PKIaaS CA & VA certificate profiles

Entrust PKIaaS uses the following profiles for root CAs, issuing CAs, and VA (OCSP).

  • basic-ca-root

  • basic-ca-subord

  • basic-ocsp

These profiles are neither exposed nor configurable. External root CAs are not covered by these profiles.

The following sections describe these profiles.

Key and signature algorithms

All PKIaaS CA & VA profiles support the following key algorithms, each paired with the signature algorithm that the profile uses with a key of that type.

  Key algorithm    Signature algorithm
  ECDSA P-256      ecdsa-with-SHA256
  ECDSA P-384      ecdsa-with-SHA384
  ECDSA P-521      ecdsa-with-SHA512
  RSA 2048         sha256WithRSAEncryption
  RSA 3072         sha256WithRSAEncryption
  RSA 4096         sha512WithRSAEncryption

Certificate fields

The PKIaaS CA & VA profiles set the following certificate fields.

Issuer
  basic-ca-root:    Self-signed
  basic-ca-subord:  Customer's online root CA
  basic-ocsp:       Customer's online root or issuing CA

Subject
  basic-ca-root:    No constraint
  basic-ca-subord:  No constraint
  basic-ocsp:       No constraint

Validity period
  basic-ca-root:    20 years or less
  basic-ca-subord:  10 years or less; the subordinate CA's notAfter cannot be later than the root CA's notAfter
  basic-ocsp:       30 days

Certificate critical extensions

The PKIaaS CA & VA profiles set the following certificate critical extensions.

Basic Constraints
  basic-ca-root:    cA=True
  basic-ca-subord:  cA=True, pathLenConstraint=0 (the subordinate can issue end-entity certificates only, not further CA certificates)
  basic-ocsp:       cA=False

Extended Key Usage
  basic-ca-root:    Never present
  basic-ca-subord:  Never present
  basic-ocsp:       OCSP Signing (id-kp-OCSPSigning, 1.3.6.1.5.5.7.3.9)

Key Usage
  basic-ca-root:    digitalSignature, keyCertSign, cRLSign
  basic-ca-subord:  digitalSignature, keyCertSign, cRLSign
  basic-ocsp:       digitalSignature, keyCertSign, cRLSign

Note that RFC 5280 section 4.2.1.3 allows keyCertSign only when the cA bit of Basic Constraints is also asserted, so keyCertSign is inconsistent with the cA=False Basic Constraints of basic-ocsp; a conforming OCSP responder certificate needs only digitalSignature to sign responses. Check the Key Usage of the responder certificate you actually receive rather than relying on this table alone.

Certificate non-critical extensions

The PKIaaS CA & VA profiles set the following non-critical certificate extensions.

Authority Information Access (AIA)
  basic-ca-root:    Never present
  basic-ca-subord:  Present when the customer enables OCSP on CA creation
  basic-ocsp:       Always present

Authority Key Identifier
  basic-ca-root:    Never present
  basic-ca-subord:  keyIdentifier matches the subjectKeyIdentifier of the signing certificate
  basic-ocsp:       keyIdentifier matches the subjectKeyIdentifier of the signing certificate

CRL Distribution Points
  basic-ca-root:    Never present (not applicable)
  basic-ca-subord:  Always present
  basic-ocsp:       Always present

OCSP No Check (id-pkix-ocsp-nocheck, RFC 6960 section 4.2.2.2.1)
  basic-ca-root:    Never present
  basic-ca-subord:  Never present
  basic-ocsp:       Present; clients therefore do not revocation-check the responder certificate itself, so the short (30-day) validity period is what bounds the exposure of a compromised responder key

Subject Key Identifier
  All three profiles: the leftmost 160 bits of the SHA-256 hash of the value of the BIT STRING subjectPublicKey, as described in RFC 7093 section 2 (method 1)
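The following is an added example, not Entrust code and not part of the original page. It turns the critical-extension table and the Subject Key Identifier rule above into checks a practitioner can run over the DER values pulled from an issued certificate: it decodes Key Usage, Basic Constraints and Extended Key Usage with a minimal standard-library DER reader (not a general ASN.1 parser), compares them with the profile, applies the RFC 5280 rule that keyCertSign requires cA=True, and computes the RFC 7093 method-1 key identifier from a SubjectPublicKeyInfo so that a subordinate's or responder's Authority Key Identifier can be matched against its issuer. Assumptions: the responder profile is encoded with digitalSignature only (what RFC 5280 permits for a cA=False certificate), and all byte strings are hand-constructed test vectors, including a P-256 SubjectPublicKeyInfo whose point bytes are dummy values.

```python
"""Check extension values against the PKIaaS CA & VA profile tables and compute the
RFC 7093 Subject Key Identifier. Added example, not Entrust code; standard library only."""
import hashlib
OID_OCSP_SIGNING = "1.3.6.1.5.5.7.3.9"                                  # id-kp-OCSPSigning
KU_BITS = {"digitalSignature": 0, "keyCertSign": 5, "cRLSign": 6}       # RFC 5280 4.2.1.3
# Profile tables as data; eku=None means "never present". Assumption (not from the page):
# the responder carries digitalSignature only, as RFC 5280 forbids keyCertSign with cA=False.
PROFILES = {
    "basic-ca-root":   dict(ca=True, pathlen=None, eku=None,
                            ku={"digitalSignature", "keyCertSign", "cRLSign"}),
    "basic-ca-subord": dict(ca=True, pathlen=0, eku=None,
                            ku={"digitalSignature", "keyCertSign", "cRLSign"}),
    "basic-ocsp":      dict(ca=False, pathlen=None, eku={OID_OCSP_SIGNING},
                            ku={"digitalSignature"}),
}

def tlv(buf, pos=0):
    """Read one DER TLV at pos -> (tag, value, next_pos); definite lengths only."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                   # long form: (ln & 0x7f) length octets follow
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def seq_items(body):
    """Yield (tag, value) for each element of a SEQUENCE body."""
    pos = 0
    while pos < len(body):
        tag, val, pos = tlv(body, pos)
        yield tag, val

def decode_key_usage(der):
    """KeyUsage ::= BIT STRING -> set of named bits that are set (bit 0 = MSB of octet 0)."""
    tag, body, _ = tlv(der)
    assert tag == 0x03, "KeyUsage must be a BIT STRING"
    unused, bits = body[0], body[1:]                # first octet counts unused trailing bits
    return {n for n, i in KU_BITS.items()
            if i < len(bits) * 8 - unused and (bits[i // 8] >> (7 - i % 8)) & 1}

def decode_basic_constraints(der):
    """BasicConstraints ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE, pathLen INTEGER OPTIONAL }."""
    tag, body, _ = tlv(der)
    assert tag == 0x30, "BasicConstraints must be a SEQUENCE"
    ca, pathlen = False, None                       # DER omits cA when it is FALSE
    for t, v in seq_items(body):
        if t == 0x01:
            ca = v != b"\x00"
        elif t == 0x02:
            pathlen = int.from_bytes(v, "big")
    return ca, pathlen

def decode_oid(content):
    """OBJECT IDENTIFIER content octets -> dotted string (base-128 arcs)."""
    arcs, n = [str(content[0] // 40), str(content[0] % 40)], 0
    for b in content[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:                            # high bit clear ends the arc
            arcs.append(str(n))
            n = 0
    return ".".join(arcs)

def decode_eku(der):
    """ExtKeyUsage ::= SEQUENCE OF OBJECT IDENTIFIER -> set of dotted OIDs."""
    tag, body, _ = tlv(der)
    return {decode_oid(v) for t, v in seq_items(body) if t == 0x06}

def subject_key_identifier(spki_der):
    """RFC 7093 section 2, method 1: leftmost 160 bits of SHA-256 over the value of the
    subjectPublicKey BIT STRING (unused-bits octet excluded); the issuer's AKI must match."""
    _, spki, _ = tlv(spki_der)                      # SubjectPublicKeyInfo SEQUENCE
    (_, _algid), (tag, bitstr) = list(seq_items(spki))
    assert tag == 0x03, "subjectPublicKey must be a BIT STRING"
    return hashlib.sha256(bitstr[1:]).digest()[:20]

def check_profile(name, basic_constraints, key_usage, eku=None):
    """Findings for one certificate's critical extensions against a profile; [] = conforms."""
    p, findings = PROFILES[name], []
    ca, pathlen = decode_basic_constraints(basic_constraints)
    ku = decode_key_usage(key_usage)
    ekus = decode_eku(eku) if eku is not None else None
    if ca != p["ca"]:
        findings.append(f"cA={ca}, profile requires cA={p['ca']}")
    if pathlen != p["pathlen"]:
        findings.append(f"pathLenConstraint={pathlen}, profile requires {p['pathlen']}")
    if ku != p["ku"]:
        findings.append(f"keyUsage {sorted(ku)} != {sorted(p['ku'])}")
    if "keyCertSign" in ku and not ca:              # RFC 5280 4.2.1.3, independent of the profile
        findings.append("keyCertSign asserted on a cA=False certificate")
    if ekus != p["eku"]:
        findings.append(f"extendedKeyUsage {ekus} != {p['eku']}")
    return findings

BC_CA_TRUE   = bytes.fromhex("3003 0101ff")                 # constructed vector: cA=TRUE
BC_PATHLEN_0 = bytes.fromhex("3006 0101ff 020100")          # cA=TRUE, pathLenConstraint=0
BC_CA_FALSE  = bytes.fromhex("3000")                        # cA=FALSE (default value omitted)
KU_CA        = bytes.fromhex("0302 01 86")                  # digitalSignature, keyCertSign, cRLSign
KU_SIGN_ONLY = bytes.fromhex("0302 07 80")                  # digitalSignature
EKU_OCSP     = bytes.fromhex("300a 0608 2b06010505070309")  # id-kp-OCSPSigning
SPKI_P256 = (bytes.fromhex("3059 3013 0607 2a8648ce3d0201 0608 2a8648ce3d030107 0342 00")
             + b"\x04" + bytes(range(1, 65)))               # P-256 SPKI with dummy point bytes
```

Feeding `check_profile("basic-ocsp", BC_CA_FALSE, KU_CA, EKU_OCSP)` the CA key usages listed in the table for the responder returns two findings (the profile mismatch and the RFC 5280 keyCertSign rule), which is the check worth running against a real responder certificate. The key identifier function only hashes the BIT STRING value, so the same public key wrapped in a different AlgorithmIdentifier yields the same identifier, as RFC 7093 intends.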