When deploying or redeploying Certificate Enrollment Gateway, CSP 1.0.0 will display a list of local test commands and enrollment URLs for Certificate Enrollment Gateway.
ACMEv2 enrollment URL
ACMEv2 clients must use the following URL to communicate with Certificate Enrollment Gateway:
https://<CEG-server>/acme/<tenant-ID>/<CA-ID>/<profile-ID>/directory
Where:
<CEG-server>
is the hostname or IP address of the Certificate Enrollment Gateway server.<tenant-ID>
is the unique identifier of a tenant defined in Certificate Enrollment Gateway. The value is case-sensitive.<CA-ID>
is the CA ID of the Certificate Authority (CA) defined in CA Gateway that will issue certificates to the ACMEv2 endpoint.<profile-ID>
is the profile ID defined in CA Gateway that defines the certificate type issued to the ACMEv2 client. For Entrust PKI as a Service, the profile ID is one of the following- privatessl-tls-client-server
- privatessl-tls-server
- privatessl-tls-client.
For example:
https://cegserver.example.com/acme/tenant1/example_ca1/privatessl_tls_client/directory
Intune-SCEP enrollment URL
Microsoft Intune must be configured to use one of the following URLs to communicate with Certificate Enrollment Gateway:
The following Intune-SCEP enrollment URL requires the trailing forward slash (/). To support macOS (Apple) devices, the URL must start with http
instead of https
.
http://<CEG-server>/scep/<tenant-ID>/<CA-ID>/<profile-ID>/intune/
https://<CEG-server>/scep/<tenant-ID>/<CA-ID>/<profile-ID>/intune/
Where:
<CEG-server>
is the hostname or IP address of the Certificate Enrollment Gateway server.<tenant-ID>
is the unique identifier of a tenant defined in Certificate Enrollment Gateway. The value is case-sensitive.<CA-ID>
is the CA ID of the Certificate Authority (CA) defined in CA Gateway that will issue certificates to the SCEP client.<profile-ID>
is the profile ID defined in CA Gateway that defines the certificate type issued to the SCEP client. For Entrust PKI as a Service, the profile ID is one of the following:- intune-digital-signature-key-encipherment
- intune-digital-signature
- intune-key-encipherment
- intune-non-repudiation
For example:
http://cegserver.example.com/scep/tenant1/example_ca1/intune-digital-signature-key-encipherment/intune/
https://cegserver.example.com/scep/tenant1/example_ca1/intune-digital-signature-key-encipherment/intune/
MDM-SCEP enrollment URL
MDM-SCEP clients must use one of the following URLs to communicate with Certificate Enrollment Gateway:
To support macOS (Apple) devices, the URL must start with http
instead of https
.
http://<CEG-server>/scep/<tenant-ID>/<digitalid-config>/mdm
https://<CEG-server>/scep/<tenant-ID>/<digitalid-config>/mdm
Where:
<CEG-server>
is the hostname or IP address of the Certificate Enrollment Gateway server.<tenant-ID>
is the unique identifier of a tenant defined in Certificate Enrollment Gateway. The value is case-sensitive.<digitalid-config>
is a digital ID configuration defined in the CEG Service.
For example:
http://cegserver.example.com/scep/tenant1/digitalid-config1/mdm
https://cegserver.example.com/scep/tenant1/digitalid-config1/mdm
MDMWS enrollment URL
Mobile Device Management products must use the following URL to communicate with Certificate Enrollment Gateway:
https://<CEG-server>/mdm/services/<tenant-ID>
Where:
<CEG-server>
is the hostname or IP address of the Certificate Enrollment Gateway server.<tenant-ID>
is the unique identifier of a tenant defined in Certificate Enrollment Gateway. The value is case-sensitive.
For example:
https://cegserver.example.com/mdm/services/tenant1
SCEP enrollment URL
SCEP clients must use one of the following URLs to communicate with Certificate Enrollment Gateway:
The following SCEP enrollment URL requires the trailing forward slash (/). To support macOS (Apple) devices, the URL must start with http
instead of https
.
http://<CEG-server>/scep/<tenant-ID>/<CA-ID>/<profile-ID>/
https://<CEG-server>/scep/<tenant-ID>/<CA-ID>/<profile-ID>/
Where:
<CEG-server>
is the hostname or IP address of the Certificate Enrollment Gateway server.<tenant-ID>
is the unique identifier of a tenant defined in Certificate Enrollment Gateway. The value is case-sensitive.<CA-ID>
is the CA ID of the Certificate Authority (CA) defined in CA Gateway that will issue certificates to the SCEP client.<profile-ID>
is the profile ID defined in CA Gateway that defines the certificate type issued to the SCEP client. For Entrust PKI as a Service, the profile ID is one of the following:- scep-digital-signature-key-encipherment
- scep-digital-signature
- scep-key-encipherment
- scep-non-repudiation
For example:
http://cegserver.example.com/scep/tenant1/example_ca1/scep-digital-signature/
https://cegserver.example.com/scep/tenant1/example_ca1/scep-digital-signature/
Some SCEP clients will append an additional parameter to all SCEP URLs. For these clients, you must append nop/
to the SCEP URL. For example:
http://cegserver.example.com/scep/tenant1/example_ca1/scep-digital-signature/nop/
https://cegserver.example.com/scep/tenant1/example_ca1/scep-digital-signature/nop/
WSTEP enrollment URL
For WSTEP enrollment, the enrollment service in Active Directory must use the following URL to communicate with Certificate Enrollment Gateway:
https://<CEG-server>:443/wstep/<auth>/services/<tenant-ID>/<CA-ID>
Where:
<CEG-server>
is the hostname or IP address of the Certificate Enrollment Gateway server.<auth>
is the authentication method, eitherusertoken
for user name and password authentication orkerberos
for Kerberos (Windows integrated) authentication.<tenant-ID>
is the unique identifier of a tenant defined in Certificate Enrollment Gateway. The value is case-sensitive.<CA-ID>
is the CA ID of the Certificate Authority (CA) defined in CA Gateway that will issue certificates to the Windows endpoint.
For example, when authenticating with a user name and password:
https://cegserver1.example.com:443/wstep/usertoken/services/tenant1/example-ca1
For example, when authenticating with Kerberos:
https://cegserver1.example.com:443/wstep/kerberos/services/tenant1/example-ca1