The TLS Proxy CA service provides provides a tlsproxy-ca-subord certificate profile for root Certificate Authorities.
Each external subordinate CA issued by a PKIaaS root CA only consumes one PKIaaS Certificate license. Entrust does not charge for certificates issued by external subordinate CAs because those certificates are considered external and not using the PKIaaS infrastructure.
TLS Proxy CA use cases
The tlsproxy-ca-subord profile supports the following use cases.
- ECS Enterprise UI
- CA Gateway API
TLS Proxy CA request extensions
The tlsproxy-ca-subord profile supports the following non-critical extensions in request.
Extension name | Extension OID |
|---|---|
CertificatePolicies | 2.5.29.32 |
TLS Proxy CA certificate fields
The tlsproxy-ca-subord profile sets the following certificate fields.
Field | Value |
|---|---|
Issuer | Customer's subordinate issuing CA. |
Subject | No constraint |
Validity period | Defaults to 1 year if not specified. |
TLS Proxy CA certificate extensions
The tlsproxy-ca-subord profile sets the following certificate extensions.
Extension | Critical | Value |
|---|---|---|
AIA | No | Supplied if the customer enables OCSP when creating the CA |
Authority Key Identifier | No | Matches subjectKeyIdentifier of the signing certificate |
Basic Constraints | Yes | cA=True, pathLenConstraint=0 |
CRL Distribution Points | No | Always present |
Extended Key Usage | No | TLS server authentication (1.3.6.1.5.5.7.3.1), TLS client authentication (1.3.6.1.5.5.7.3.2) |
Key Usage | Yes | Certificate Signing, CRL Signing, Digital Signature |
Subject Alternative Name | No | No constraints |
Subject Key Identifier | No | «The leftmost 160-bits of the SHA-256 hash of the value of the BIT STRING subjectPublicKey» as described in RFC 7093 section 2 |
TLS Proxy CA algorithm constraints
The tlsproxy-ca-subord profile supports the following key and signature algorithms.
Key algorithm | Signature algorithm |
|---|---|
ECDSA P-256 | ecdsa-with-SHA256 |
ECDSA P-384 | ecdsa-with-SHA384 |
ECDSA P-521 | ecdsa-with-SHA512 |
RSA 2048 | sha256WithRSAEncryption |
RSA 3072 | sha256WithRSAEncryption |
RSA 4096 | sha512WithRSAEncryption |
The NIST will deprecate some algorithms after Dec 31, 2030. See https://nvlpubs.nist.gov/nistpubs/ir/2024/NIST.IR.8547.ipd.pdf
TLS Proxy CA distinguished names
Entrust has no restriction on Distinguished Names (DNs) per certificate profile. All certificate profiles support the following identifiers.
Alias | OID |
|---|---|
'CN' 'CommonName' | 2.5.4.3 |
'SN' 'SurName' | 2.5.4.4 |
'SERIALNUMBER' 'DeviceSerialNumber' | 2.5.4.5 |
'C' 'Country' | 2.5.4.6 |
'L' 'Locality' | 2.5.4.7 |
'ST' 'S' 'State' | 2.5.4.8 |
'STREET' 'StreetAddress' | 2.5.4.9 |
'O' 'Org' 'Organization' | 2.5.4.10 |
'OU' 'OrganizationalUnit' 'OrganizationUnit' 'OrgUnit' | 2.5.4.11 |
'T' 'Title' | 2.5.4.12 |
'BUSINESSCATEGORY' | 2.5.4.15 |
'POSTALCODE' | 2.5.4.17 |
'givenName' 'G' | 2.5.4.42 |
'I' 'Initials' | 2.5.4.43 |
'ORGANIZATIONIDENTIFIER' | 2.5.4.97 |
'UID' | 0.9.2342.19200300.100.1.1 |
'DC' 'DomainComponent' | 0.9.2342.19200300.100.1.25 |
'Email' 'E' | 1.2.840.113549.1.9.1 |
'unstructuredName' | 1.2.840.113549.1.9.2 |
'unstructuredAddress' | 1.2.840.113549.1.9.8 |
'JurisdictionOfIncorporationLocalityName' | 1.3.6.1.4.1.311.60.2.1.1 |
'JurisdictionOfIncorporationStateOrProvinceName' | 1.3.6.1.4.1.311.60.2.1.2 |
'JurisdictionOfIncorporationCountryName' | 1.3.6.1.4.1.311.60.2.1.3 |
'TrademarkOfficeName' | 1.3.6.1.4.1.53087.1.2 |
'TrademarkCountryOrRegionName' | 1.3.6.1.4.1.53087.1.3 |
'TrademarkRegistration' | 1.3.6.1.4.1.53087.1.4 |
'LegalEntityIdentifier' | 1.3.6.1.4.1.53087.1.5 |
'WordMark' | 1.3.6.1.4.1.53087.1.6 |
'MarkType' | 1.3.6.1.4.1.53087.1.13 |
'StatuteCountryName' | 1.3.6.1.4.1.53087.3.2 |
'StatuteStateOrProvinceName' | 1.3.6.1.4.1.53087.3.3 |
'StatuteLocalityName' | 1.3.6.1.4.1.53087.3.4 |
'StatuteCitation' | 1.3.6.1.4.1.53087.3.5 |
'StatuteURL' | 1.3.6.1.4.1.53087.3.6 |