SCEP clients must use one of the following URLs to communicate with Certificate Enrollment Gateway:

Both forms of the SCEP enrollment URL require the trailing forward slash (/). To support macOS (Apple) devices, the URL must start with http instead of https.

http://<CEG-server>/scep/<tenant-ID>/<CA-ID>/<profile-ID>/
https://<CEG-server>/scep/<tenant-ID>/<CA-ID>/<profile-ID>/

Where:

  • <CEG-server> is the hostname or IP address of the Certificate Enrollment Gateway server.
  • <tenant-ID> is the unique identifier of a tenant defined in Certificate Enrollment Gateway. The value is case-sensitive.
  • <CA-ID> is the CA ID of the Certificate Authority (CA) defined in CA Gateway that will issue certificates to the SCEP client.
  • <profile-ID> is the profile ID defined in CA Gateway that defines the certificate type issued to the SCEP client. For Entrust PKI as a Service, the profile ID is one of the following:
    • scep-digital-signature-key-encipherment
    • scep-digital-signature
    • scep-key-encipherment
    • scep-non-repudiation

For example:

http://cegserver.example.com/scep/tenant1/example_ca1/scep-digital-signature/
https://cegserver.example.com/scep/tenant1/example_ca1/scep-digital-signature/

Some SCEP clients will append an additional parameter to all SCEP URLs. For these clients, you must append nop/ to the SCEP URL. For example:

http://cegserver.example.com/scep/tenant1/example_ca1/scep-digital-signature/nop/
https://cegserver.example.com/scep/tenant1/example_ca1/scep-digital-signature/nop/
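
The rules above can be checked before an enrollment URL is pushed into device or MDM configuration. The following is an added example, not Entrust code: the function name check_scep_url, its apple_client and pkiaas flags, and the finding strings are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Profile IDs this page lists for Entrust PKI as a Service.
PKIAAS_PROFILES = {
    "scep-digital-signature-key-encipherment",
    "scep-digital-signature",
    "scep-key-encipherment",
    "scep-non-repudiation",
}

def check_scep_url(url, apple_client=False, pkiaas=False):
    """Return a list of findings; an empty list means the URL has the documented form."""
    findings = []
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        findings.append("scheme must be http or https")
    elif apple_client and parts.scheme != "http":
        findings.append("macOS (Apple) clients need the http form")
    if not parts.hostname:
        findings.append("missing CEG server host")
    if parts.query or parts.fragment:
        findings.append("query string or fragment is not part of the documented URL")
    if not parts.path.endswith("/"):
        findings.append("trailing forward slash is required")
    # Expected path: /scep/<tenant-ID>/<CA-ID>/<profile-ID>/ with an optional nop/ suffix.
    segs = parts.path.strip("/").split("/")
    if segs[-1] == "nop":
        segs = segs[:-1]
    if len(segs) != 4 or segs[0] != "scep" or not all(segs):
        findings.append("path must be /scep/<tenant-ID>/<CA-ID>/<profile-ID>/")
        return findings
    # The tenant ID is case-sensitive, so it is compared nowhere and passed through as typed.
    profile = segs[3]
    if pkiaas and profile not in PKIAAS_PROFILES:
        findings.append(f"profile ID {profile!r} is not a listed PKI as a Service profile")
    return findings

if __name__ == "__main__":
    base = "cegserver.example.com/scep/tenant1/example_ca1/scep-digital-signature"
    for candidate in (f"http://{base}/", f"https://{base}/nop/", f"https://{base}"):
        print(candidate, "->", check_scep_url(candidate, pkiaas=True) or "ok")
```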