Under properties, configure the following Entrust Certificate Authority-specific settings.
- admin-epf
- admin-epf-data
- admin-epf-password
- admin-p11-apf
- admin-p11-library
- admin-p11-password
- admin-p11-slot
- allow-full-pkup
- include-niche-cert-types
- ldap-ca-cert
- ldap-cert
- ldap-credential
- ldap-host
- ldap-port
- ldap-principal
- ldaps-port
- oid.<oidName>
- pkix-port
- sm-host
- xap-connections-idle-timeout
- xap-connections-init
- xap-connections-max
- xap-connections-socket-timeout
- xap-debug
- xap-debug-level
- xap-debug-log-file
- xap-port
admin-epf
The path of the administrator's Entrust Profile File (EPF) for connecting to the Entrust Certificate Authority instance.
See Configuring CA Gateway for how to reference file paths.
Mandatory: When saving the user settings in an Entrust Profile File (EPF).
admin-epf-data
The administrator's Entrust Profile File (EPF), as Base64 text.
Mandatory: When saving the administrator's settings in an Entrust Profile File (EPF).
This setting takes preference over admin-epf.
admin-epf-password
The password for decrypting the administrator's Entrust Profile File (EPF).
Mandatory: When saving the administrator's settings in an EPF.
admin-p11-apf
The path of the APF (Auxiliary Profile File).
See Configuring CA Gateway for how to reference file paths.
Mandatory: When saving the user settings in a PKCS #11 hardware security module (HSM) and archiving old private keys locally (to make them available for other purposes).
admin-p11-library
The full path of the PKCS#11 native library.
Mandatory: When saving the user settings in a PKCS #11 hardware security module (HSM).
admin-p11-password
The PKCS#11 user PIN to log in to the PKCS#11 slot.
Mandatory: When saving the user settings in a PKCS #11 hardware security module (HSM).
admin-p11-slot
The slot number of the PKCS#11 slot.
Mandatory: When saving the user settings in a PKCS #11 hardware security module (HSM).
allow-full-pkup
The value of the PrivateKeyUsagePeriod extension in certificates issued by Entrust Certificate Authority when the request:
- Includes the optionalCertificateRequestDetails.validityPeriod field, and
- Does not include the optionalCertificateRequestDetails.privateKeyUsagePercentage field.
See below for the values supported by this setting.
allow-full-pkup | PrivateKeyUsagePeriod
---|---
true | The 100% of the
false | Set by the CA.
As explained in RFC2459, the PrivateKeyUsagePeriod extension "allows the certificate issuer to specify a different validity period for the private key than the certificate".
Mandatory: No. This optional value defaults to true.
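As an added example (not code from CA Gateway or Entrust), the following shows how the setting and the two request fields above combine into a PrivateKeyUsagePeriod value. It assumes that validityPeriod is expressed as a notBefore/notAfter pair and that privateKeyUsagePercentage is the usable share of that period counted from notBefore; the function and parameter names are the example's own.

```python
# Added example (not CA Gateway code): how allow-full-pkup and the two request
# fields combine into a PrivateKeyUsagePeriod value. Assumption: the
# privateKeyUsagePercentage field is the usable share of the certificate
# validity period, counted from notBefore.
from datetime import datetime, timezone
from typing import Optional, Tuple


def private_key_usage_period(not_before: datetime, not_after: datetime,
                             allow_full_pkup: bool = True,
                             private_key_usage_percentage: Optional[int] = None
                             ) -> Optional[Tuple[datetime, datetime]]:
    """Return the (notBefore, notAfter) pair to place in the extension, or
    None when the setting leaves the value for the CA to decide."""
    if not_after <= not_before:
        raise ValueError("validityPeriod must end after it starts")
    if private_key_usage_percentage is not None:
        # The request carries the percentage, so allow-full-pkup is not consulted.
        if not 1 <= private_key_usage_percentage <= 100:
            raise ValueError("privateKeyUsagePercentage must be between 1 and 100")
        share = private_key_usage_percentage / 100
    elif allow_full_pkup:
        share = 1.0      # allow-full-pkup true: 100% of the validity period
    else:
        return None      # allow-full-pkup false: value set by the CA
    return not_before, not_before + (not_after - not_before) * share


# Constructed sample validity period (one year, 2024 is a leap year).
SAMPLE_NOT_BEFORE = datetime(2024, 1, 1, tzinfo=timezone.utc)
SAMPLE_NOT_AFTER = datetime(2025, 1, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for pct, full in ((None, True), (None, False), (50, False)):
        print(pct, full, private_key_usage_period(SAMPLE_NOT_BEFORE,
                                                  SAMPLE_NOT_AFTER, full, pct))
```

Note that the percentage branch is taken regardless of allow-full-pkup: the setting only matters for requests that omit privateKeyUsagePercentage, which is what the table above describes.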
include-niche-cert-types
true to expose certificate types relating to ePassport applications and legacy software, false otherwise.
Mandatory: No. This optional parameter defaults to false.
ldap-ca-cert
The PEM encoding of the root CA certificate for validating the LDAPS certificate.
- Add the encoding of a single certificate.
- Configure also the ldap-cert parameter if a subordinate CA issued the LDAPS certificate.
Mandatory: When the Java truststore cannot validate the LDAPS certificate.
ldap-cert
The PEM-encoded certificate of the subordinate CA that issued the LDAPS certificate.
- Add the encoding of a single certificate.
- Omit this parameter if the LDAPS certificate was issued by the root CA selected with the ldap-ca-cert parameter.
Mandatory: When a subordinate CA issued the LDAPS certificate, and the Java truststore cannot validate the certificate.
ldap-credential
The password of the LDAP user. Save this property in secure storage such as Vault rather than directly in a configuration file.
Mandatory: Yes.
ldap-host
The hostname of the directory instance.
Mandatory: Yes.
ldap-port
The port number for LDAP connections with the Entrust Certificate Authority directory (for LDAPS connections, configure ldaps-port instead).
This value is typically 389, the well-known port for LDAP.
Mandatory: When using an LDAP connection.
ldap-principal
The name of the LDAP user for logging in to the directory. Save this property in secure storage such as Vault rather than directly in a configuration file.
Mandatory: Yes.
ldaps-port
The port number for LDAPS connections with the Entrust Certificate Authority (for LDAP connections, configure ldap-port instead).
This value is typically 636, the well-known port for LDAPS.
Mandatory: When using an LDAPS connection.
oid.<oidName>
The attribute with the <oidName> OID. This property allows CA Gateway clients to request non-standard Subject DN attributes. For example:
oid.jurisdictionOfIncorporationLocalityName: 1.3.6.1.4.1.311.60.2.1.1
Where 1.3.6.1.4.1.311.60.2.1.1 is the jurisdictionOfIncorporationLocalityName numerical value.
Entrust Certificate Authority also requires configuring the OIDs in the CA configuration:
- Edit the manager/entrust.ini file.
- Add entries for each OID under both the [OIDTable] and [X500AttrSyntax] sections.
For example:
[OIDTable]
jurisdictionOfIncorporationLocalityName=1.3.6.1.4.1.311.60.2.1.1
[X500AttrSyntax]
jurisdictionOfIncorporationLocalityName=caseIgnoreStringSyntax
See the Entrust CA Operations Guide for further detail.
Mandatory: No.
pkix-port
The PKIX-CMP port number of the Entrust Certificate Authority instance.
Mandatory: Yes.
sm-host
The hostname of the Entrust Certificate Authority instance.
Mandatory: Yes.
xap-connections-idle-timeout
The idle timeout of the Entrust Certificate Authority XAP connection, in seconds.
Mandatory: No. This optional parameter defaults to 30 seconds.
xap-connections-init
The initial number of XAP connections to the Entrust Certificate Authority.
Mandatory: No. This optional parameter defaults to 20 connections.
xap-connections-max
The maximum number of XAP connections to the Entrust Certificate Authority.
Mandatory: No. This optional parameter defaults to 20 connections.
xap-connections-socket-timeout
The socket timeout of the Entrust Certificate Authority XAP connection, in seconds.
Mandatory: No. This optional parameter defaults to 60 seconds.
xap-debug
true for logging the XAP debugging to file; false otherwise.
Mandatory: No. This optional parameter defaults to false.
xap-debug-level
The level of detail for XAP debug logging (the log file itself is set with xap-debug-log-file).
Mandatory: Only when xap-debug is true.
xap-debug-log-file
The full path of the XAP debug log file.
Mandatory: Only when xap-debug is true.
xap-port
The XAP port number of the Entrust Certificate Authority instance.
Mandatory: Yes.
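The "Mandatory:" rules spread across the property descriptions above are easy to get wrong in a deployment file. The following pre-deployment checker is an added example, not CA Gateway or Entrust code: it assumes the properties have already been loaded into a plain mapping (for instance from the YAML file CA Gateway reads) and applies the rules as stated on this page, plus three checks that are this example's own assumptions: that values referenced from secure storage such as Vault carry a vault: prefix, that xap-connections-init should not exceed xap-connections-max, and that one administrator profile source (EPF or PKCS#11) must be present. The sample property sets are constructed for the example.

```python
# Added example (not CA Gateway code): sanity-check the Entrust CA-specific
# properties documented above against the page's "Mandatory:" rules.
import re

ALWAYS_REQUIRED = ("ldap-credential", "ldap-host", "ldap-principal",
                   "pkix-port", "sm-host", "xap-port")
P11_REQUIRED = ("admin-p11-library", "admin-p11-password", "admin-p11-slot")
PORT_KEYS = ("ldap-port", "ldaps-port", "pkix-port", "xap-port")
PEM_KEYS = ("ldap-ca-cert", "ldap-cert")
SECRET_KEYS = ("ldap-principal", "ldap-credential")
OID_RE = re.compile(r"^\d+(\.\d+)+$")
# Assumed convention for values resolved from secure storage (such as Vault)
# instead of being written into the configuration file.
SECRET_REF_PREFIX = "vault:"


def _set(props, key):
    return props.get(key) not in (None, "")


def _truthy(value):
    return value is True or str(value).strip().lower() == "true"


def check_entrust_properties(props):
    """Return a list of findings; an empty list means the settings are coherent."""
    findings = []
    for key in ALWAYS_REQUIRED:
        if not _set(props, key):
            findings.append(f"{key} is mandatory")
    # Administrator profile: an EPF (path or Base64 data) plus its password,
    # or a PKCS#11 HSM described by the admin-p11-* settings.
    has_epf = _set(props, "admin-epf") or _set(props, "admin-epf-data")
    has_p11 = any(_set(props, k) for k in P11_REQUIRED + ("admin-p11-apf",))
    if has_epf and not _set(props, "admin-epf-password"):
        findings.append("admin-epf-password is mandatory when an EPF is used")
    if _set(props, "admin-epf") and _set(props, "admin-epf-data"):
        findings.append("note: admin-epf-data takes preference over admin-epf")
    if has_p11:
        for key in P11_REQUIRED:
            if not _set(props, key):
                findings.append(f"{key} is mandatory when a PKCS#11 HSM is used")
    if not (has_epf or has_p11):   # assumption: one profile source is needed
        findings.append("no administrator EPF or PKCS#11 settings configured")
    # Directory connection: an LDAP or LDAPS port, valid port numbers, and
    # exactly one PEM certificate in each of ldap-ca-cert / ldap-cert.
    if not (_set(props, "ldap-port") or _set(props, "ldaps-port")):
        findings.append("configure ldap-port (LDAP) or ldaps-port (LDAPS)")
    for key in PORT_KEYS:
        if _set(props, key):
            value = str(props[key])
            if not (value.isdigit() and 1 <= int(value) <= 65535):
                findings.append(f"{key} must be a port number between 1 and 65535")
    for key in PEM_KEYS:
        if _set(props, key) and str(props[key]).count("-----BEGIN CERTIFICATE-----") != 1:
            findings.append(f"{key} must contain exactly one PEM certificate")
    if _set(props, "ldap-cert") and not _set(props, "ldap-ca-cert"):
        findings.append("ldap-cert requires ldap-ca-cert (the root CA)")
    # Directory credentials belong in secure storage, not in the file.
    for key in SECRET_KEYS:
        if _set(props, key) and not str(props[key]).startswith(SECRET_REF_PREFIX):
            findings.append(f"{key} appears to be stored in plaintext")
    # oid.<oidName> values must be dotted-decimal OIDs.
    for key, value in props.items():
        if key.startswith("oid.") and not OID_RE.match(str(value)):
            findings.append(f"{key} is not a dotted-decimal OID")
    # XAP connection pool (assumed init <= max) and debug logging.
    if int(props.get("xap-connections-init", 20)) > int(props.get("xap-connections-max", 20)):
        findings.append("xap-connections-init exceeds xap-connections-max")
    if _truthy(props.get("xap-debug", False)):
        for key in ("xap-debug-level", "xap-debug-log-file"):
            if not _set(props, key):
                findings.append(f"{key} is mandatory when xap-debug is true")
    return findings


# Constructed sample (not a real deployment): LDAPS to the CA directory,
# administrator EPF supplied as Base64, credentials referenced from Vault.
PEM_PLACEHOLDER = "-----BEGIN CERTIFICATE-----\nMIIB...placeholder...\n-----END CERTIFICATE-----\n"
GOOD_PROPS = {
    "admin-epf-data": "BASE64-EPF-PLACEHOLDER",
    "admin-epf-password": "vault:cagw/admin-epf-password",
    "sm-host": "ca.example.internal", "pkix-port": 829, "xap-port": 710,
    "ldap-host": "dir.example.internal", "ldaps-port": 636,
    "ldap-ca-cert": PEM_PLACEHOLDER,
    "ldap-principal": "vault:cagw/ldap-principal",
    "ldap-credential": "vault:cagw/ldap-credential",
    "oid.jurisdictionOfIncorporationLocalityName": "1.3.6.1.4.1.311.60.2.1.1",
}
# Constructed sample with several mistakes the checker should report.
BAD_PROPS = {
    "admin-epf": "/etc/cagw/admin.epf",
    "sm-host": "ca.example.internal", "pkix-port": 829, "xap-port": 710,
    "ldap-host": "dir.example.internal",
    "ldap-principal": "cn=cagw,o=example", "ldap-credential": "hunter2",
    "ldap-cert": PEM_PLACEHOLDER,
    "oid.myAttr": "not-an-oid",
    "xap-connections-init": 50, "xap-connections-max": 20,
    "xap-debug": "true",
}

if __name__ == "__main__":
    for name, props in (("good", GOOD_PROPS), ("bad", BAD_PROPS)):
        print(name, check_entrust_properties(props) or "no findings")
```

Run it once against the real properties mapping before restarting CA Gateway; the plaintext-credential check in particular is the one most worth keeping in a CI step, since ldap-credential and ldap-principal are the two values the page says should never sit directly in the configuration file.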