For CMPv2 enrollment, CA Gateway requires a truststore containing all the CA certificates required to verify CMP messages. The truststore must contain the CA certificate chain for all certificates used by CMPv2 devices, including certificates that will be issued by Entrust Managed CAs and any pre-installed vendor certificates issued by third-party CAs.

You must configure CA Gateway to use this truststore to validate CMP messages sent from CMPv2 devices. Under Cmpv2, the Truststore section specifies the truststore settings for CMPv2 enrollment.

  • If CMPv2 devices will authenticate the initial enrollment with an expired vendor certificate, set Allow Expired Vendor Certificate to True so that CA Gateway accepts the expired vendor certificate for that enrollment.
  • The Alias section must specify the list of aliases for all CA certificates in the truststore. For each CA certificate:
    • The Alias setting must specify the alias of the CA certificate in the truststore.
    • The DN setting must specify the distinguished name (DN) of the CA certificate.
    • For third-party certificates, you may want to disable CRL checking if the CA or CRL is no longer available. To disable CRL checking for a certificate, set Enable revocation checks on issued certificates to False.
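The validation policy the settings above describe, as an added illustration that is not CA Gateway's own code: each truststore Alias entry is matched to a CMP signer certificate by issuer DN, Allow Expired Vendor Certificate applies only to the initial enrollment, and a CA whose revocation checks are disabled is trusted without a CRL lookup. The truststore entries, DNs and signer certificates are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

@dataclass(frozen=True)
class TrustAnchor:
    """One Alias entry of the CMPv2 Truststore section."""
    alias: str
    dn: str
    enable_revocation_checks: bool = True

@dataclass(frozen=True)
class SignerCert:
    """Certificate a device used to sign its CMP message (constructed)."""
    subject: str
    issuer: str
    not_after: datetime
    revoked: Optional[bool] = None  # None models "CRL not available"

# Constructed truststore: one Entrust Managed CA, and one third-party vendor
# CA whose CRL is no longer published, so revocation checks are disabled.
TRUSTSTORE = (
    TrustAnchor("managed-issuing-ca", "CN=Example Managed Issuing CA,O=Example"),
    TrustAnchor("vendor-device-ca", "CN=Vendor Device CA,O=Vendor", False),
)

# Constructed signer certificates and a fixed clock for reproducible results.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
EXPIRED_VENDOR = SignerCert("CN=device-0001", "CN=Vendor Device CA,O=Vendor",
                            datetime(2023, 1, 1, tzinfo=timezone.utc))
REVOKED_MANAGED = SignerCert("CN=device-0001", "CN=Example Managed Issuing CA,O=Example",
                             datetime(2030, 1, 1, tzinfo=timezone.utc), revoked=True)

def evaluate_signer(cert, truststore, allow_expired_vendor_cert,
                    initial_enrollment, now=NOW):
    """Return (accepted, reason) for a CMP message signed with `cert`."""
    anchor = next((a for a in truststore if a.dn == cert.issuer), None)
    if anchor is None:
        return False, f"issuer {cert.issuer!r} has no alias in the truststore"
    if cert.not_after < now and not (allow_expired_vendor_cert and initial_enrollment):
        return False, f"certificate expired on {cert.not_after.date()}"
    if anchor.enable_revocation_checks:
        if cert.revoked is None:
            return False, f"CRL for alias {anchor.alias!r} is unavailable"
        if cert.revoked:
            return False, f"certificate revoked by alias {anchor.alias!r}"
    return True, f"trusted via alias {anchor.alias!r}"
```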