For all SCEP-related protocols (SCEP, MDM-SCEP, and Intune-SCEP), Certificate Enrollment Gateway uses RA certificates to sign and encrypt SCEP PKI messages. In Entrust CA Gateway, for each Managed CA that will issue certificates for all SCEP-related protocols, you must create a profile for issuing RA certificates.

All profiles used for RA certificates must allow for Dual Usage (both Digital Signature and Key Encipherment). It is recommended that you use a Dual Usage certificate type that you created earlier for a SCEP-related protocol. For example, for the SCEP and Intune-SCEP protocols, you can use the SCEP Signing and Encryption (ent_scep_sig_enc) certificate type you created earlier (see Adding certificate types to Entrust Certificate Authority for SCEP and Intune-SCEP enrollment).

When adding a profile to CA Gateway for issuing RA certificates:

  • The Subject Variable Requirements settings are not supported.
  • The Subject Builder Configuration settings are not supported.
  • The values for the Certificate Type and Certificate Definition settings must match the values specified in the Managed CA.
  • The LDAP entry creation mode setting must be false.
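
To confirm that an RA certificate issued from such a profile really carries the Dual Usage described above, you can inspect its X.509 keyUsage extension. The following is an added example, not Entrust code: it assumes Dual Usage corresponds to the `digitalSignature` and `keyEncipherment` keyUsage bits, and the helper names and the `sample_cert` skeleton are constructed for illustration.

```python
# Added example: parse an RA certificate (DER) and check its keyUsage bits.
KEY_USAGE_OID = bytes.fromhex("551d0f")  # 2.5.29.15 (id-ce-keyUsage)
REQUIRED = {"digitalSignature", "keyEncipherment"}  # "Dual Usage" per the page
BIT_NAMES = ["digitalSignature", "nonRepudiation", "keyEncipherment",
             "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
             "encipherOnly", "decipherOnly"]

def tlvs(buf):
    """Yield (tag, value) for each DER element laid end to end in buf."""
    pos = 0
    while pos < len(buf):
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:  # long-form length: low 7 bits give the byte count
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        if pos + length > len(buf):
            raise ValueError("truncated DER")
        yield tag, buf[pos:pos + length]
        pos += length

def key_usages(cert_der):
    """Return the set of keyUsage names a DER certificate asserts."""
    _, cert = next(tlvs(cert_der))  # Certificate SEQUENCE
    _, tbs = next(tlvs(cert))  # tbsCertificate SEQUENCE
    for tag, field in tlvs(tbs):
        if tag != 0xA3:  # extensions are tagged [3] EXPLICIT
            continue
        _, ext_list = next(tlvs(field))
        for _, ext in tlvs(ext_list):
            parts = list(tlvs(ext))  # OID, optional critical flag, OCTET STRING
            if parts[0][1] != KEY_USAGE_OID:
                continue
            _, bits = next(tlvs(parts[-1][1]))  # BIT STRING inside extnValue
            total = len(bits[1:]) * 8 - bits[0]  # bits[0] = unused-bit count
            return {BIT_NAMES[i] for i in range(min(total, 9))
                    if bits[1 + i // 8] & (0x80 >> (i % 8))}
    return set()

def is_dual_usage(cert_der):
    """True only if both Digital Signature and Key Encipherment are set."""
    return REQUIRED <= key_usages(cert_der)

def _tlv(tag, value):
    return bytes([tag, len(value)]) + value  # short-form length only

def sample_cert(ku_byte, unused):
    """Constructed skeleton holding only an extensions field, not a real cert."""
    ku = _tlv(0x30, _tlv(0x06, KEY_USAGE_OID) + _tlv(0x01, b"\xff")
              + _tlv(0x04, _tlv(0x03, bytes([unused, ku_byte]))))
    return _tlv(0x30, _tlv(0x30, _tlv(0xA3, _tlv(0x30, ku))))
```

For a real RA certificate, pass its DER bytes to `is_dual_usage`; a PEM file can be converted first with `ssl.PEM_cert_to_DER_cert` from the Python standard library.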