Click + ECS Properties to add the following settings.

api-key

The API key for consuming the ECS CA services. See the CA Gateway guide for how to obtain this key.

Mandatory: Yes.

ca.cert

The DER and Base64 encoding of the ECS issuing CA certificate. CA Gateway returns the selected certificate when querying the following resource with $field set to ca.cert.

GET /v1/certificate-authorities

You must statically configure this setting because the ECS public API does not yet allow querying certificates from the CA.

Mandatory: Yes.

ca.certchain.<i>

The DER and Base64 encoding of the certificate in the <i> position of the ECS CA certificate chain. For example, the certificate specified with the ca.certchain.0 parameter is the certificate of the CA that issued the certificate specified with the ca.cert parameter.

CA Gateway returns the selected certificate when querying the following resource with $field set to ca.chain.

GET /v1/certificate-authorities

You must statically configure this setting because the ECS public API does not yet allow querying certificates from the CA.

Mandatory: Yes.

client-id-domains

The client identifier defined in ECS for all domain operations sent to the ECS API.

You must statically configure this setting because the ECS public API does not yet allow querying certificates from the CA.

Mandatory: No. This optional parameter defaults to 1.

ecs-url

Set this parameter to:

https://api.entrust.net/enterprise/v2

Mandatory: Yes.

enrollment-agent-p12

The SSL PKCS#12, as a file path or a Base64 encoding.

Mandatory: Yes.

enrollment-agent-p12-password

The password of the SSL PKCS#12.

Mandatory: Yes.

proxy-host-name

The hostname of the proxy for accessing the ECS CA server.

Mandatory: Only when traffic to the ECS CA server passes through a proxy. 

proxy-password

The password for authenticating in the proxy server.

Mandatory: Only when the proxy requires authentication. 

proxy-port

The port for accessing the proxy server.

Mandatory: Only when traffic to the ECS CA server passes through a proxy.

proxy-username

The username for authenticating in the proxy server.

Mandatory: Only when the proxy requires authentication.

rdn-corrections.<i>.rep

A distinguished name (DN) attribute you want to rename using the rdn-corrections.<i>.rep-with parameter. 

Specifically, some Entrust Certificate Services profiles may include legacy attribute names in the subject of the issued certificates. However, these attribute names may not be compatible with the industry-standard names used by some client applications.

| Entrust Certificate Services legacy attribute name | Industry-accepted attribute name |
| --- | --- |
| jurisdictionOfIncorporationStateOrProvinceName | jurisdictionStateOrProv |
| jurisdictionOfIncorporationCountryName | jurisdictionCountryName |

In this case, add the following lines to the CA Gateway configuration.

rdn-corrections.0.rep: jurisdictionCountryName
rdn-corrections.0.rep-with: jurisdictionOfIncorporationCountryName
rdn-corrections.1.rep: jurisdictionStateOrProvinceName
rdn-corrections.1.rep-with: jurisdictionOfIncorporationStateOrProvinceName

Before sending certificate renewal requests to Entrust Certificate Services, CA Gateway will apply this configuration and replace industry-compliant subject attributes with legacy ones.

Example of subject name with industry-compliant attribute names:

CN=test.com, serialNumber=705421, businessCategory=Private Organization, O=Entrust Corporation, jurisdictionStateOrProv=Delaware, jurisdictionCountryName=US, L=Shakopee, ST=Minnesota

Example of subject name with Entrust Certificate Services legacy attribute names:

CN=test.com, serialNumber=705421, businessCategory=Private Organization, O=Entrust Corporation, jurisdictionOfIncorporationStateOrProvinceName=Delaware, jurisdictionOfIncorporationCountryName=US, L=Shakopee, ST=Minnesota

Mandatory: Only when renewing certificates with Entrust Certificate Services.

rdn-corrections.<i>.rep-with

A new name for the distinguished name (DN) attribute you selected with the rdn-corrections.<i>.rep parameter.

Mandatory: Only when renewing certificates with Entrust Certificate Services.
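The renaming described for rdn-corrections.<i>.rep and rdn-corrections.<i>.rep-with can be previewed offline before a configuration is deployed. The following is an added illustration, not CA Gateway code: it pairs the two parameters by index, rejects an index that has only one of them, and renames attribute types in a subject name. The function names and the sample subject are assumptions made for this example.

```python
import re

# The four configuration lines shown on this page.
CONFIG = """\
rdn-corrections.0.rep: jurisdictionCountryName
rdn-corrections.0.rep-with: jurisdictionOfIncorporationCountryName
rdn-corrections.1.rep: jurisdictionStateOrProvinceName
rdn-corrections.1.rep-with: jurisdictionOfIncorporationStateOrProvinceName
"""
# Constructed sample subject (not taken from a real certificate).
SUBJECT = r"CN=test.example, O=Example\, Inc., jurisdictionStateOrProvinceName=Delaware, jurisdictionCountryName=US"

KEY = re.compile(r"^rdn-corrections\.(\d+)\.(rep|rep-with)\s*:\s*(\S+)$")

def load_corrections(text):
    """Pair rep / rep-with by index <i>; refuse an index that has only one half."""
    pairs = {}
    for line in text.splitlines():
        m = KEY.match(line.strip())
        if m:
            pairs.setdefault(int(m.group(1)), {})[m.group(2)] = m.group(3)
    incomplete = sorted(i for i, p in pairs.items() if len(p) != 2)
    if incomplete:
        raise ValueError(f"rdn-corrections missing rep or rep-with at index {incomplete}")
    return {p["rep"]: p["rep-with"] for _, p in sorted(pairs.items())}

def split_rdns(subject):
    """Split on commas, keeping backslash-escaped commas inside the value."""
    parts, cur, escaped = [], "", False
    for ch in subject:
        if ch == "," and not escaped:
            parts.append(cur.strip())
            cur = ""
            continue
        escaped = (ch == "\\") and not escaped
        cur += ch
    parts.append(cur.strip())
    return [p for p in parts if p]

def apply_corrections(subject, corrections):
    """Rename attribute types only; attribute values are never rewritten."""
    out = []
    for rdn in split_rdns(subject):
        name, sep, value = rdn.partition("=")
        out.append(corrections.get(name.strip(), name.strip()) + sep + value.strip())
    return ", ".join(out)

if __name__ == "__main__":
    print(apply_corrections(SUBJECT, load_corrections(CONFIG)))
```

An attribute that matches no rep entry passes through unchanged, so comparing the output with the input shows which rules actually took effect for a given subject.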

user-name

The API username for consuming the ECS CA services. See the CA Gateway guide for how to obtain this username.

Mandatory: Yes.