When deploying or redeploying Certificate Enrollment Gateway, CSP 1.0.0 displays a list of local test commands and the enrollment URLs for Certificate Enrollment Gateway.

ACMEv2 enrollment URL

ACMEv2 clients must use the following URL to communicate with Certificate Enrollment Gateway:

https://<CEG-server>/acme/<tenant-ID>/<CA-ID>/<profile-ID>/directory

Where:

  • <CEG-server> is the hostname or IP address of the Certificate Enrollment Gateway server.
  • <tenant-ID> is the unique identifier of a tenant defined in Certificate Enrollment Gateway. The value is case-sensitive.
  • <CA-ID> is the CA ID of the Certificate Authority (CA) defined in CA Gateway that will issue certificates to the ACMEv2 endpoint.
  • <profile-ID> is the profile ID defined in CA Gateway that defines the certificate type issued to the ACMEv2 client. For Entrust PKI as a Service, the profile ID is one of the following:
    • privatessl-tls-client-server
    • privatessl-tls-server
    • privatessl-tls-client

For example:

https://cegserver.example.com/acme/tenant1/example_ca1/privatessl_tls_client/directory

Intune-SCEP enrollment URL

Microsoft Intune must be configured to use one of the following URLs to communicate with Certificate Enrollment Gateway.

The Intune-SCEP enrollment URL requires the trailing forward slash (/). To support macOS (Apple) devices, the URL must start with http instead of https:

http://<CEG-server>/scep/<tenant-ID>/<CA-ID>/<profile-ID>/intune/
https://<CEG-server>/scep/<tenant-ID>/<CA-ID>/<profile-ID>/intune/

Where:

  • <CEG-server> is the hostname or IP address of the Certificate Enrollment Gateway server.
  • <tenant-ID> is the unique identifier of a tenant defined in Certificate Enrollment Gateway. The value is case-sensitive.
  • <CA-ID> is the CA ID of the Certificate Authority (CA) defined in CA Gateway that will issue certificates to the SCEP client.
  • <profile-ID> is the profile ID defined in CA Gateway that defines the certificate type issued to the SCEP client. For Entrust PKI as a Service, the profile ID is one of the following:
    • intune-digital-signature-key-encipherment
    • intune-digital-signature
    • intune-key-encipherment
    • intune-non-repudiation

For example:

http://cegserver.example.com/scep/tenant1/example_ca1/intune-digital-signature-key-encipherment/intune/
https://cegserver.example.com/scep/tenant1/example_ca1/intune-digital-signature-key-encipherment/intune/

MDM-SCEP enrollment URL

MDM-SCEP clients must use one of the following URLs to communicate with Certificate Enrollment Gateway.

To support macOS (Apple) devices, the URL must start with http instead of https:

http://<CEG-server>/scep/<tenant-ID>/<digitalid-config>/mdm
https://<CEG-server>/scep/<tenant-ID>/<digitalid-config>/mdm

Where:

  • <CEG-server> is the hostname or IP address of the Certificate Enrollment Gateway server.
  • <tenant-ID> is the unique identifier of a tenant defined in Certificate Enrollment Gateway. The value is case-sensitive.
  • <digitalid-config> is a digital ID configuration defined in the CEG Service.

For example:

http://cegserver.example.com/scep/tenant1/digitalid-config1/mdm
https://cegserver.example.com/scep/tenant1/digitalid-config1/mdm

MDMWS enrollment URL

Mobile Device Management products must use the following URL to communicate with Certificate Enrollment Gateway:

https://<CEG-server>/mdm/services/<tenant-ID>

Where:

  • <CEG-server> is the hostname or IP address of the Certificate Enrollment Gateway server.
  • <tenant-ID> is the unique identifier of a tenant defined in Certificate Enrollment Gateway. The value is case-sensitive.

For example:

https://cegserver.example.com/mdm/services/tenant1

SCEP enrollment URL

SCEP clients must use one of the following URLs to communicate with Certificate Enrollment Gateway.

The SCEP enrollment URL requires the trailing forward slash (/). To support macOS (Apple) devices, the URL must start with http instead of https:

http://<CEG-server>/scep/<tenant-ID>/<CA-ID>/<profile-ID>/
https://<CEG-server>/scep/<tenant-ID>/<CA-ID>/<profile-ID>/

Where:

  • <CEG-server> is the hostname or IP address of the Certificate Enrollment Gateway server.
  • <tenant-ID> is the unique identifier of a tenant defined in Certificate Enrollment Gateway. The value is case-sensitive.
  • <CA-ID> is the CA ID of the Certificate Authority (CA) defined in CA Gateway that will issue certificates to the SCEP client.
  • <profile-ID> is the profile ID defined in CA Gateway that defines the certificate type issued to the SCEP client. For Entrust PKI as a Service, the profile ID is one of the following:
    • scep-digital-signature-key-encipherment
    • scep-digital-signature
    • scep-key-encipherment
    • scep-non-repudiation

For example:

http://cegserver.example.com/scep/tenant1/example_ca1/scep-digital-signature/
https://cegserver.example.com/scep/tenant1/example_ca1/scep-digital-signature/

Some SCEP clients will append an additional parameter to all SCEP URLs. For these clients, you must append nop/ to the SCEP URL. For example:

http://cegserver.example.com/scep/tenant1/example_ca1/scep-digital-signature/nop/
https://cegserver.example.com/scep/tenant1/example_ca1/scep-digital-signature/nop/

WSTEP enrollment URL

For WSTEP enrollment, the enrollment service in Active Directory must use the following URL to communicate with Certificate Enrollment Gateway:

https://<CEG-server>:443/wstep/<auth>/services/<tenant-ID>/<CA-ID>

Where:

  • <CEG-server> is the hostname or IP address of the Certificate Enrollment Gateway server.
  • <auth> is the authentication method, either usertoken for user name and password authentication or kerberos for Kerberos (Windows integrated) authentication.
  • <tenant-ID> is the unique identifier of a tenant defined in Certificate Enrollment Gateway. The value is case-sensitive.
  • <CA-ID> is the CA ID of the Certificate Authority (CA) defined in CA Gateway that will issue certificates to the Windows endpoint.

For example, when authenticating with a user name and password:

https://cegserver1.example.com:443/wstep/usertoken/services/tenant1/example-ca1

For example, when authenticating with Kerberos:

https://cegserver1.example.com:443/wstep/kerberos/services/tenant1/example-ca1
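The URL templates above share a few easy-to-miss constraints: the trailing slash on SCEP and Intune-SCEP URLs, the optional nop/ suffix, the http form for Apple devices, the explicit :443 port and usertoken/kerberos choice for WSTEP, the case-sensitive tenant ID, and the fixed set of PKI as a Service profile IDs. The following checker, written for this page as an added example (it is not Entrust code and not part of CEG), classifies a configured enrollment URL against every template in this section and reports deviations before a client is pointed at it. Only the templates, profile IDs and auth methods come from the page; the function name, its keyword options and its return shape are this example's own assumptions.

```python
"""Sanity-check Certificate Enrollment Gateway (CEG) enrollment URLs against the
templates documented on this page.  Added example, not code from Entrust or CEG:
the URL templates, profile IDs and WSTEP auth methods come from the page, the
function and its return shape are assumptions of this example."""
from urllib.parse import urlsplit

# Profile IDs the page lists for Entrust PKI as a Service, by endpoint family.
PKIAAS_PROFILES = {
    "acmev2": {"privatessl-tls-client-server", "privatessl-tls-server",
               "privatessl-tls-client"},
    "intune-scep": {"intune-digital-signature-key-encipherment",
                    "intune-digital-signature", "intune-key-encipherment",
                    "intune-non-repudiation"},
    "scep": {"scep-digital-signature-key-encipherment",
             "scep-digital-signature", "scep-key-encipherment",
             "scep-non-repudiation"},
}
WSTEP_AUTH_METHODS = {"usertoken", "kerberos"}


def check_ceg_url(url, *, apple_devices=False, pkiaas=False, known_tenants=None):
    """Classify a CEG enrollment URL and list deviations from the documented form.

    Returns (kind, problems).  kind is "acmev2", "intune-scep", "mdm-scep",
    "mdmws", "scep", "wstep", or None if the path matches no template;
    problems is a list of findings, empty when the URL conforms.
    """
    u = urlsplit(url)
    problems = []
    if u.scheme not in ("http", "https"):
        return None, ["scheme must be http or https, got %r" % u.scheme]
    if not u.hostname:
        return None, ["missing <CEG-server> host"]

    segs = u.path.split("/")[1:]                 # "/scep/t/ca/p/" -> [scep, t, ca, p, ""]
    trailing_slash = u.path.endswith("/")
    body = segs[:-1] if trailing_slash else segs  # path segments without the slash marker
    kind = tenant = profile = None

    if len(body) == 5 and body[0] == "acme" and body[4] == "directory":
        kind, tenant, profile = "acmev2", body[1], body[3]
        if u.scheme != "https":
            problems.append("ACMEv2 directory URL must use https")
    elif len(body) == 3 and body[:2] == ["mdm", "services"]:
        kind, tenant = "mdmws", body[2]
        if u.scheme != "https":
            problems.append("MDMWS URL must use https")
    elif len(body) == 5 and body[0] == "wstep" and body[2] == "services":
        kind, tenant = "wstep", body[3]
        if u.scheme != "https":
            problems.append("WSTEP URL must use https")
        if u.port != 443:
            problems.append("WSTEP template carries an explicit :443 port")
        if body[1] not in WSTEP_AUTH_METHODS:
            problems.append("<auth> must be usertoken or kerberos, got %r" % body[1])
    elif body and body[0] == "scep":
        rest = body[1:]
        if len(rest) == 3 and rest[2] == "mdm":
            kind, tenant = "mdm-scep", rest[0]
        elif len(rest) == 4 and rest[3] == "intune":
            kind, tenant, profile = "intune-scep", rest[0], rest[2]
        elif len(rest) == 3 or (len(rest) == 4 and rest[3] == "nop"):
            kind, tenant, profile = "scep", rest[0], rest[2]
        if kind in ("scep", "intune-scep") and not trailing_slash:
            problems.append("%s URL requires a trailing slash" % kind)
        if kind and apple_devices and u.scheme != "http":
            problems.append("macOS (Apple) devices need the http form of the SCEP URL")

    if kind is None:
        return None, problems + ["path matches no documented CEG enrollment template"]
    if "" in body:
        problems.append("empty path segment: a placeholder was left unfilled")
    if pkiaas and profile is not None and profile not in PKIAAS_PROFILES[kind]:
        problems.append("%r is not a PKI as a Service profile ID for %s" % (profile, kind))
    if known_tenants is not None and tenant not in known_tenants:
        # Tenant IDs are case-sensitive: point out a near miss that differs only in case.
        near = [t for t in known_tenants if t.lower() == tenant.lower()]
        if near:
            problems.append("tenant ID is case-sensitive: %r is not %r" % (tenant, near[0]))
        else:
            problems.append("unknown tenant ID %r" % tenant)
    return kind, problems


if __name__ == "__main__":
    # Constructed inputs: the page's own example URLs plus one missing its trailing slash.
    for example in (
        "https://cegserver.example.com/acme/tenant1/example_ca1/privatessl-tls-client/directory",
        "http://cegserver.example.com/scep/tenant1/example_ca1/scep-digital-signature/nop/",
        "https://cegserver.example.com/scep/tenant1/example_ca1/scep-digital-signature",
        "https://cegserver1.example.com:443/wstep/kerberos/services/tenant1/example-ca1",
    ):
        print(example, "->", check_ceg_url(example, pkiaas=True, known_tenants={"tenant1"}))
```

Pass `apple_devices=True` when the URL will be handed to macOS devices, `pkiaas=True` when the CA behind CA Gateway is Entrust PKI as a Service, and `known_tenants` with the tenant IDs configured in CEG to catch a tenant that differs only in letter case.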