If you are using Certificate Enrollment Gateway with Entrust PKI as a Service, you can use native Linux tools to create a CSR (certificate signing request) for the Certificate Enrollment Gateway certificate, then process the CSR using Entrust PKI as a Service to create a certificate.
Downloading the CA certificate chain from Entrust PKI as a Service
Cryptographic Security Platform 1.0.0 requires the full TLS certificate chain for the Certificate Enrollment Gateway certificate, from the TLS certificate up to the root CA. Download all CA certificates in the CA certificate chain from Entrust PKI as a Service, from the Issuing CA to the root CA.
To download CA certificates from Entrust PKI as a Service
- Log in to the Entrust Certificate Services interface.
- Select Administration > PKIaaS Management.
A list of private CAs appears.
- For each CA in the TLS certificate chain, from the Issuing CA to the Root CA:
- Select the CA.
- Click Download certificate.
Processing the CSR with Entrust PKI as a Service
After creating the certificate signing request (CSR) for the Certificate Enrollment Gateway certificate, you can submit the CSR to an Issuing CA in Entrust PKI as a Service. The Issuing CA will process the CSR and generate the certificate.
To submit the CSR to Entrust PKI as a Service and obtain the TLS certificate
- Log in to the Entrust Certificate Services interface.
- Select Create > PKIaas.
The Select Certificate Authority pane appears.
- From the Certificate Authority drop-down list, select the CA you want to issue the TLS certificate.
- From the Certificate Profile drop-down list, select the certificate profile you want to use for the TLS certificate. The certificate profile must include Digital Signature for TLS certificates.
- Click Next.
The Certificate Details pane appears.
- In the Subject DN field, enter a value for the certificate's subject DN. The value should be the DNS name of the server hosting CSP 1.0.0 PKI, for example:
cn=example.com
- For Certificate Expiry, provide an expiry date for the TLS certificate. It is recommended that the TLS certificate be valid for 1 year or less.
- Under Subject Alternative Names, add one or more DNS Name components to the Subject Alternative Name (subjectAltName) extension in the certificate. The subjectAltName extension must have a DNS Name component for each DNS name that may be used by the CSP 1.0.0 PKI cluster.
To add a DNS Name component to the Subject Alternative Name extension:
- For SAN type, select DNS Name.
- In the Value field, enter a DNS name that may be used by the server.
- Click Add to add the DNS Name component to the Subject Alternative Name extension.
The component is added to the list of components in the Subject Alternative Name extension.
- To remove a component from the Subject Alternative Name extension, click Remove next to the component that you want to remove.
- Copy the contents of the CSR you generated earlier, and paste the contents into the Certificate Signing Request (CSR) text box.
- Click Submit.
If the certificate is generated successfully, a success message appears.
- Click Download the newly created certificate to download the TLS certificate.
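The native Linux side of this procedure, as an added example that is not Entrust's own tooling: generating the key and a CSR whose subjectAltName carries a DNS Name for every name the CSP 1.0.0 PKI cluster may use, then checking the issued certificate against the downloaded CA chain. It assumes OpenSSL 1.1.1 or later is installed; the file names and hostnames are placeholders.

```shell
#!/bin/sh
# Added example (not Entrust's tooling): build the Certificate Enrollment
# Gateway key and CSR with OpenSSL, then verify the issued certificate against
# the CA chain downloaded from PKIaaS. Assumes openssl (1.1.1+) is on PATH.
set -e

# Write an RSA key and a CSR. The first argument after the files is the CN
# (the server's DNS name); every further argument becomes an extra DNS Name
# in subjectAltName, so one CSR can cover all cluster hostnames.
# Usage: make_ceg_csr <keyfile> <csrfile> <common name> [more dns names...]
make_ceg_csr() {
  key="$1"; csr="$2"; cn="$3"; shift 3
  sans="DNS:$cn"
  for name in "$@"; do sans="$sans,DNS:$name"; done
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$key" -out "$csr" \
    -subj "/CN=$cn" \
    -addext "subjectAltName=$sans" \
    -addext "keyUsage=critical,digitalSignature,keyEncipherment" \
    -addext "extendedKeyUsage=serverAuth" 2>/dev/null
}

# Print the DNS names requested in a CSR's subjectAltName, one per line,
# so the request can be reviewed before it is pasted into the portal.
csr_dns_names() {
  openssl req -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n1 \
    | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# Verify that the issued TLS certificate chains to the downloaded root CA
# through the downloaded issuing CA file(s). Non-zero exit means the chain
# is incomplete or invalid and must not be installed.
# Usage: verify_chain <tls.crt> <root-ca.crt> <issuing-cas.pem>
verify_chain() {
  openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null
}
```

Concatenate the downloaded Issuing CA certificates into the third file given to `verify_chain`; the root goes in its own file.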