Entrust provides the following MDMWS (Mobile Device Management Web Service) certificate profiles.

  • mdmws-digital-signature
  • mdmws-digital-signature-key-encipherment
  • mdmws-digital-signature-key-encipherment-clientauth
  • mdmws-key-encipherment
  • mdmws-non-repudiation
  • mdmws-p12-digital-signature
  • mdmws-p12-digital-signature-key-encipherment
  • mdmws-p12-digital-signature-key-encipherment-clientauth
  • mdmws-p12-key-encipherment
  • mdmws-p12-non-repudiation

These profiles support the following features.

MDMWS use cases

All MDMWS profiles support the following use cases.

  • ECS Enterprise UI
  • CA Gateway API
  • Entrust-hosted Enrollment Gateway
  • On-prem Enrollment Gateway

MDMWS issuance modes and key usages

MDMWS profiles support the following issuance modes:

  • Issue the certificate from a CSR.
  • Issue the certificate and an RSA2048 private key in a P12 file.

See below the issuance mode, Key Usage, and Extended Key Usage (EKU) values each MDMWSprofile supports.

Profile

CSR

P12

Key Usage

Extended Key Usage

Allows Extended Key Usage in request

mdmws-digital-signature

(tick)

(error)

Digital Signature

No constraints

(tick)

mdmws-digital-signature-key-encipherment

(tick)

(error)

Digital Signature, Key Encipherment

No constraints

(tick)

mdmws-digital-signature-key-encipherment-clientauth

(tick)

(error)

Digital Signature, Key Encipherment

TLS client authentication (1.3.6.1.5.5.7.3.2)

(error)

mdmws-key-encipherment

(tick)

(error)

Key Encipherment

No constraints

(tick)

mdmws-non-repudiation

(tick)

(error)

Digital Signature, Non-Repudiation

No constraints

(tick)

mdmws-p12-digital-signature

(tick)

(tick)

Digital Signature

No constraints

(tick)

mdmws-p12-digital-signature-key-encipherment

(tick)

(tick)

Digital Signature, Key Encipherment

No constraints

(tick)

mdmws-p12-digital-signature-key-encipherment-clientauth

(tick)

(tick)

Digital Signature, Key Encipherment

TLS client authentication (1.3.6.1.5.5.7.3.2)

(error)

mdmws-p12-key-encipherment

(tick)

(tick)

Key Encipherment

No constraints

(tick)

mdmws-p12-non-repudiation

(tick)

(tick)

Digital Signature, Non-Repudiation

No constraints

(tick)

MDMWS request extensions

All MDMWS profiles support the following non-critical extensions in request.

Extension name

Extension OID

Certificate Policies

2.5.29.32

Application Policies

1.3.6.1.4.1.311.21.10

Smime Capabilities

1.2.840.113549.1.9.15

MSTemplateOID

1.3.6.1.4.1.311.21.7

MSTemplateName

1.3.6.1.4.1.311.20.2

szOID_NTDS_CA_SECURITY_EXT

1.3.6.1.4.1.311.25.2

MDMWS certificate fields

All MDMWS profiles set the following certificate fields.

Field

Value

Issuer

Customer's subordinate issuing CA.

Subject

No constraint.

Validity period

Less than or equal to the expiry of the issuing CA. Defaults to 1 year if not specified in the request.

MDMWS certificate extensions

All MDMWS profiles set the following certificate extension values.

Extension

OID

CertificatePolicies

2.5.29.32

ApplicationPolicies

1.3.6.1.4.1.311.21.10

SmimeCapabilities

1.2.840.113549.1.9.15

MSTemplateOID

1.3.6.1.4.1.311.21.7

MSTemplateName

1.3.6.1.4.1.311.20.2

szOID_NTDS_CA_SECURITY_EXT

1.3.6.1.4.1.311.25.2

MDMWS algorithm constraints

All MDMWS profiles support the following key and signature algorithms.

Key algorithm

Signature algorithm

ECDSA P-256

ecdsa-with-SHA256

ECDSA P-384

ecdsa-with-SHA384

ECDSA P-521

ecdsa-with-SHA512

RSA 2048

sha256WithRSAEncryption

RSA 3072

sha256WithRSAEncryption

RSA 4096

sha512WithRSAEncryption

The NIST will deprecate some algorithms after Dec 31, 2030. See https://nvlpubs.nist.gov/nistpubs/ir/2024/NIST.IR.8547.ipd.pdf

MDMWS distinguished names

Entrust has no restriction on Distinguished Names (DNs) per certificate profile. All certificate profiles support the following identifiers.

Alias

OID

'CN' 'CommonName'

2.5.4.3

'SN' 'SurName'

2.5.4.4

'SERIALNUMBER' 'DeviceSerialNumber'

2.5.4.5

'C' 'Country'

2.5.4.6

'L' 'Locality'

2.5.4.7

'ST' 'S' 'State'

2.5.4.8

'STREET' 'StreetAddress'

2.5.4.9

'O' 'Org' 'Organization'

2.5.4.10

'OU' 'OrganizationalUnit' 'OrganizationUnit' 'OrgUnit'

2.5.4.11

'T' 'Title'

2.5.4.12

'BUSINESSCATEGORY'

2.5.4.15

'POSTALCODE'

2.5.4.17

'givenName' 'G'

2.5.4.42

'I' 'Initials'

2.5.4.43

'ORGANIZATIONIDENTIFIER'

2.5.4.97

'UID'

0.9.2342.19200300.100.1.1

'DC' 'DomainComponent'

0.9.2342.19200300.100.1.25

'Email' 'E'

1.2.840.113549.1.9.1

'unstructuredName'

1.2.840.113549.1.9.2

'unstructuredAddress'

1.2.840.113549.1.9.8

'JurisdictionOfIncorporationLocalityName'

1.3.6.1.4.1.311.60.2.1.1

'JurisdictionOfIncorporationStateOrProvinceName'

1.3.6.1.4.1.311.60.2.1.2

'JurisdictionOfIncorporationCountryName'

1.3.6.1.4.1.311.60.2.1.3

'TrademarkOfficeName'

1.3.6.1.4.1.53087.1.2

'TrademarkCountryOrRegionName'

1.3.6.1.4.1.53087.1.3

'TrademarkRegistration'

1.3.6.1.4.1.53087.1.4

'LegalEntityIdentifier'

1.3.6.1.4.1.53087.1.5

'WordMark'

1.3.6.1.4.1.53087.1.6

'MarkType'

1.3.6.1.4.1.53087.1.13

'StatuteCountryName'

1.3.6.1.4.1.53087.3.2

'StatuteStateOrProvinceName'

1.3.6.1.4.1.53087.3.3

'StatuteLocalityName'

1.3.6.1.4.1.53087.3.4

'StatuteCitation'

1.3.6.1.4.1.53087.3.5

'StatuteURL'

1.3.6.1.4.1.53087.3.6