Create a certificate type for the administrator profile that CA Gateway will use to connect and perform operations with Entrust Certificate Authority.

Skip this section if you are using Post-Quantum Cryptography (PQC) algorithms: ML-DSA algorithms for signing/verification and ML-KEM algorithms for encryption/decryption. For PQC algorithms, the CA includes a predefined Admin Services User Management (3-key-pair) (ent_as_ums_3kp) certificate type that you can use for the administrator profile. This certificate type contains three certificate definitions: Encryption, Verification, and TlsVerification. The TlsVerification certificate definition policy should use an RSA-4096 algorithm for TLS client authentication.

To create a certificate type for the administrator profile

  1. Export the certificate specifications from the Entrust Certificate Authority:
    1. Log in to Entrust Certificate Authority Administration for the CA.
    2. Select File > Certificate Specifications > Export.
    3. Save the file to a location on the computer.
  2. Open the certificate specifications file in a text editor.
  3. Add the following to the [Certificate Types] section:

    ent_cagwxap_rsa1=enterprise,CAGW Admin,CA Gateway XAP Administrator

  4. Add the following to the [Extension Definitions] section:

    [ent_cagwxap_rsa1 Certificate Definitions]
    1=Dual Usage; Single key dual usage key pair Certificate Type
    [ent_cagwxap_rsa1 Dual Usage Extensions]
    keyusage=2.5.29.15,c,m,BitString,101; digitalSignature(0) and keyEncipherment(2)
    ; Encodes the entAdminServicesClients policy OID (2.16.840.1.114027.10.4)
    certificatepolicies=2.5.29.32,n,o,DER,300D300B06096086480186FA6B0A04

  5. Save and close the file.
  6. Import the certificate specifications back into the Entrust Certificate Authority:
    1. Log in to Entrust Certificate Authority Administration for the CA.
    2. Select File > Certificate Specifications > Import.
    3. Select the file you edited earlier.