Under properties, configure the following Sectigo CA-specific settings.
See Configuring CA Gateway for how to reference file paths.
Sectigo settings
Configure the following mandatory Sectigo settings.
Setting | Value |
---|---|
customer-uri | The customer identifier provided by Sectigo |
org-id | The organization identifier provided by Sectigo |
url | The URL of the Sectigo API |
Authentication settings
CA Gateway supports the following modes to authenticate to the Sectigo API.
- Password (recommended)
- Key store
- API key (future releases)
See below for the settings each mode requires.
Setting | Value | Password | Key store |
---|---|---|---|
login | A Sectigo login name for a user with the privileges described in Setting Sectigo permissions for API login | Required | |
login-password | The password of the selected Sectigo login name | Required | |
client-cert-key-store | The path of the client trust store described in Creating a Sectigo client key store | | Required |
client-cert-key-alias | The alias of the client key in the client trust store | | Required |
client-cert-key-store-password | The password of the client trust store | | Required |
client-cert-key-store-type | The type of client trust store. Supported values are | | Required |
SSL settings
Configure the following mandatory SSL settings to connect with the Sectigo API.
Setting | Value |
---|---|
ssl-trust-store | The path of the trust store described in Creating the Sectigo SSL credentials trust store |
ssl-trust-store-password | The password of the trust store |
ssl-truststore-type | The type of CA Gateway trust store. Supported values are |
Enrollment settings
The following settings control the enrollment requests.
Key | Value | Default |
---|---|---|
enroll-back-off-timer | The starting back-off period for certificate retrieval | 2 sec |
enroll-max-back-off-timer | The maximum back-off period before the next certificate retrieval attempt | 32 sec |
enroll-max-attempts | The maximum number of certificate retrieval attempts | 5 |
After submitting an enrollment, CA Gateway waits for the following period before each certificate retrieval attempt:
min(enroll-back-off-timer^attempt, enroll-max-back-off-timer)
where the attempt value:
- Starts at 1 on the first enrollment attempt.
- Is increased by 1 after each retrieval attempt, until reaching the enroll-max-attempts value.
CA Gateway responds with the following HTTP codes to the client enrollment requests.
Code | Description |
---|---|
HTTP 200 | The certificate has been retrieved on time |
HTTP 202 | The request has been processed, but CA Gateway has exceeded the |
HTTP 404 | Any other failure |
When receiving an HTTP 202 response, you can:
- Look up the certificate using the {caId} Certificate Authority identifier and the {dn} Distinguished Name: /v1/certificate-authorities/{caId}/subjects/{dn}
- Ascertain the serial number from the response.
- Look up the certificate using the {sn} serial number: /v1/certificate-authorities/{caId}/certificates/{sn}
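The following example is added here to illustrate the back-off formula and the HTTP 200/202 handling described above; it is not Entrust or Sectigo code. It computes the wait schedule from the three enrollment settings, simulates the retrieval loop against a constructed stand-in for the CA (the point at which the certificate becomes available is a parameter, not a real API call), and builds the follow-up lookup paths for an HTTP 202 response. The response dictionary shape and the key names certificate and serialNumber are assumptions made for the example; the API paths are the ones listed above.

```python
from urllib.parse import quote


def back_off_schedule(back_off_timer=2, max_back_off_timer=32, max_attempts=5):
    """Seconds CA Gateway waits before each retrieval attempt, per
    min(enroll-back-off-timer^attempt, enroll-max-back-off-timer),
    with attempt running from 1 to enroll-max-attempts.
    Defaults are the documented 2 sec / 32 sec / 5 attempts."""
    return [min(back_off_timer ** attempt, max_back_off_timer)
            for attempt in range(1, max_attempts + 1)]


def simulate_enrollment(issued_on_attempt, **settings):
    """Walk the retrieval loop against a constructed CA stand-in.

    issued_on_attempt: the attempt number at which the (simulated) CA has the
    certificate ready. Returns a dict mimicking the gateway reply: HTTP 200 with
    the certificate when retrieval succeeds within enroll-max-attempts, HTTP 202
    with the serial number once the attempts are exhausted. Both payload
    values are constructed placeholders (assumption about the reply shape)."""
    waited = 0
    for attempt, wait in enumerate(back_off_schedule(**settings), start=1):
        waited += wait  # back-off period before this retrieval attempt
        if attempt >= issued_on_attempt:
            return {"code": 200, "waited": waited,
                    "certificate": "-----BEGIN CERTIFICATE-----\n(constructed)\n-----END CERTIFICATE-----"}
    return {"code": 202, "waited": waited, "serialNumber": "0A1B2C3D4E5F"}


def lookup_path(ca_id, dn=None, serial=None):
    """Build the CA Gateway lookup path for a pending certificate.
    Path segments are percent-encoded so a DN containing ',' or '=' stays
    a single segment; serial lookup is preferred when a serial is known."""
    ca = quote(ca_id, safe="")
    if serial is not None:
        return f"/v1/certificate-authorities/{ca}/certificates/{quote(serial, safe='')}"
    if dn is not None:
        return f"/v1/certificate-authorities/{ca}/subjects/{quote(dn, safe='')}"
    raise ValueError("a distinguished name or a serial number is required")


def handle_enrollment_response(response, ca_id, dn):
    """Map the gateway HTTP code to a client action.
    200: certificate retrieved on time, nothing further to do.
    202: request accepted but the certificate was not retrieved in time;
         follow up with a lookup by serial number (from the response) if
         present, otherwise by the subject DN.
    Anything else (the page documents 404): treat as a failure."""
    code = response.get("code")
    if code == 200:
        return "issued", None
    if code == 202:
        serial = response.get("serialNumber")
        follow_up = lookup_path(ca_id, serial=serial) if serial else lookup_path(ca_id, dn=dn)
        return "pending", follow_up
    return "failed", None


if __name__ == "__main__":
    print("schedule with defaults:", back_off_schedule())
    fast = simulate_enrollment(issued_on_attempt=3)
    slow = simulate_enrollment(issued_on_attempt=9)
    for resp in (fast, slow):
        print(resp["code"], f"after {resp['waited']} sec ->",
              handle_enrollment_response(resp, "sectigo-ca", "CN=www.example.com,O=Example"))
```

The schedule with the default settings is 2, 4, 8, 16 and 32 seconds, so a certificate that is not ready after roughly a minute produces an HTTP 202 and the client must switch to the lookup endpoints rather than resubmitting the enrollment; raising enroll-max-attempts or enroll-max-back-off-timer lengthens that window at the cost of a longer synchronous wait per request.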
Proxy settings
Configure the following settings if traffic to the CA server passes through a proxy.
The proxy configured using these settings is part of your corporate infrastructure; it is not an Entrust product.
Setting | Value |
---|---|
proxy-host-name | The hostname of the proxy for accessing the CA server |
proxy-port | The port for accessing the proxy |
proxy-username | The username for authenticating to the proxy (if required) |
proxy-password | The password for authenticating to the proxy (if required) |