When you deploy or redeploy Certificate Enrollment Gateway, CSP 1.1.0 displays a list of local test commands and the enrollment URLs for Certificate Enrollment Gateway.

ACMEv2 enrollment URLs

ACMEv2 clients must use one of the following URLs to communicate with Certificate Enrollment Gateway.

Default ACMEv2 enrollment URL

When External Account Binding is disabled, all ACMEv2 clients must use the following URL:

https://<CEG-server>/acme/<tenant-ID>/<CA-ID>/<profile-ID>/directory

Where:

  • <CEG-server> is the hostname or IP address of the Certificate Enrollment Gateway server.
  • <tenant-ID> is the unique identifier of a tenant defined in Certificate Enrollment Gateway. The value is case-sensitive.
  • <CA-ID> is the CA ID of the Certification Authority (CA) defined in CA Gateway that will issue certificates to the ACMEv2 endpoint.
  • <profile-ID> is the profile ID defined in CA Gateway that defines the certificate type issued to the ACMEv2 client. For Entrust PKI as a Service, the profile ID is one of the following:
    • privatessl-tls-client-server
    • privatessl-tls-server
    • privatessl-tls-client

For example:

https://cegserver.example.com/acme/tenant1/example_ca1/privatessl-tls-client/directory

ACMEv2 Request URL for an External Account Binding credential

When External Account Binding is enabled, each External Account Binding credential has its own generated URL, and the client must use the URL issued with its credential rather than the default URL. For example:

https://<CEG-server>/acme/ceg/Agu-fwShl2jDXsMYe4Ti3w/0mj615kbbkkb/directory

Where <CEG-server> is the hostname or IP address of the Certificate Enrollment Gateway server. For example:

https://cegserver.example.com/acme/ceg/Agu-fwShl2jDXsMYe4Ti3w/0mj615kbbkkb/directory

CMPv2 enrollment URLs

CMPv2 clients must use one of the following URLs to communicate with Certificate Enrollment Gateway. The http URL only works if you configured the CMPv2 Service to allow HTTP connections. CMPv2 messages carry their own integrity protection, but only the https URL also keeps the request contents from being read on the network, so leave HTTP disabled unless a client cannot use TLS.

https://<CEG-server>/cmpv2/<tenant-ID>/<CA-ID>/<profile-ID>/<spec-id>
http://<CEG-server>/cmpv2/<tenant-ID>/<CA-ID>/<profile-ID>/<spec-id>

Where:

  • <CEG-server> is the hostname or IP address of the Certificate Enrollment Gateway server.
  • <tenant-ID> is the unique identifier of a tenant defined in Certificate Enrollment Gateway. The value is case-sensitive.
  • <CA-ID> is the CA ID of the Certification Authority (CA) defined in CA Gateway that will issue certificates to the CMPv2 client.
  • <profile-ID> is the profile ID defined in CA Gateway that defines the certificate type issued to the CMPv2 client.
  • <spec-id> is a specification ID for CMPv2 that is defined in CA Gateway.

For example:

https://cegserver.example.com/cmpv2/tenant1/example_ca1/example-profile1/standard
http://cegserver.example.com/cmpv2/tenant1/example_ca1/example-profile1/standard

EST enrollment URLs

EST clients must use one of the following URLs to communicate with Certificate Enrollment Gateway.

When using the concatenated URL, the tenant ID, CA ID, and certificate profile ID cannot contain underscores, because the underscore is the separator between the three IDs in that form.

Default EST enrollment URL:

https://<CEG-server>:1443/.well-known/est/<tenant-ID>/<CA-ID>/<profile-ID>/

Concatenated EST enrollment URL:

https://<CEG-server>:1443/.well-known/est/<tenant-ID>_<CA-ID>_<profile-ID>/

Where:

  • <CEG-server> is the hostname or IP address of the Certificate Enrollment Gateway server.
  • <tenant-ID> is the unique identifier of a tenant defined in Certificate Enrollment Gateway. The value is case-sensitive.
  • <CA-ID> is the CA ID of the Certification Authority (CA) defined in CA Gateway that will issue certificates to the EST client.
  • <profile-ID> is the profile ID defined in CA Gateway that defines the certificate type issued to the EST client. For Entrust PKI as a Service, the profile ID is one of the following:
    • est-digital-signature-key-encipherment
    • est-digital-signature
    • est-key-encipherment
    • est-non-repudiation

For example:

https://cegserver.example.com:1443/.well-known/est/tenant1/example-ca1/est-digital-signature/
https://cegserver.example.com:1443/.well-known/est/tenant1_example-ca1_est-digital-signature/

Intune-SCEP enrollment URL

Microsoft Intune must be configured to use one of the following URLs to communicate with Certificate Enrollment Gateway:

The following Intune-SCEP enrollment URL requires the trailing forward slash (/). To support macOS (Apple) devices, the URL must start with http instead of https.

http://<CEG-server>/scep/<tenant-ID>/<CA-ID>/<profile-ID>/intune/
https://<CEG-server>/scep/<tenant-ID>/<CA-ID>/<profile-ID>/intune/

Where:

  • <CEG-server> is the hostname or IP address of the Certificate Enrollment Gateway server.
  • <tenant-ID> is the unique identifier of a tenant defined in Certificate Enrollment Gateway. The value is case-sensitive.
  • <CA-ID> is the CA ID of the Certification Authority (CA) defined in CA Gateway that will issue certificates to the SCEP client.
  • <profile-ID> is the profile ID defined in CA Gateway that defines the certificate type issued to the SCEP client. For Entrust PKI as a Service, the profile ID is one of the following:
    • intune-digital-signature-key-encipherment
    • intune-digital-signature
    • intune-key-encipherment
    • intune-non-repudiation

For example:

http://cegserver.example.com/scep/tenant1/example_ca1/intune-digital-signature-key-encipherment/intune/
https://cegserver.example.com/scep/tenant1/example_ca1/intune-digital-signature-key-encipherment/intune/

MDM-SCEP enrollment URL

MDM-SCEP clients must use one of the following URLs to communicate with Certificate Enrollment Gateway:

To support macOS (Apple) devices, the URL must start with http instead of https.

http://<CEG-server>/scep/<tenant-ID>/<digitalid-config>/mdm
https://<CEG-server>/scep/<tenant-ID>/<digitalid-config>/mdm

Where:

  • <CEG-server> is the hostname or IP address of the Certificate Enrollment Gateway server.
  • <tenant-ID> is the unique identifier of a tenant defined in Certificate Enrollment Gateway. The value is case-sensitive.
  • <digitalid-config> is a digital ID configuration defined in the CEG Service.

For example:

http://cegserver.example.com/scep/tenant1/digitalid-config1/mdm
https://cegserver.example.com/scep/tenant1/digitalid-config1/mdm

MDMWS enrollment URL

Mobile Device Management products must use the following URL to communicate with Certificate Enrollment Gateway:

https://<CEG-server>/mdm/services/<tenant-ID>

Where:

  • <CEG-server> is the hostname or IP address of the Certificate Enrollment Gateway server.
  • <tenant-ID> is the unique identifier of a tenant defined in Certificate Enrollment Gateway. The value is case-sensitive.

For example:

https://cegserver.example.com/mdm/services/tenant1

SCEP enrollment URL

SCEP clients must use one of the following URLs to communicate with Certificate Enrollment Gateway:

The following SCEP enrollment URL requires the trailing forward slash (/). To support macOS (Apple) devices, the URL must start with http instead of https. SCEP enrollment messages are signed and encrypted at the message layer, so the http URL does not expose the request contents, but the CA certificate a client retrieves over http is not authenticated by the transport; configure clients to verify the CA certificate out of band (for example, by its fingerprint) where they support it.

http://<CEG-server>/scep/<tenant-ID>/<CA-ID>/<profile-ID>/
https://<CEG-server>/scep/<tenant-ID>/<CA-ID>/<profile-ID>/

Where:

  • <CEG-server> is the hostname or IP address of the Certificate Enrollment Gateway server.
  • <tenant-ID> is the unique identifier of a tenant defined in Certificate Enrollment Gateway. The value is case-sensitive.
  • <CA-ID> is the CA ID of the Certification Authority (CA) defined in CA Gateway that will issue certificates to the SCEP client.
  • <profile-ID> is the profile ID defined in CA Gateway that defines the certificate type issued to the SCEP client. For Entrust PKI as a Service, the profile ID is one of the following:
    • scep-digital-signature-key-encipherment
    • scep-digital-signature
    • scep-key-encipherment
    • scep-non-repudiation

For example:

http://cegserver.example.com/scep/tenant1/example_ca1/scep-digital-signature/
https://cegserver.example.com/scep/tenant1/example_ca1/scep-digital-signature/

Some SCEP clients append an additional parameter to every SCEP URL they are given. For these clients, you must append nop/ to the SCEP URL (the trailing forward slash is still required). For example:

http://cegserver.example.com/scep/tenant1/example_ca1/scep-digital-signature/nop/
https://cegserver.example.com/scep/tenant1/example_ca1/scep-digital-signature/nop/

WSTEP enrollment URL

For WSTEP enrollment, the enrollment service in Active Directory must use the following URL to communicate with Certificate Enrollment Gateway:

https://<CEG-server>:443/wstep/<auth>/services/<tenant-ID>/<CA-ID>

Where:

  • <CEG-server> is the hostname or IP address of the Certificate Enrollment Gateway server.
  • <auth> is the authentication method, either usertoken for user name and password authentication or kerberos for Kerberos (Windows integrated) authentication.
  • <tenant-ID> is the unique identifier of a tenant defined in Certificate Enrollment Gateway. The value is case-sensitive.
  • <CA-ID> is the CA ID of the Certification Authority (CA) defined in CA Gateway that will issue certificates to the Windows endpoint.

For example, when authenticating with a user name and password:

https://cegserver1.example.com:443/wstep/usertoken/services/tenant1/example-ca1

For example, when authenticating with Kerberos:

https://cegserver1.example.com:443/wstep/kerberos/services/tenant1/example-ca1
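The following Python script is an added example and is not part of Certificate Enrollment Gateway or of this guide. It builds the enrollment URLs listed on this page for every protocol (ACMEv2, CMPv2, EST, Intune-SCEP, MDM-SCEP, MDMWS, SCEP, and WSTEP) and enforces the constraints the sections above state: TLS-only protocols, port 1443 and the no-underscore rule for the concatenated EST form, the mandatory trailing slash and the optional nop/ suffix for SCEP, the HTTP switch for CMPv2, and the two WSTEP authentication methods. It also classifies a URL back to its protocol and tenant so that a plain http request to an endpoint this page lists only over https can be flagged in a proxy or gateway access log. The host names and the tenant, CA, profile, specification, and digital ID configuration IDs are the placeholder values from this page; the rule that an ID may contain only letters, digits, dots, hyphens, and underscores is an assumption of the example, not a rule of Certificate Enrollment Gateway.

```python
"""Build and classify Certificate Enrollment Gateway (CEG) enrollment URLs.
Added example, not Entrust code. Host names and IDs are the placeholders
from the page; the ID character rule below is an assumption of the example.
"""
import re
from urllib.parse import urlsplit

# Every ID is one path segment. Reject anything that would add a segment or
# walk the path ("/", "?", "..") so a caller-supplied ID can never redirect a
# client to another tenant's or CA's endpoint. (Assumed rule, see docstring.)
_SEGMENT = re.compile(r"^[A-Za-z0-9._-]+$")

def _seg(name, value):
    if value in (".", "..") or not _SEGMENT.match(value):
        raise ValueError(f"{name} {value!r} is not a safe single path segment")
    return value

def _base(scheme, host, port=None):
    return f"{scheme}://{host}" + (f":{port}" if port else "")

def acme_url(host, tenant, ca, profile):
    """ACMEv2 directory URL (External Account Binding disabled); https only."""
    return (f"{_base('https', host)}/acme/{_seg('tenant', tenant)}/"
            f"{_seg('CA', ca)}/{_seg('profile', profile)}/directory")

def cmpv2_url(host, tenant, ca, profile, spec, tls=True, http_allowed=False):
    """CMPv2 URL; the http form only works if the CMPv2 Service allows HTTP."""
    if not tls and not http_allowed:
        raise ValueError("plain HTTP needs the CMPv2 Service configured to allow it")
    return (f"{_base('https' if tls else 'http', host)}/cmpv2/{_seg('tenant', tenant)}/"
            f"{_seg('CA', ca)}/{_seg('profile', profile)}/{_seg('spec', spec)}")

def est_url(host, tenant, ca, profile, concatenated=False, port=1443):
    """EST URL on port 1443, in the default or the concatenated form."""
    ids = [_seg("tenant", tenant), _seg("CA", ca), _seg("profile", profile)]
    if concatenated:
        # "_" separates the IDs in this form, so an ID containing one could
        # not be split back into tenant, CA and profile by the gateway.
        if any("_" in i for i in ids):
            raise ValueError("concatenated EST URL: IDs must not contain underscores")
        return f"{_base('https', host, port)}/.well-known/est/{'_'.join(ids)}/"
    return f"{_base('https', host, port)}/.well-known/est/{'/'.join(ids)}/"

def scep_url(host, tenant, ca, profile, tls=True, intune=False, nop=False):
    """SCEP or Intune-SCEP URL; the trailing slash is mandatory, http for Apple."""
    url = (f"{_base('https' if tls else 'http', host)}/scep/{_seg('tenant', tenant)}/"
           f"{_seg('CA', ca)}/{_seg('profile', profile)}/")
    if intune:
        return url + "intune/"
    # nop/ absorbs the extra parameter some SCEP clients append to every URL.
    return url + "nop/" if nop else url

def mdm_scep_url(host, tenant, digitalid_config, tls=True):
    """MDM-SCEP URL, built from a CEG digital ID configuration, not a CA/profile."""
    return (f"{_base('https' if tls else 'http', host)}/scep/{_seg('tenant', tenant)}/"
            f"{_seg('digitalid-config', digitalid_config)}/mdm")

def mdmws_url(host, tenant):
    """MDMWS URL for Mobile Device Management products; https only."""
    return f"{_base('https', host)}/mdm/services/{_seg('tenant', tenant)}"

def wstep_url(host, tenant, ca, auth):
    """WSTEP URL; auth selects user name/password (usertoken) or Kerberos."""
    if auth not in ("usertoken", "kerberos"):
        raise ValueError("WSTEP auth must be 'usertoken' or 'kerberos'")
    return (f"{_base('https', host, 443)}/wstep/{auth}/services/"
            f"{_seg('tenant', tenant)}/{_seg('CA', ca)}")

# Protocols this page lists over https only; plain http to them is worth an alert.
TLS_ONLY = {"acme", "est", "mdm", "wstep"}

def classify(url):
    """Return (protocol, tenant, plaintext_to_tls_only) for a CEG enrollment
    URL as it would appear in a proxy or gateway access log."""
    u = urlsplit(url)
    parts = [p for p in u.path.split("/") if p]
    if len(parts) >= 3 and parts[:2] == [".well-known", "est"]:
        proto, tenant = "est", parts[2].split("_")[0]   # default or concatenated
    elif len(parts) >= 3 and parts[:2] == ["mdm", "services"]:
        proto, tenant = "mdm", parts[2]
    elif len(parts) >= 4 and parts[0] == "wstep" and parts[2] == "services":
        proto, tenant = "wstep", parts[3]
    elif len(parts) >= 2 and parts[0] in ("acme", "cmpv2", "scep"):
        proto, tenant = parts[0], parts[1]
    else:
        raise ValueError(f"not a CEG enrollment URL: {url}")
    return proto, tenant, (proto in TLS_ONLY and u.scheme == "http")

def rejects(fn, *args, **kwargs):
    """True if fn raises ValueError for these arguments; used by the checks."""
    try:
        fn(*args, **kwargs)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    print(est_url("cegserver.example.com", "tenant1", "example-ca1",
                  "est-digital-signature", concatenated=True))
    print(classify("http://cegserver.example.com/.well-known/est/tenant1/example-ca1/est-digital-signature/"))
```

The builder refuses an ID that would change the path structure, because every ID lands in the URL path and the tenant, CA, and profile segments decide which CA issues the certificate; classify() is the inverse and is the piece to reuse in a log review, where an http request to an ACMEv2, EST, MDMWS, or WSTEP path indicates a misconfigured client or a downgrade attempt.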