Certificate profiles

PKIaaS certificate issuance is always in the context of a certificate profile. These profiles are defined within the PKIaaS service and referenced by name in the certificate issuance requests. As described in PKIaaS subscriber certificate profiles, Entrust tunes the profiles to specific use cases:

• ECS Enterprise UI

• CA Gateway API

• On-premises Certificate Enrollment Gateway (CEG).

Subscriber key algorithms

PKIaaS supports RSA and EC subscriber certificate key algorithms. PKIaaS is validated to sign certificates that use the following algorithms for their public key.

• ECDSA P-256

• ECDSA P-384

• ECDSA P-521

• RSA 2048

• RSA 3072

• RSA 4096

Validity period

The certificate validity period cannot go beyond the expiry date of the issuing CA. The validity period value defaults to 3 years if it is not specified in the request.

Enrollment by CSR

All certificate issuance requests are completed through CSR format. The calling application is responsible for the generation of the certificate's private key.

Subject Alt Names

Subject Alt Names (SANs) are supplied in the request separate from the CSR. API requests to PKIaaS support the "subjectAltNames" field of the request.

Some third-party services such as Venafi require to automatically supply SANs using the common names for TLS server certificates. To automatically supply SANs using common names, PKIaaS offers two certificate profiles under Private SSL (ACMEv2) certificate profiles .

• privatessl-tls-client-server-supply-san

• privatessl-tls-server-supply-san

Extensions

Certificate extensions are supplied in the request separate from the CSR. Use the following API field to supply extensions.

Proof of possession

The proof of possession check automatically validates that the caller has possession of the private key. The POP check is always performed during certificate request validation.