Click + ECS Properties to add the following settings.
api-key
The API key for consuming the ECS CA services. See the CA Gateway guide for how to obtain this key.
Mandatory: Yes.
ca.cert
The DER and Base64 encoding of the ECS issuing CA certificate. CA Gateway returns the selected certificate when querying the following resource with $field set to ca.cert.
GET /v1/certificate-authorities
You must statically configure this setting because the ECS public API does not yet allow querying certificates from the CA.
Mandatory: Yes.
ca.certchain.<i>
The DER and Base64 encoding of the certificate in the <i> position of the ECS CA certificate chain. For example, the certificate specified with the ca.certchain.0 parameter is the certificate of the CA that issued the certificate specified with the ca.cert parameter.
CA Gateway returns the selected certificate when querying the following resource with $field set to ca.chain.
GET /v1/certificate-authorities
You must statically configure this setting because the ECS public API does not yet allow querying certificates from the CA.
Mandatory: Yes.
client-id-domains
The client identifier defined in ECS for all domain operations sent to the ECS API.
You must statically configure this setting because the ECS public API does not yet allow querying certificates from the CA.
Mandatory: No. This optional parameter defaults to 1.
ecs-url
Set this parameter to:
https://api.entrust.net/enterprise/v2
Mandatory: Yes.
enrollment-agent-p12
The SSL PKCS#12, as a file path or a Base64 encoding.
Mandatory: Yes.
enrollment-agent-p12-password
The password of the SSL PKCS#12.
Mandatory: Yes.
proxy-host-name
The hostname of the proxy for accessing the ECS CA server.
Mandatory: Only when traffic to the ECS CA server passes through a proxy.
proxy-password
The password for authenticating to the proxy server.
Mandatory: Only when the proxy requires authentication.
proxy-port
The port for accessing the proxy server.
Mandatory: Only when traffic to the ECS CA server passes through a proxy.
proxy-username
The username for authenticating to the proxy server.
Mandatory: Only when the proxy requires authentication.
rdn-corrections.<i>.rep
A distinguished name (DN) attribute you want to rename using the rdn-corrections.<i>.rep-with parameter.
Specifically, some Entrust Certificate Services profiles may include legacy attribute names in the subject of the issued certificates. However, these attribute names may not be compatible with the industry-standard names used by some client applications.
Entrust Certificate Services legacy attribute name | Industry-accepted attribute name |
---|---|
jurisdictionOfIncorporationStateOrProvinceName | jurisdictionStateOrProv |
jurisdictionOfIncorporationCountryName | jurisdictionCountryName |
In this case, add the following lines to the CA Gateway configuration.
rdn-corrections.0.rep: jurisdictionCountryName
rdn-corrections.0.rep-with: jurisdictionOfIncorporationCountryName
rdn-corrections.1.rep: jurisdictionStateOrProvinceName
rdn-corrections.1.rep-with: jurisdictionOfIncorporationStateOrProvinceName
Before sending certificate renewal requests to Entrust Certificate Services, CA Gateway applies this configuration and replaces industry-compliant subject attributes with legacy ones. For example, the first subject below is sent as the second.
CN=test.com, serialNumber=705421, businessCategory=Private Organization, O=Entrust Corporation, jurisdictionStateOrProv=Delaware, jurisdictionCountryName=US, L=Shakopee, ST=Minnesota
CN=test.com, serialNumber=705421, businessCategory=Private Organization, O=Entrust Corporation, jurisdictionOfIncorporationStateOrProvinceName=Delaware, jurisdictionOfIncorporationCountryName=US, L=Shakopee, ST=Minnesota
Mandatory: Only when renewing certificates with Entrust Certificate Services.
rdn-corrections.<i>.rep-with
A new name for the distinguished name (DN) attribute you selected with the rdn-corrections.<i>.rep parameter.
Mandatory: Only when renewing certificates with Entrust Certificate Services.
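A pre-deployment check for the rdn-corrections pairs, added here as an example and not CA Gateway's own code: it verifies that every index has both a .rep and a .rep-with entry and previews the rename on a subject. The function names are hypothetical, and exact, case-sensitive matching of attribute names is an assumption about how the corrections are applied.

```python
import re

# Assumption: attribute names are matched exactly; illustration only.
# Configuration lines as given on this page (key: value form).
CONFIG = """\
rdn-corrections.0.rep: jurisdictionCountryName
rdn-corrections.0.rep-with: jurisdictionOfIncorporationCountryName
rdn-corrections.1.rep: jurisdictionStateOrProvinceName
rdn-corrections.1.rep-with: jurisdictionOfIncorporationStateOrProvinceName
"""
# Subject taken from this page's example.
SUBJECT = ("CN=test.com, serialNumber=705421, businessCategory=Private Organization, "
           "O=Entrust Corporation, jurisdictionStateOrProv=Delaware, "
           "jurisdictionCountryName=US, L=Shakopee, ST=Minnesota")

KEY_RE = re.compile(r"^rdn-corrections\.(\d+)\.(rep|rep-with)\s*:\s*(\S+)\s*$")

def load_corrections(text):
    """Return ({rep: rep_with}, [problems]) from rdn-corrections.<i>.* lines."""
    slots, problems = {}, []
    for line in text.splitlines():
        m = KEY_RE.match(line.strip())
        if m:
            slots.setdefault(int(m.group(1)), {})[m.group(2)] = m.group(3)
    mapping = {}
    for i in sorted(slots):
        pair = slots[i]
        if "rep" in pair and "rep-with" in pair:
            mapping[pair["rep"]] = pair["rep-with"]
        else:
            problems.append(f"index {i}: missing {'rep' if 'rep' not in pair else 'rep-with'}")
    return mapping, problems

def preview(subject, mapping):
    """Rename attribute types by exact match; return (new_subject, unused rep names)."""
    used, out = set(), []
    # Split on commas not preceded by a backslash (escaped commas stay in values).
    for rdn in re.split(r"(?<!\\),\s*", subject):
        name, _, value = rdn.partition("=")
        if name in mapping:
            used.add(name)
            name = mapping[name]
        out.append(f"{name}={value}")
    return ", ".join(out), sorted(set(mapping) - used)
```

Run on the configuration lines and the subject shown on this page, `preview` renames jurisdictionCountryName but reports jurisdictionStateOrProvinceName as unused, because the subject spells that attribute jurisdictionStateOrProv. An unused .rep name is worth resolving against the attribute names your client applications actually emit before relying on renewals.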
user-name
The API username for consuming the ECS CA services. See the CA Gateway guide for how to obtain this username.
Mandatory: Yes.