When deploying or redeploying Certificate Enrollment Gateway, CSP 1.0.0 will display a list of local test commands and enrollment URLs for Certificate Enrollment Gateway.
ACMEv2 enrollment URL
ACMEv2 clients must use the following URL to communicate with Certificate Enrollment Gateway:
https://<CEG-server>/acme/<tenant-ID>/<CA-ID>/<profile-ID>/directory
Where:
- <CEG-server> is the hostname or IP address of the Certificate Enrollment Gateway server.
- <tenant-ID> is the unique identifier of a tenant defined in Certificate Enrollment Gateway. The value is case-sensitive.
- <CA-ID> is the CA ID of the Certificate Authority (CA) defined in CA Gateway that will issue certificates to the ACMEv2 endpoint.
- <profile-ID> is the profile ID defined in CA Gateway that defines the certificate type issued to the ACMEv2 client. For Entrust PKI as a Service, the profile ID is one of the following:
  - privatessl-tls-client-server
  - privatessl-tls-server
  - privatessl-tls-client
For example:
https://cegserver.example.com/acme/tenant1/example_ca1/privatessl_tls_client/directory
Intune-SCEP enrollment URL
Microsoft Intune must be configured to use one of the following URLs to communicate with Certificate Enrollment Gateway:
The Intune-SCEP enrollment URL requires the trailing forward slash (/). To support macOS (Apple) devices, the URL must start with http instead of https.
http://<CEG-server>/scep/<tenant-ID>/<CA-ID>/<profile-ID>/intune/
https://<CEG-server>/scep/<tenant-ID>/<CA-ID>/<profile-ID>/intune/
Where:
- <CEG-server> is the hostname or IP address of the Certificate Enrollment Gateway server.
- <tenant-ID> is the unique identifier of a tenant defined in Certificate Enrollment Gateway. The value is case-sensitive.
- <CA-ID> is the CA ID of the Certificate Authority (CA) defined in CA Gateway that will issue certificates to the SCEP client.
- <profile-ID> is the profile ID defined in CA Gateway that defines the certificate type issued to the SCEP client. For Entrust PKI as a Service, the profile ID is one of the following:
  - intune-digital-signature-key-encipherment
  - intune-digital-signature
  - intune-key-encipherment
  - intune-non-repudiation
For example:
http://cegserver.example.com/scep/tenant1/example_ca1/intune-digital-signature-key-encipherment/intune/
https://cegserver.example.com/scep/tenant1/example_ca1/intune-digital-signature-key-encipherment/intune/
MDM-SCEP enrollment URL
MDM-SCEP clients must use one of the following URLs to communicate with Certificate Enrollment Gateway:
To support macOS (Apple) devices, the URL must start with http instead of https.
http://<CEG-server>/scep/<tenant-ID>/<digitalid-config>/mdm
https://<CEG-server>/scep/<tenant-ID>/<digitalid-config>/mdm
Where:
- <CEG-server> is the hostname or IP address of the Certificate Enrollment Gateway server.
- <tenant-ID> is the unique identifier of a tenant defined in Certificate Enrollment Gateway. The value is case-sensitive.
- <digitalid-config> is a digital ID configuration defined in the CEG Service.
For example:
http://cegserver.example.com/scep/tenant1/digitalid-config1/mdm
https://cegserver.example.com/scep/tenant1/digitalid-config1/mdm
MDMWS enrollment URL
Mobile Device Management products must use the following URL to communicate with Certificate Enrollment Gateway:
https://<CEG-server>/mdm/services/<tenant-ID>
Where:
- <CEG-server> is the hostname or IP address of the Certificate Enrollment Gateway server.
- <tenant-ID> is the unique identifier of a tenant defined in Certificate Enrollment Gateway. The value is case-sensitive.
For example:
https://cegserver.example.com/mdm/services/tenant1
SCEP enrollment URL
SCEP clients must use one of the following URLs to communicate with Certificate Enrollment Gateway:
The SCEP enrollment URL requires the trailing forward slash (/). To support macOS (Apple) devices, the URL must start with http instead of https.
http://<CEG-server>/scep/<tenant-ID>/<CA-ID>/<profile-ID>/
https://<CEG-server>/scep/<tenant-ID>/<CA-ID>/<profile-ID>/
Where:
- <CEG-server> is the hostname or IP address of the Certificate Enrollment Gateway server.
- <tenant-ID> is the unique identifier of a tenant defined in Certificate Enrollment Gateway. The value is case-sensitive.
- <CA-ID> is the CA ID of the Certificate Authority (CA) defined in CA Gateway that will issue certificates to the SCEP client.
- <profile-ID> is the profile ID defined in CA Gateway that defines the certificate type issued to the SCEP client. For Entrust PKI as a Service, the profile ID is one of the following:
  - scep-digital-signature-key-encipherment
  - scep-digital-signature
  - scep-key-encipherment
  - scep-non-repudiation
For example:
http://cegserver.example.com/scep/tenant1/example_ca1/scep-digital-signature/
https://cegserver.example.com/scep/tenant1/example_ca1/scep-digital-signature/
Some SCEP clients append an additional parameter to all SCEP URLs. For these clients, you must append nop/ to the SCEP URL. For example:
http://cegserver.example.com/scep/tenant1/example_ca1/scep-digital-signature/nop/
https://cegserver.example.com/scep/tenant1/example_ca1/scep-digital-signature/nop/
WSTEP enrollment URL
For WSTEP enrollment, the enrollment service in Active Directory must use the following URL to communicate with Certificate Enrollment Gateway:
https://<CEG-server>:443/wstep/<auth>/services/<tenant-ID>/<CA-ID>
Where:
- <CEG-server> is the hostname or IP address of the Certificate Enrollment Gateway server.
- <auth> is the authentication method: either usertoken for user name and password authentication, or kerberos for Kerberos (Windows integrated) authentication.
- <tenant-ID> is the unique identifier of a tenant defined in Certificate Enrollment Gateway. The value is case-sensitive.
- <CA-ID> is the CA ID of the Certificate Authority (CA) defined in CA Gateway that will issue certificates to the Windows endpoint.
For example, when authenticating with a user name and password:
https://cegserver1.example.com:443/wstep/usertoken/services/tenant1/example-ca1
For example, when authenticating with Kerberos:
https://cegserver1.example.com:443/wstep/kerberos/services/tenant1/example-ca1
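The URL formats above are easy to get subtly wrong when typed into an MDM, Intune or ACME client configuration (a dropped trailing slash on a SCEP URL, https where a macOS device needs http, or the reverse for endpoints that are https only). The following Python script is an added example and not Entrust's code: it classifies a candidate enrollment URL against the six formats documented on this page and reports the deviations the page warns about. The route table, the endpoint names (acme, intune-scep, mdm-scep, mdmws, scep, wstep) and the leniency of accepting an optional trailing slash on the MDM-SCEP path are this example's own assumptions.

```python
"""Classify Certificate Enrollment Gateway (CEG) enrollment URLs and flag the
formatting mistakes this page warns about: a missing trailing slash on SCEP and
Intune-SCEP URLs, plain http on endpoints that are https only, and paths that
match none of the documented formats.

Added example, not Entrust code. The route table is constructed from the URL
formats documented on this page; endpoint names are this example's own.
"""
import re
from urllib.parse import urlparse

# Order matters: the more specific SCEP routes (mdm, intune) are tried before
# the generic SCEP route, which would otherwise swallow them.
ROUTES = [
    ("acme",        re.compile(r"^/acme/(?P<tenant>[^/]+)/(?P<ca>[^/]+)/(?P<profile>[^/]+)/directory$")),
    ("intune-scep", re.compile(r"^/scep/(?P<tenant>[^/]+)/(?P<ca>[^/]+)/(?P<profile>[^/]+)/intune(?P<slash>/?)$")),
    # Assumption: an optional trailing slash is tolerated on the mdm path.
    ("mdm-scep",    re.compile(r"^/scep/(?P<tenant>[^/]+)/(?P<digitalid>[^/]+)/mdm/?$")),
    ("mdmws",       re.compile(r"^/mdm/services/(?P<tenant>[^/]+)$")),
    ("wstep",       re.compile(r"^/wstep/(?P<auth>usertoken|kerberos)/services/(?P<tenant>[^/]+)/(?P<ca>[^/]+)$")),
    ("scep",        re.compile(r"^/scep/(?P<tenant>[^/]+)/(?P<ca>[^/]+)/(?P<profile>[^/]+)(?P<nop>/nop)?(?P<slash>/?)$")),
]

# SCEP-family endpoints may be served over plain http so that macOS (Apple)
# devices can enrol; every other endpoint on this page is https only.
HTTP_ALLOWED = {"scep", "intune-scep", "mdm-scep"}
TRAILING_SLASH_REQUIRED = {"scep", "intune-scep"}


def classify_ceg_url(url: str) -> dict:
    """Return the endpoint type, the path fields and a list of warnings."""
    parts = urlparse(url)
    result = {"endpoint": "unknown", "host": parts.hostname, "fields": {}, "warnings": []}
    if parts.scheme not in ("http", "https") or not parts.hostname:
        result["warnings"].append("not an absolute http(s) URL")
        return result

    for name, pattern in ROUTES:
        m = pattern.match(parts.path)
        if not m:
            continue
        result["endpoint"] = name
        groups = m.groupdict()
        slash = groups.pop("slash", None)
        nop = groups.pop("nop", None)
        result["fields"] = groups
        if name == "scep":
            # True when the client-specific nop/ suffix is present.
            result["fields"]["nop"] = nop is not None
        if name in TRAILING_SLASH_REQUIRED and slash != "/":
            result["warnings"].append("SCEP enrollment URL requires a trailing forward slash (/)")
        if parts.scheme == "http" and name not in HTTP_ALLOWED:
            result["warnings"].append(f"{name} endpoint must use https")
        return result

    result["warnings"].append(f"path {parts.path!r} does not match any CEG enrollment URL format")
    return result


if __name__ == "__main__":
    # Constructed candidates: the page's own examples plus two deliberately
    # malformed variants (missing slash, http on an https-only endpoint).
    candidates = [
        "https://cegserver.example.com/acme/tenant1/example_ca1/privatessl_tls_client/directory",
        "http://cegserver.example.com/scep/tenant1/example_ca1/scep-digital-signature/nop/",
        "https://cegserver.example.com/scep/tenant1/example_ca1/scep-digital-signature",
        "http://cegserver.example.com/acme/tenant1/example_ca1/privatessl_tls_client/directory",
        "https://cegserver1.example.com:443/wstep/kerberos/services/tenant1/example-ca1",
    ]
    for candidate in candidates:
        r = classify_ceg_url(candidate)
        print(f"{r['endpoint']:12} {candidate}")
        for w in r["warnings"]:
            print(f"{'':12}   warning: {w}")
```

Run the script as-is to see the page's example URLs classified; paste a URL from your own client configuration into the candidates list to check it before rolling it out. The tenant ID is case-sensitive, which this check cannot verify on its own; compare the parsed tenant field against the tenant as defined in Certificate Enrollment Gateway.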