Certificate Enrollment Gateway 2.1.2 adds the following features to the ones described in the CSP Certificate Enrollment Gateway integration report.

Certificate Enrollment Gateway 2.1.2 is not the Certificate Enrollment Gateway version included by default in Cryptographic Security Platform 1.0.0.

Support for storing Certificate Enrollment Gateway data in an external database (CEG-3311)

Previously, Certificate Enrollment Gateway used the internal database in Entrust Deployment Manager (Hibernate HSQLDB) to store data. Starting in this release, Certificate Enrollment Gateway supports storing data in an external database.

Using an external database allows Certificate Enrollment Gateway to quickly fail over to another node in a high availability cluster. Using an external database is required for the ACMEv2 and MDM protocols when deploying Certificate Enrollment Gateway in a high availability cluster.

The following databases are supported:

  • Microsoft SQL Server
  • PostgreSQL

Note

You can switch databases after Certificate Enrollment Gateway is deployed. However, data already stored in one database will not be transferred to the other database when you switch databases.

For information about deploying an external database for Certificate Enrollment Gateway, see the Certificate Enrollment Gateway Deployment Guide.

You can configure Certificate Enrollment Gateway using the Deployment Manager Console. New database configuration settings have been added to the General tab. These settings configure connections to the database. For information about these new settings, see the Certificate Enrollment Gateway Deployment Guide.

Support for External Account Binding with ACMEv2 (CEG-2468, CEG-2247, CEG-972)

This release adds support for External Account Binding with ACMEv2 enrollment. External Account Binding is supported only when Certificate Enrollment Gateway is using an external database for storing data. A new ACMEv2 setting, Enable External Account Binding (Requires External Database), controls whether External Account Binding is enabled.

If External Account Binding is enabled, all ACMEv2 clients must use External Account Binding credentials. Each External Account Binding credential is assigned its own unique ACMEv2 URL. All ACMEv2 clients must enroll using an External Account Binding URL; the default ACMEv2 enrollment URL will not work when External Account Binding is enabled.

To support External Account Binding, this release introduces the EAB Utility. This utility allows you to add and manage External Account Binding credentials for ACMEv2 enrollment. The EAB Utility is available as a separate download package on Entrust TrustedCare.
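To make the binding concrete, the following is an added Python example (not Entrust code and not taken from the EAB Utility) that builds and verifies the externalAccountBinding object an ACMEv2 client sends in its newAccount request, as RFC 8555 section 7.3.4 defines it. The kid, HMAC key, account JWK and per-credential URLs are constructed placeholders; in a real deployment the credential values come from the EAB Utility. The verifier models the behaviour described above: a binding is accepted only for a known credential, only at that credential's own URL, and only when it covers the same account key that signs the outer request. It does not verify the outer newAccount JWS signature, which the server must still do separately.

```python
"""External Account Binding (EAB) for ACMEv2 newAccount, RFC 8555 section 7.3.4.

Added illustration, not Entrust code. Every key, kid and URL below is a
constructed placeholder standing in for values the EAB Utility would issue.
"""
import base64
import hashlib
import hmac
import json
import secrets


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# Constructed credential store: kid -> HMAC key plus the per-credential
# newAccount URL that the gateway assigns to that credential.
EAB_CREDENTIALS = {
    "eab-kid-0001": {
        "hmac_key": secrets.token_bytes(32),
        "new_account_url": "https://ceg.example.test/acme/eab-kid-0001/new-account",
    }
}

# Constructed account JWK: the coordinates are placeholder bytes, not a real point.
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256",
               "x": b64url(bytes(range(32))), "y": b64url(bytes(range(32, 64)))}


def build_eab(kid: str, hmac_key: bytes, account_jwk: dict, new_account_url: str) -> dict:
    """Client side: bind the ACME account public key to the external account.

    The EAB is a JWS MAC-signed with the shared key (HS256). Its protected
    header carries the kid and the newAccount URL; its payload is the account
    JWK; it deliberately has no nonce.
    """
    protected = b64url(json.dumps({"alg": "HS256", "kid": kid, "url": new_account_url},
                                  separators=(",", ":")).encode())
    payload = b64url(json.dumps(account_jwk, separators=(",", ":"), sort_keys=True).encode())
    signing_input = f"{protected}.{payload}".encode("ascii")
    signature = hmac.new(hmac_key, signing_input, hashlib.sha256).digest()
    return {"protected": protected, "payload": payload, "signature": b64url(signature)}


def verify_eab(eab: dict, outer_jwk: dict, request_url: str) -> bool:
    """Server side: accept the binding only if every check passes.

    Returns False rather than raising so the caller can answer with an ACME
    problem document (for example externalAccountRequired or malformed).
    """
    try:
        header = json.loads(b64url_decode(eab["protected"]))
        payload = json.loads(b64url_decode(eab["payload"]))
        signature = b64url_decode(eab["signature"])
    except (KeyError, ValueError, TypeError):
        return False
    # EAB must use a MAC algorithm; refuse anything else (including "none").
    if header.get("alg") != "HS256":
        return False
    cred = EAB_CREDENTIALS.get(header.get("kid"))
    if cred is None:
        return False
    # The binding is tied to the credential's own URL; the default URL is refused.
    if header.get("url") != request_url or cred["new_account_url"] != request_url:
        return False
    signing_input = f"{eab['protected']}.{eab['payload']}".encode("ascii")
    expected = hmac.new(cred["hmac_key"], signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False
    # The bound key must be the key in the outer newAccount JWS "jwk" header.
    return payload == outer_jwk


def demo() -> tuple:
    """Run the four cases a verifier must distinguish; returns their outcomes."""
    kid = "eab-kid-0001"
    cred = EAB_CREDENTIALS[kid]
    url = cred["new_account_url"]
    eab = build_eab(kid, cred["hmac_key"], ACCOUNT_JWK, url)
    ok = verify_eab(eab, ACCOUNT_JWK, url)
    # Same binding presented with a different outer account key: mismatch.
    other_jwk = dict(ACCOUNT_JWK, x=b64url(bytes(32)))
    mismatched_key = verify_eab(eab, other_jwk, url)
    # Same binding presented at the default (non-EAB) enrollment URL: refused.
    wrong_url = verify_eab(eab, ACCOUNT_JWK, "https://ceg.example.test/acme/new-account")
    # Binding made with an unknown kid and the wrong key: refused.
    unknown = build_eab("eab-kid-9999", b"constructed-wrong-key", ACCOUNT_JWK, url)
    unknown_kid = verify_eab(unknown, ACCOUNT_JWK, url)
    return ok, mismatched_key, wrong_url, unknown_kid


if __name__ == "__main__":
    print(demo())  # expected: (True, False, False, False)
```

The order of checks matters for operations: algorithm and kid are validated before the MAC is computed, so an unknown credential never causes a MAC computation with a missing key, and the constant-time comparison avoids leaking partial matches through timing. Pairing each credential with its own URL is what lets the gateway refuse the default enrollment URL outright when External Account Binding is enabled.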

Ability to bypass a proxy for some traffic (CEG-3372, CEG-3336)

By default, when an Entrust Deployment Manager or Cryptographic Security Platform cluster is configured to route traffic through a proxy, Certificate Enrollment Gateway routes all traffic through the proxy. When routing all traffic through a proxy, Certificate Enrollment Gateway may not be able to route back to an on-premises CA Gateway, or reach some external authentication providers such as Microsoft Intune servers.

Starting in this release, you can configure Certificate Enrollment Gateway to bypass the proxy for some traffic. To support this feature, the following configuration settings have been introduced:

  • The general setting Bypass Global Proxy for CAGW/PKIaaS Traffic controls whether to bypass the proxy for all outgoing traffic to CA Gateway or Entrust PKI as a Service.
  • The ACMEv2 setting Bypass Global Proxy for HTTP ACME Traffic controls whether to bypass the proxy for all outgoing HTTP traffic to ACMEv2 endpoints.
  • The Intune setting Bypass Global Proxy for Intune Traffic controls whether to bypass the proxy for all outgoing HTTP traffic to Microsoft Intune servers.

These settings apply only when the Entrust Deployment Manager or Cryptographic Security Platform cluster has been configured to use a proxy. For more information about these settings, see the Certificate Enrollment Gateway Deployment Guide.