Under profiles.<profile>, add a properties section with the following Microsoft CA-specific settings.
- cert-template
- enrollment-agent-p12
- enrollment-agent-p12-password
- key-client-generated
- ra-enroll-key-alias
- ra-enroll-key-password
- ra-enroll-key-store
- ra-enroll-key-store-password
- ra-enroll-key-store-provider
- ra-enroll-key-store-provider-config
- ra-enroll-key-store-type
  - Supported file types
  - Supported PKCS#11 types
CA Gateway logs a warning message when the profile definition does not meet the syntax described in the following sections.
cert-template
The Microsoft certificate template name. The name must not contain spaces.
Mandatory: Yes.
enrollment-agent-p12
The filename of the PKCS#12 generated when creating RA enrollment agent credentials in a Key Store file.
Mandatory: Only when creating RA enrollment agent credentials in a Key Store file.
enrollment-agent-p12-password
The password of the PKCS#12 generated when creating RA enrollment agent credentials in a Key Store file.
Mandatory: Only when creating RA enrollment agent credentials in a Key Store file.
key-client-generated
The client key generation mode.
| Value | Key generation mode |
|---|---|
| true | The client generates the key and provides a CSR for CA Gateway to return an X.509 certificate. |
| false | CA Gateway returns a PKCS#12 containing the client's key and certificate. |

Mandatory: No. This optional parameter defaults to true.
ra-enroll-key-alias
The alias for accessing the enrollment agent's key in either:
- A key store file.
- An HSM slot. In this case, you can usually omit this value because most HSMs do not protect the slot objects with an additional password.
Mandatory: Yes.
ra-enroll-key-password
The password for accessing the enrollment agent's key in either:
- A key store file.
- An HSM slot. In this case, you can usually omit this value because most HSMs do not protect the slot objects with an additional password.
Mandatory: Yes.
ra-enroll-key-store
The path of the file generated when creating RA enrollment agent credentials in a Key Store file. Supported extensions for this file are:
- p12
- pfx
- kks
- jceks
Mandatory: Yes.
ra-enroll-key-store-password
The password of the key store containing the enrollment agent credential, where the key store is either:
- A key store file.
- An HSM slot.
We recommend creating the enrollment agent credentials in a PKCS#11 HSM.
Mandatory: Yes.
ra-enroll-key-store-provider
The security provider of the key store. When creating RA enrollment agent credentials in a Key Store file, supported values are the following.

| Value | Security provider |
|---|---|
| SunJSSE | PKCS#12 and PFX |
| SUN | JKS |
| SunJCE | JCEKS |

When creating RA enrollment agent credentials in a PKCS#11 HSM, supported values are the following.

| Value | Security provider |
|---|---|
| SunPKCS11 | nCipher |
| LunaProvider | Luna |
CA Gateway tries loading the key store with any available security provider when this value is omitted or incorrect.
Mandatory: Yes.
ra-enroll-key-store-provider-config
The path of the SunPKCS11 configuration file described in the Thales Luna integration guide.
Mandatory: Yes.
ra-enroll-key-store-type
The type of key store.
Mandatory: Yes.
Supported file types
When creating the RA enrollment agent credentials in a Key Store file, supported values are:
- pkcs12
- Pfx
- Jks
- jceks
Supported PKCS#11 types
When creating RA enrollment agent credentials in a PKCS#11 HSM, the supported value is pkcs11.
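As an added example that is not part of the CA Gateway documentation, two profiles wired with the properties above: one keeping the enrollment agent credential in a PKCS#12 key store file, and one using the recommended PKCS#11 HSM. The YAML layout under profiles.<profile>.properties, the profile names, the file paths and the angle-bracket secret placeholders are assumptions; the property names and the type/provider pairings come from this page.

```yaml
profiles:
  # Profile 1 (assumed name): enrollment agent credential in a Key Store file.
  msca-file-store:
    properties:
      cert-template: WebServer                         # Microsoft template name, no spaces
      key-client-generated: true                       # client sends a CSR; no PKCS#12 is returned
      enrollment-agent-p12: /etc/cagw/ra-enroll.p12    # assumed path: PKCS#12 written when the credential is created
      enrollment-agent-p12-password: <enrollment-agent-p12-password>   # placeholder
      ra-enroll-key-store: /etc/cagw/ra-enroll.p12     # assumed path; extension p12 is one of p12/pfx/kks/jceks
      ra-enroll-key-store-type: pkcs12                 # file type matching the .p12 store
      ra-enroll-key-store-provider: SunJSSE            # provider for PKCS#12 and PFX stores
      ra-enroll-key-store-password: <ra-enroll-key-store-password>     # placeholder
      ra-enroll-key-alias: ra-enroll                   # alias of the agent key inside the file
      ra-enroll-key-password: <ra-enroll-key-password> # placeholder

  # Profile 2 (assumed name): credential held in a PKCS#11 HSM, as recommended above.
  msca-hsm:
    properties:
      cert-template: WebServer
      key-client-generated: true
      ra-enroll-key-store-type: pkcs11                 # the only supported PKCS#11 type
      ra-enroll-key-store-provider: LunaProvider       # Luna HSM; use SunPKCS11 for nCipher
      ra-enroll-key-store-provider-config: /etc/cagw/luna-pkcs11.cfg   # assumed path of the SunPKCS11 config
      ra-enroll-key-store-password: <hsm-slot-password>                # placeholder: the HSM slot password
      ra-enroll-key-alias: ra-enroll                   # label of the agent key in the slot
      # ra-enroll-key-password is omitted: most HSMs do not protect slot objects with an additional password.
      # ra-enroll-key-store is defined above as a Key Store file path; confirm with the product guide what to set for an HSM slot.
```

Keep the placeholder secrets out of version control; the page states that an omitted or incorrect ra-enroll-key-store-provider only triggers a fallback to any available provider, so a mismatch between type and provider may surface only as a warning in the CA Gateway log.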