When using CA Gateway as the source of certificate information, perform the steps below so that Validation Authority can authenticate to CA Gateway.

See Backfilling for considerations on Entrust Certificate Authority sources.

Generating the CA Gateway client PKCS #12

Use your CA to generate a PKCS #12 containing:

  • A TLS client certificate for Validation Authority to authenticate to CA Gateway.
  • The private key of the certificate.

The PKCS #12 cannot contain more than one client certificate. 

To generate the PKCS #12 with Entrust Certificate Authority:

  • Select the 1-Key-Pair User (1-Key-Pair User with Dual Usage Key) certificate type to generate a PKCS #12 with a single client certificate.
  • Check the Export PKCS #12 and All exportable options so the user can export the generated PKCS #12.

See the Entrust Certificate Authority documentation for more detailed information.

Configuring the client PKCS #12 in CA Gateway

Configure the CA Gateway client PKCS #12 in CA Gateway.

To configure the client PKCS #12 in CA Gateway:

  1. Access the CA Gateway configuration page as explained in Configuring and deploying CA Gateway.
  2. Select the Server tab.
  3. Click Select Files under Trust Store and upload a PKCS #12 file containing:
    • The CA certificates already included in the previous Trust Store (if any).
    • The certificate of the CA that issued the CA Gateway client PKCS #12.
  4. Select the Clients tab.
  5. In the Subject DN settings of a client, enter the distinguished name (DN) of the CA Gateway client certificate. 
  6. Make the changes effective and redeploy CA Gateway.

Importing the CA Gateway client PKCS #12 in Validation Authority

Run the evactl import-p12 command to import the CA Gateway client PKCS #12 – for example:

$ sudo evactl import-p12 -f eva-cagw.p12
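
Before importing, the PKCS #12 can be checked against the requirements above (exactly one client certificate, with its private key), and the subject DN needed on the Clients tab can be read from it. The script below is an added example, not part of the Entrust documentation; it relies on the openssl CLI, and the function names, the P12_PASS variable and the RFC 2253 rendering of the DN are assumptions.

```shell
#!/bin/sh
# Added example: pre-import check for the CA Gateway client PKCS #12.
# Requires the openssl CLI. The PKCS #12 password is read from the
# P12_PASS environment variable rather than from the command line.

# Count client certificates, as selected by openssl's -clcerts filter.
p12_client_cert_count() {
    openssl pkcs12 -in "$1" -clcerts -nokeys -passin env:P12_PASS 2>/dev/null |
        grep -c 'BEGIN CERTIFICATE'
}

# Count private key bags from the -info listing; -noout means no key
# material is written out.
p12_key_count() {
    openssl pkcs12 -in "$1" -info -noout -passin env:P12_PASS 2>&1 |
        grep -Eci 'key ?bag'
}

# Subject DN of the client certificate (RFC 2253 rendering is an assumption).
p12_client_subject() {
    openssl pkcs12 -in "$1" -clcerts -nokeys -passin env:P12_PASS 2>/dev/null |
        openssl x509 -noout -subject -nameopt RFC2253 |
        sed 's/^subject= *//'
}

check_p12() {
    certs=$(p12_client_cert_count "$1") || certs=0
    keys=$(p12_key_count "$1") || keys=0
    if [ "$certs" -ne 1 ]; then
        echo "FAIL: expected exactly 1 client certificate, found $certs" >&2
        return 1
    fi
    if [ "$keys" -lt 1 ]; then
        echo "FAIL: no private key bag found" >&2
        return 1
    fi
    echo "OK: one client certificate with a private key"
    echo "Subject DN: $(p12_client_subject "$1")"
}

# Usage: P12_PASS=... sh check-p12.sh eva-cagw.p12
if [ "$#" -gt 0 ]; then
    check_p12 "$1"
fi
```

If CA Gateway expects the DN in a different component order or format, adjust the -nameopt value to match.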