In CA Gateway, you must create profiles for each Managed CA that will issue certificates for WSTEP enrollment. Each profile must issue one of the WSTEP certificate types you added earlier to the Managed CA.

When adding these profiles to CA Gateway:

  • The values for the Certificate Type and Certificate Definition settings must match the values specified in the Managed CA.
  • The LDAP entry creation mode setting must be false.
  • The value for LDAP directory mode must be NO_OP.
  • The Subject Builder Requirements settings are supported when the Subject Builder Configuration settings are used.
  • The Subject Builder Configuration settings are supported when Certificate Enrollment Gateway has mapped a Windows certificate template to the Profile ID.
    WSTEP requests to Certificate Enrollment Gateway will include Windows certificate template information. When configuring Certificate Enrollment Gateway, the WSTEP configuration setting Certificate Templates can map Windows certificate templates to Profile IDs in CA Gateway (see WSTEP).

    • If the certificate template is not mapped to a Profile ID, the Subject Builder Configuration settings are ignored.
    • If the certificate template is mapped to the Profile ID and the Subject Builder Configuration settings are configured:
    • If the certificate template is mapped to the Profile ID and the Subject Builder Configuration settings are not configured:
      • For machines, the subject of the issued certificate will be either CN=<Common Name> or CN=<DNS name>.
      • For users, the subject of the issued certificate will be CN=<Common Name>.