Under properties, configure the following Microsoft CA-specific settings.

ca-host

The CA hostname, as either:

  • An IP address
  • A hostname
  • An FQDN

Any of these is acceptable as long as it resolves in DNS.

Mandatory: Yes.

ca-name

The CA name – for example:

abc-issuing

Mandatory: Yes.

ca-proxy-url

The URL of the Entrust Proxy for Microsoft CA, in the following format:

https://<server>:8443/MSCAProxy

Mandatory: Yes.

key-recovery-agent-p12-<i>

The path of the PKCS#12 file generated when creating the key recovery agents (if any), where <i> is an integer greater than or equal to 0 that identifies the agent and must match the <i> of the corresponding key-recovery-agent-p12-password-<i> setting.

Mandatory: Only when key recovery agents are configured.

key-recovery-agent-p12-password-<i>

The password protecting the PKCS#12 file referenced by key-recovery-agent-p12-<i>.

Mandatory: Only when key recovery agents are configured.

ldap-host

The Microsoft Active Directory server, as an IP address, a hostname, or an FQDN (as long as it resolves in DNS). The host must be in the same domain as ca-host because:

  • CA Gateway only talks to the Entrust Proxy for Microsoft CA.
  • The Entrust Proxy for Microsoft CA runs in the same domain as the CA and is the component that talks to the CA (and to Active Directory).

For example:

ca-host: msca.abccorp.dev.entrust.com
ca-name: abccorpsub
ldap-port: 389
ldap-host: dc.abccorp.dev.entrust.com

Mandatory: Yes.

ldap-port

The port number for plain LDAP connections to Microsoft Active Directory (for LDAPS connections, configure ldaps-port instead).

The Microsoft CA proxy binds to this port anonymously and reads certificate template information from Active Directory, so the directory must accept that anonymous bind. Over plain LDAP this traffic is unencrypted; prefer ldaps-port where the domain controllers offer LDAPS.

This value is typically 389, the well-known port for LDAP.

Mandatory: When not configuring ldaps-port.

ldaps-port

The port number for LDAPS connections to Microsoft Active Directory (for plain LDAP connections, configure ldap-port instead).

The Microsoft CA proxy binds to this port anonymously and reads certificate template information from Active Directory, so the directory must accept that anonymous bind. Because the session is TLS-protected, the directory's server certificate must be trusted by the Microsoft CA proxy host.

This value is typically 636, the well-known port for LDAPS.

Mandatory: When not configuring ldap-port.

proxy-host-name

The hostname of the proxy for accessing the CA server.

The proxy configured using this parameter is part of your corporate infrastructure; it is not an Entrust product. 

Mandatory: Only when traffic to the CA server passes through a proxy. 

proxy-password

The password for authenticating to the proxy configured with proxy-host-name.

Mandatory: Only when the proxy requires authentication. 

proxy-port

The port for accessing the proxy.

Mandatory: Only when traffic to the CA server passes through a proxy.

proxy-ssl

Under this section, configure the authentication settings for the TLS connection: the client certificate CA Gateway presents and the trust store it uses to validate the peer. All of the following parameters are mandatory.

client-cert-key-alias

The alias of the CA Gateway client key in the client key store.

Mandatory: Yes.

client-cert-key-store

The filename of the CA Gateway client JKS (the key store holding the client certificate and its private key).

Mandatory: Yes.

client-cert-key-store-password

The password of the CA Gateway client JKS.

Mandatory: Yes.

client-cert-key-store-type

Set this parameter to JKS.

Mandatory: Yes.

ssl-trust-store

The path of the CA Gateway trust store (see Configuring CA Gateway for how to reference file paths).

Mandatory: Yes.

ssl-trust-store-password

The password of the CA Gateway trust store.

Mandatory: Yes.

ssl-trust-store-type

The type of the CA Gateway trust store. Supported values are JKS and PKCS12.

Mandatory: Yes.

proxy-username

The username for authenticating to the proxy configured with proxy-host-name.

Mandatory: Only when the proxy requires authentication.
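The constraints listed above (the mandatory keys, ldap-port versus ldaps-port, ldap-host sharing the ca-host domain, paired key-recovery-agent-p12-<i> and key-recovery-agent-p12-password-<i> entries, proxy credentials only alongside a proxy, and the accepted proxy-ssl store types) can be checked before CA Gateway is started. The following Python preflight validator is an added example written for this page; it is not part of CA Gateway or any Entrust tool. The sample block reuses the ca-host, ca-name and ldap-host values from the example above; every other value (file paths, the alias, the placeholder passwords, the 8443 port in ca-proxy-url) is assumed. It takes the properties block as a Python dict, i.e. the parsed form of the configuration, and its reading of "exactly one of ldap-port/ldaps-port", of "same domain" as "everything after the first DNS label matches", and of consecutively numbered agents from 0 is this editor's interpretation of the text, not a documented rule.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample "properties" block. ca-host, ca-name and ldap-host come from
# the page's own example; every other value is an illustrative placeholder.
SAMPLE_PROPERTIES = {
    "ca-host": "msca.abccorp.dev.entrust.com",
    "ca-name": "abccorpsub",
    "ca-proxy-url": "https://msca.abccorp.dev.entrust.com:8443/MSCAProxy",
    "ldap-host": "dc.abccorp.dev.entrust.com",
    "ldaps-port": 636,
    "key-recovery-agent-p12-0": "/opt/cagw/config/kra-0.p12",            # assumed path
    "key-recovery-agent-p12-password-0": "kra0-placeholder",             # placeholder
    "proxy-ssl": {
        "client-cert-key-alias": "cagw-client",                          # assumed alias
        "client-cert-key-store": "cagw-client.jks",                      # assumed file
        "client-cert-key-store-password": "keystore-placeholder",        # placeholder
        "client-cert-key-store-type": "JKS",
        "ssl-trust-store": "/opt/cagw/config/cagw-trust.p12",            # assumed path
        "ssl-trust-store-password": "truststore-placeholder",            # placeholder
        "ssl-trust-store-type": "PKCS12",
    },
}

MANDATORY = ("ca-host", "ca-name", "ca-proxy-url", "ldap-host")
PROXY_SSL_MANDATORY = (
    "client-cert-key-alias", "client-cert-key-store",
    "client-cert-key-store-password", "client-cert-key-store-type",
    "ssl-trust-store", "ssl-trust-store-password", "ssl-trust-store-type",
)


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _domain_of(host):
    """Everything after the first DNS label, lower-cased ('' for a bare hostname)."""
    return host.split(".", 1)[1].lower() if "." in host else ""


def _indexed(props, prefix):
    """Map each <i> to its value for keys shaped like '<prefix>-<i>'."""
    found = {}
    for key, value in props.items():
        match = re.fullmatch(re.escape(prefix) + r"-(\d+)", key)
        if match:
            found[int(match.group(1))] = value
    return found


def validate_msca_properties(props):
    """Return a list of problems; an empty list means the block is consistent."""
    errors = []
    for key in MANDATORY:
        if not props.get(key):
            errors.append(f"{key} is mandatory")

    # Documented shape: https://<server>:8443/MSCAProxy (scheme, host and path checked).
    url = urlsplit(str(props.get("ca-proxy-url", "")))
    if url.scheme != "https" or not url.hostname or url.path != "/MSCAProxy":
        errors.append("ca-proxy-url must look like https://<server>:8443/MSCAProxy")

    # ldap-port is mandatory when ldaps-port is absent and vice versa.
    if ("ldap-port" in props) == ("ldaps-port" in props):
        errors.append("configure exactly one of ldap-port and ldaps-port")

    # ldap-host must be in the ca-host domain; only comparable for dotted names.
    ca_host, ldap_host = str(props.get("ca-host", "")), str(props.get("ldap-host", ""))
    if all(h and not _is_ip(h) and "." in h for h in (ca_host, ldap_host)):
        if _domain_of(ca_host) != _domain_of(ldap_host):
            errors.append(f"ldap-host {ldap_host} is not in the ca-host domain {_domain_of(ca_host)}")

    # Key recovery agents: indices 0..n-1, each PKCS#12 paired with its password.
    p12 = _indexed(props, "key-recovery-agent-p12")
    passwords = _indexed(props, "key-recovery-agent-p12-password")
    if sorted(p12) != list(range(len(p12))):
        errors.append("key-recovery-agent-p12-<i> indices must run 0, 1, 2, ... without gaps")
    for i in sorted(set(p12) ^ set(passwords)):
        errors.append(f"key-recovery-agent-p12-{i} and key-recovery-agent-p12-password-{i} must be set together")

    # Corporate proxy: host/port together, credentials together and only with a proxy.
    if ("proxy-host-name" in props) != ("proxy-port" in props):
        errors.append("proxy-host-name and proxy-port must be set together")
    if ("proxy-username" in props) != ("proxy-password" in props):
        errors.append("proxy-username and proxy-password must be set together")
    if "proxy-username" in props and "proxy-host-name" not in props:
        errors.append("proxy credentials given but no proxy-host-name")

    ssl = props.get("proxy-ssl") or {}
    for key in PROXY_SSL_MANDATORY:
        if not ssl.get(key):
            errors.append(f"proxy-ssl.{key} is mandatory")
    if str(ssl.get("client-cert-key-store-type", "JKS")).upper() != "JKS":
        errors.append("proxy-ssl.client-cert-key-store-type must be JKS")
    if str(ssl.get("ssl-trust-store-type", "JKS")).upper() not in ("JKS", "PKCS12"):
        errors.append("proxy-ssl.ssl-trust-store-type must be JKS or PKCS12")
    return errors


if __name__ == "__main__":
    for line in validate_msca_properties(SAMPLE_PROPERTIES) or ["properties block is consistent"]:
        print(line)
```

Feeding the validator a block that sets both ldap-port and ldaps-port, points ldap-host at a different domain, or drops the password for a key recovery agent produces one message per violated rule, which is more useful than the single startup failure you would otherwise debug.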