utility.
- Run the following command:
  - On Windows, run pcu.bat.
  - On Linux, run pcu.
The Profile Creation Utility main menu appears:
Main Menu
1. Exit
2. Help
3. Create Entrust profile
4. Recover Entrust profile
5. Inspect Entrust profile (read only)
6. Inspect and update Entrust profile (read/write)
7. Create Server Login credentials
8. Create PKCS #12 file (Security Manager)
9. Recover PKCS #12 file (Security Manager)
10. Create PKCS #12 file (3rdParty)
11. Update PKCS #12 file (3rdParty)
12. Process PKCS #10 Certificate Signing Request (CSR)
13. Generate/Process Certificate Signing Request on HSM (3rdParty)
14. Change password
Select an operation [3]:
To return to the main menu at any time, enter a period (.). For help about using the Profile Creation Utility, enter 2 in the main menu.
Enter 12 to process the CSR.
The following prompt appears:
Take settings from an existing entrust.ini file (y/n) [y]:
To use Certificate Authority (CA) connection settings from an existing entrust.ini file, enter y. To provide CA connection settings manually, enter n.
- If you chose to use an existing entrust.ini file, you are prompted to enter the full path to the entrust.ini file:
Enter full path to entrust.ini file:
Enter the full path and file name of the entrust.ini file.
- If you chose to enter CA connection settings manually, the following prompts appear:
You are prompted to provide the host name (or IP address) and port of the CA server:
Enter the CA hostname or IP address and port in the form name:port:
Enter the host name (or IPv4 address) and CMP port of the server hosting the CA in the format <hostname>:<port>. If you omit the port number, it defaults to 829.
You are prompted to provide the host name (or IP address) and port of the directory server:
Enter the directory hostname or IP address and port in the form name:port:
Enter the host name (or IPv4 address) and LDAP port of the server hosting the directory in the format <hostname>:<port>. The name or address defaults to the same value that you entered for the CA address. If you omit the port number, it defaults to 389.
You are prompted for the full path to an administration profile:
Enter full path to administration profile:
Enter the full path and file name of an administration profile.
You are prompted to enter the profile password:
Enter profile password:
Enter the profile password.
You are asked if the CSR is authenticated:
Is the CSR authenticated? (y/n)? [n]:
Enter n. The CSR is not authenticated.
You are prompted for the full path to the CSR:
Enter full path to CSR:
Enter the full path and file name of the CSR.
You are prompted to enter the reference number for the CSR:
Enter reference number:
Enter the reference number you recorded earlier.
You are prompted to enter the authorization code for the CSR:
Enter authorization code:
Enter the authorization code you recorded earlier.
You are prompted to enter a file name for the certificate:
Enter certificate file to create:
Enter the full path and file name for the certificate file.
You are prompted to enter the certificate definition required for the certificate:
Enter certificate definition required [Verification]:
Enter the certificate definition required for the certificate, such as Verification or Dual Usage.
The Profile Creation Utility processes the certificate. If the operation is successful, Security Manager issues a certificate and the Profile Creation Utility writes the certificate to a file.
Requesting certificate from Security Manager...
Obtained new certificate with serial number 1340207625 from issuer o=Example,c=US
Certificate written to c:\new_certificate.cer
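Before installing the certificate, it is worth confirming that the file the utility wrote actually carries the public key from the CSR you submitted and that its serial number matches the one reported. The following is an added example, not Entrust code, that walks the PKCS #10 and X.509 DER structures with the Python standard library; the sample CSR and certificate are constructed placeholders, and whether the .cer file is PEM or DER is an assumption handled by load_der.

```python
import base64
def der_tlv(buf, pos=0):
    """Parse one DER TLV at pos; return (tag, value, end_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                               # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """Split a constructed element's contents into its child (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_tlv(value, pos)
        out.append((tag, val))
    return out

def load_der(data):
    """Accept PEM or DER input; which one the utility writes to the .cer file is an assumption here."""
    if data.lstrip().startswith(b"-----BEGIN"):
        return base64.b64decode(b"".join(ln for ln in data.splitlines() if not ln.startswith(b"-----")))
    return data

def csr_spki(csr):
    """PKCS #10: CertificationRequest { CertificationRequestInfo { version, subject, SPKI, attrs }, alg, sig }."""
    cri = der_children(der_tlv(load_der(csr))[1])[0][1]
    return der_children(cri)[2][1]
def cert_serial_and_spki(cert):
    """X.509: Certificate { TBSCertificate { [0] version?, serial, alg, issuer, validity, subject, SPKI, ... }, alg, sig }."""
    fields = der_children(der_children(der_tlv(load_der(cert))[1])[0][1])
    if fields[0][0] == 0xA0:                        # explicit [0] version present (v2/v3 certificate)
        fields = fields[1:]
    return int.from_bytes(fields[0][1], "big", signed=True), fields[5][1]
def certificate_matches_csr(cert, csr):
    """True when the issued certificate carries exactly the SubjectPublicKeyInfo that was in the CSR."""
    return cert_serial_and_spki(cert)[1] == csr_spki(csr)
# Constructed sample (placeholder RSA key, o=Example subject, serial taken from the page's sample output).
def der(tag, content):
    n = len(content)
    lb = bytes([n]) if n < 128 else bytes([0x81, n]) if n < 256 else bytes([0x82]) + n.to_bytes(2, "big")
    return bytes([tag]) + lb + content
RSA_SPKI = der(0x30, der(0x30, der(0x06, bytes.fromhex("2a864886f70d010101")) + der(0x05, b"")) + der(0x03, b"\x00" + b"\x01" * 64))
SHA256_RSA = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")) + der(0x05, b""))
NAME = der(0x30, der(0x31, der(0x30, der(0x06, bytes.fromhex("55040a")) + der(0x13, b"Example"))))
VALIDITY = der(0x30, der(0x17, b"240101000000Z") + der(0x17, b"250101000000Z"))
SAMPLE_CSR = der(0x30, der(0x30, der(0x02, b"\x00") + NAME + RSA_SPKI + der(0xA0, b"")) + SHA256_RSA + der(0x03, b"\x00" * 9))
SAMPLE_CERT = der(0x30, der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, (1340207625).to_bytes(4, "big")) + SHA256_RSA
                    + NAME + VALIDITY + NAME + RSA_SPKI) + SHA256_RSA + der(0x03, b"\x00" * 9))
```

On a real run, pass the bytes read from the CSR file and from c:\new_certificate.cer to certificate_matches_csr and compare the returned serial with the one printed by the utility.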
After processing the CSR and obtaining the certificate, proceed to Installing the Active Directory server certificate.