You can process the CSR for the Web server certificate using the Profile Creation Utility. The Profile Creation Utility is a command line utility that can create and manage Entrust profiles for an on-premises Security Manager CA. You can use the Profile Creation Utility to process Certificate Signing Requests (CSRs) and generate certificates. The Profile Creation Utility is available as a separate software download for Entrust CA Gateway.

When processing a CSR, the Profile Creation Utility will prompt you for the certificate definition required for the certificate. In Security Manager, that certificate definition for the user's certificate type must be assigned a certificate definition policy (user policy). If no certificate definition policy is assigned to the certificate definition you specify, an error will occur and the Profile Creation Utility will fail to process the CSR.

To download and install the Profile Creation Utility

  1. Install a Java Development Kit (JDK) and set the JAVA_HOME environment variable.
  2. Log in to Entrust TrustedCare (http://trustedcare.entrust.com).
  3. Go to PKI > Authority >CA Gateway and click the latest version of the product.
  4. Under software downloads, download the Profile Creation Utility for your preferred operating system:
    • cagw-profilecreationutility-linux64-version.zip for Linux 64-bit.
    • cagw-profilecreationutility-win64-version.zip for Windows 64-bit.
  5. Extract the file contents of the ZIP file to a location on the computer.

To process the CSR using the Process Creation Utility

  1. Obtain the CSR file along with the reference number and authorization code associated with the Security Manager user account.
    When you create a user in Security Manager or set a user for key recovery, Security Manager generates a reference number and authorization code. You need these activation codes to process the CSR.

  2. To process the CSR, the Profile Creation Utility requires an Entrust desktop profile (EPF file). The role associated with the profile requires the following permissions:

    • Under the Certificates permission category: permissions to administer the certificate category and certificate type of the certificate being issued.

    • Under the Groups permission category: View and permission to administer the group associated with the Security Manager user being issued the certificate.

    • Under the Roles permission category: View and permission to administer the role associated with the Security Manager user being issued the certificate.

    • Under the Searchbase permission category: View and permission to administer the searchbase associated with the Security Manager user being issued the certificate.

    • Under the Users permission category: View and Perform PKIX requests. Obtain the Entrust desktop profile (EPF file) from a Security Manager administrator.

  3. Navigate to the directory containing the Profile Creation Utility.
  4. Run the following command:
    • On Windows, run pcu.bat.
    • On Linux, run pcu.

  5. The Profile Creation Utility main menu appears:

    Main Menu
    1. Exit
    2. Help
    3. Create Entrust profile
    4. Recover Entrust profile
    5. Inspect Entrust profile (read only)
    6. Inspect and update Entrust profile (read/write)
    7. Create Server Login credentials
    8. Create PKCS #12 file (Security Manager)
    9. Recover PKCS #12 file (Security Manager)
    10. Create PKCS #12 file (3rdParty)
    11. Update PKCS #12 file (3rdParty)
    12. Process PKCS #10 Certificate Signing Request (CSR)
    13. Generate/Process Certificate Signing Request on HSM (3rdParty)
    14. Change password
    Select an operation [3]:

    To return to the main menu at any time, enter a period (.). For help about using the Profile Creating Utility, enter 2 in the main menu.

    Enter 12 to process the CSR.

  6. The following prompt appears: 

    Take settings from an existing entrust.ini file (y/n) [y]:

    • To use Certificate Authority (CA) connection settings from an existing entrust.ini file, enter y.

    • To provide CA connection settings manually, enter n.

  7. If you chose to use an existing entrust.ini file, you are prompted to enter the full path to the entrust.ini file: 

    Enter full path to entrust.ini file:

    Enter the full path and file name of the entrust.ini file.

  8. If you chose to enter CA connections setting manually, the following prompts appear:

    1. You are prompted to provide the host name (or IP address) and port of the CA server:

      Enter the CA hostname or IP address and port in the form name:port:

      Enter the host name (or IPv4 address) and CMP port of the server hosting the CA in format of <hostname>:<port>. If you omit the port number, it defaults to 829.

    2. You are prompted to provide the host name (or IP address) and port of the directory server: 

      Enter the directory hostname or IP address and port in the form name:port:

      Enter the host name (or IPv4 address) and LDAP port of the server hosting the directory in format of <hostname>:<port>. The name or address defaults to the same value that you entered for the CA address If you omit the port number, it defaults to 389.

  9. You are prompted for the full path to an administration profile:

    Enter full path to administration profile:

    Enter the full path and file name of an administration profile.

  10. You are prompted to enter the profile password: 

    Enter profile password:

    Enter the profile password.

  11. You are asked if the CSR is authenticated:

    Is the CSR authenticated? (y/n)? [n]:

    Enter n. The CSR is not authenticated.

  12. You are prompted for the full path to the CSR:

    Enter full path to CSR:

    Enter the full path and file name of the CSR.

  13. You are prompted to enter the reference number for the CSR:

    Enter reference number:

    Enter the reference number you recorded earlier.

  14. You are prompted to enter the authorization code for the CSR:

    Enter authorization code:

     Enter the authorization code you recorded earlier.

  15. You are prompted to enter a file name for the certificate:

    Enter certificate file to create:

     Enter the full path and file name for the certificate file.

  16. You are prompted to enter the certificate definition required for the certificate:

    Enter certificate definition required [Verification]:

     Enter the certificate definition required for the certificate, such as Verification or Dual Usage.

  17. The Profile Creation Utility processes the certificate. If the operation is successful, Security Manager issues a certificate and the Profile Creation Utility writes the certificate to a file. 

    Requesting certificate from Security Manager...
    Obtained new certificate with serial number 1340207625 from issuer o=Example,c=US
    Certificate written to c:\new_certificate.cer

After processing the CSR and obtaining the certificate, proceed to Installing the Web server certificate into Microsoft IIS.