• About this guide
    • Acronyms
    • Revision information
    • Other documents
    • Documentation feedback
  • Introduction to PKIaaS
    • PKIaaS benefits
    • PKIaaS capabilities
      • Certification Authority instantiation
      • Certificate issuance
      • Certificate management
      • Certificate status checking
        • Entrust PKIaaS Certificate Revocation Lists
        • Entrust PKIaaS OCSP service
    • PKIaaS operation
    • PKIaaS governance model
      • Entrust responsibilities
      • Customer responsibilities
    • PKIaaS quotas and limits
    • Compliance frameworks
    • Definitions
  • Ordering and activating PKIaaS
    • Placing an order
      • Purchasing enterprise bundles
      • Purchasing services a la carte
    • Activating your Entrust Certificate Service Enterprise account
    • Checking your PKIaaS inventory
    • Activating Entrust TrustedCare (optional)
  • PKIaaS setup wizard
  • Role-Based Access Control
    • User types with PKIaaS roles
    • Creating a user with PKIaaS roles
    • Granting PKIaaS roles to existing users
  • Managing CAs with Entrust Certificate Services Enterprise
    • Creating an online root CA
    • Creating an issuing CA under an online root CA
    • Selecting the certificate profiles of a CA
    • Creating an external subordinate CA
    • Adding an external root CA
    • Adding an issuing CA under an external root CA
    • Downloading a CA certificate
    • Deleting a CA
  • Managing certificates with Entrust Certificate Services Enterprise
    • Issuing certificates
      • Processing a Certificate Signing Request
      • Generating a PKCS #12
    • Browsing and downloading certificates
    • Revoking certificates
    • Managing reports, alerts, and notifications
    • Configuring auto-enrollment
  • Automating Intune enrollment with an Entrust-hosted Enrollment Gateway
    • Intune integration requirements
    • Creating an Intune application in Azure
    • Configuring Intune automation in Entrust Certificate Services
      • Configuring an Entrust PKIaaS issuing CA for Intune
      • Downloading the Entrust PKIaaS CA certification chain for Intune
      • Configuring an Entrust-hosted Certificate Enrollment Gateway for Intune
      • Getting the Intune Service URL
    • Configuring Intune profiles in Azure
      • Creating Intune profiles for Windows in Azure
      • Creating Intune profiles for Android in Azure
      • Creating Intune profiles for MacOS in Azure
      • Creating Intune profiles for iOS and iPadOS in Azure
    • Enrolling user devices with the Intune Company Portal
      • Enrolling Windows devices with the Intune Company Portal
      • Enrolling Android devices with the Intune Company Portal
      • Enrolling iOS devices with the Intune Company Portal
      • Enrolling MacOS devices with the Intune Company Portal
    • Renewing enrolled certificates
    • Revoking and removing certificates
  • Automating MDM enrollment with an Entrust-hosted Enrollment Gateway
    • MDM integration requirements
    • Configuring MDM automation in Entrust Certificate Services
      • Configuring an Entrust PKIaaS issuing CA for MDM
      • Downloading the Entrust PKIaaS root CA certificate for MDM
      • Adding an Entrust-hosted Certificate Enrollment Gateway for MDM
      • Adding digital identifiers to a Certificate Enrollment Gateway for MDM
        • Profile ID
        • RDN Format
        • Parent DN
      • Getting Certificate Enrollment Gateway settings for MDM
    • Configuring MDM automation in Ivanti Neurons MDM
      • Adding Entrust as issuing certificate authority in Ivanti Neurons MDM
      • Adding the PKIaaS issuing and root CA certificates in Ivanti Neurons MDM
      • Adding an identity certificate in Ivanti Neurons MDM
    • Configuring MDM automation in Jamf
      • Options
        • General
        • Certificate
        • SCEP
          • URL
          • Name
          • Redistribute Profile
          • Subject
          • Subject Alternative Name Type
          • Retries
          • Retry delay
          • Challenge type
          • Entrust Web Service URL
          • Administrator Username
          • Administrator Password
          • Verify Password
          • Digital ID Configuration Name
          • Group Name
          • RDN Variables
          • Key Size
          • Use as digital signature
          • Use for key encipherment
          • Fingerprint
      • Scope
    • Configuring MDM automation in VMware Workspace ONE
      • Adding a Certificate Authority and a Request Template for MDM automation in VMware Workspace ONE
      • Adding a profile for trusted certificates in VMware Workspace ONE
      • Adding a PKI profile for MDM automation in VMware Workspace ONE
      • Adding a SCEP profile for MDM automation in VMware Workspace ONE
      • Testing MDM automation in VMware Workspace ONE
  • Automating Windows Auto Enrollment (WSTEP) with an Entrust-hosted Enrollment Gateway
    • Planning your WSTEP deployment
    • WSTEP enrollment requirements
      • ECS account requirements for WSTEP enrollment
      • PKIaaS Virtual Machine requirements
        • Network requirements for the PKIaaS Virtual Machine
        • Virtualization platform requirements for the PKIaaS Virtual Machine
          • Azure requirements for the PKIaaS Virtual Machine
          • VMware requirements for the PKIaaS Virtual Machine
      • Windows requirements for WSTEP enrollment
        • Windows user requirements for configuring WSTEP enrollment
        • Network requirements for the Windows devices
        • Active Directory requirements for WSTEP enrollment
    • Preparing the Active Directory forest for WSTEP
      • Creating a PKIaaS WSTEP Service Account
      • Installing the default set of Microsoft Certificate Templates
        • Enabling the Certificate Templates snap-in
        • Installing the default set of Microsoft Certificate Templates using the snap-in
      • Downloading the certificate chain
      • Setting up LDAPS on domain controllers
        • Establishing trust of the LDAPS TLS chain
          • Creating a Group Policy Object for the LDAPS TLS certificate chain
          • Importing the LDAPS TLS certificate chain into the Group Policy Object
          • Linking the TLS LDAPS Group Policy Object to all domains
        • Generating the LDAPS TLS certificates
        • Installing the LDAPS TLS certificates
        • Validating the LDAPS configuration
    • Configuring an Entrust PKIaaS issuing CA for WSTEP
    • Creating an Entrust-hosted Certificate Enrollment Gateway for WSTEP
    • Downloading a PKIaaS Virtual Machine from the PKIaaS portal
    • Installing a PKIaaS Virtual Machine
      • Installing a PKIaaS Virtual Machine on Amazon Web Services
        • Creating an S3 bucket for the PKIaaS Virtual Machine
        • Configuring an IAM policy for the PKIaaS Virtual Machine
          • Creating a new IAM policy
          • Updating an existing IAM policy
        • Creating an IAM role for the PKIaaS Virtual Machine
        • Uploading the OVA file of the PKIaaS Virtual Machine to AWS
        • Creating an AMI import configuration file
        • Preparing the command-line interface
        • Importing the AMI
        • Creating an EC2 instance for the PKIaaS Virtual Machine
        • Opening a PKIaaS Virtual Machine session on AWS
      • Installing a PKIaaS Virtual Machine on Azure
        • Creating an Azure storage account for the PKIaaS Virtual Machine
        • Uploading the VHD image of the PKIaaS Virtual Machine file to Azure
        • Creating an Azure image for the PKIaaS Virtual Machine
        • Creating Azure network rules for the PKIaaS Virtual Machine
        • Creating the PKIaaS Virtual Machine on Azure
        • Opening a PKIaaS Virtual Machine session on Azure
      • Installing a PKIaaS Virtual Machine on VMware vSphere
    • Configuring PKIaaS Virtual Machines on the PKIaaS portal
      • Registering a PKIaaS Virtual Machine
      • Adding an agent to a PKIaaS Virtual Machine
        • Configuring an Active Directory in the agent
        • Preparing the service account for Kerberos
        • Synchronizing the agent with the root Active Directory
      • Linking additional Active Directories to an agent
      • Managing PKIaaS Virtual Machine configurations
        • Selecting PKIaaS Virtual Machine actions
        • Copying the enrollment URL
      • Managing Active Directory configurations
        • Add Root Active Directory
        • Edit Active Directory
        • Delete Active Directory
        • Manage Certificate Templates
        • View discovered domains
    • Enabling WSTEP for users and devices
      • Creating a Group Policy Object for the WSTEP certificate chain
      • Importing the WSTEP certificate chain into the Group Policy Object
      • Enabling PKIaaS WSTEP for users
      • Enabling autoenrollment for users
      • Enabling PKIaaS WSTEP for devices
      • Enabling autoenrollment for devices
      • Linking the WSTEP Group Policy Object to all domains
    • Managing Microsoft certificate templates in Active Directory
      • Creating and configuring certificate templates
        • Compatibility
        • Cryptography
        • Extensions
        • General
        • Issuance requirements
        • Key Attestation
        • Request Handling
        • Security
        • Server
        • Superseded Templates
      • Disabling a certificate template
    • Managing on-premises PKIaaS Virtual Machines
      • PKIaaS Virtual Machine keyboard shortcuts
      • Browsing PKIaaS Virtual Machine logs
        • Browsing PKIaaS Virtual Machine startup logs
        • Browsing WSTEP enrollment logs
      • Creating an additional PKIaaS Virtual Machine for disaster recovery
      • Recovering a PKIaaS Virtual Machine from disaster
    • Troubleshooting WSTEP enrollment issues
      • Troubleshooting PKIaaS Virtual Machine onboarding issues
      • Troubleshooting WSTEP agent configuration issues
        • DNS Server unreachable
        • Invalid LDAP credentials
        • LDAP timeout
        • TLS handshake failed
        • Unknown LDAP host
      • Troubleshooting Group Policy Object configuration issues
        • Access denied by remote endpoint
        • Remote endpoint not reachable.
      • Troubleshooting enrollment and certificate template issues
        • Certificate template not enrolling or autoenrolling
        • Missing certificate template
        • Unexpected behavior of certificate enrollment
  • Automating enrollment with an on-premises Enrollment Gateway
    • Adding an on-premises Enrollment Gateway to an issuing CA
    • Activating an on-premises Certificate Enrollment Gateway
    • Installing an on-premises Certificate Enrollment Gateway
    • Deleting an on-premises Certificate Enrollment Gateway
  • Migrating a customer-hosted Enrollment Gateway to Entrust-hosted
    • Migrating an Intune on-premises Enrollment Gateway to an Entrust-hosted Enrollment Gateway
    • Migrating an MDM on-premises Enrollment Gateway to an Entrust-hosted Enrollment Gateway
    • Migrating a WSTEP on-premises Enrollment Gateway to an Entrust-hosted Enrollment Gateway
  • Managing certificates with Entrust Certificate Hub
  • Integrating third-party tools with the Entrust CA Gateway API
    • Generating CA Gateway credentials
    • Accessing the CA Gateway API
    • Integrating with Ansible
    • Integrating with HashiCorp Vault
    • Integrating with KeyFactor CLM
    • Integrating with ServiceNow
    • Integrating with Venafi
  • Revoking certificates in bulk
  • PKIaaS CA & VA certificate profiles
  • PKIaaS subscriber certificate profiles
    • Active Directory (WSTEP) certificate profiles
    • CMPv2 certificate profiles
    • Code signing certificate profile
    • eSIM certificate profiles
    • EST certificate profiles
    • External subordinate CA certificate profiles
      • Azure Firewall Intermediate CA certificate profile
      • TLS Proxy CA certificate profile
    • Intune certificate profiles
    • MDMWS certificate profiles
    • Mobile device certificate profile
    • Multiuse certificate profiles
    • Private SSL (ACMEv2) certificate profiles
    • S/MIME Secure Email certificate profiles
    • SCEP certificate profiles
    • Smartcard certificate profiles
    • V2G certificate profiles
  • Post-quantum Lab experimental region
    • Pure post-quantum algorithms
      • Dilithium2 (1.3.6.1.4.1.2.267.7.4.4)
      • Dilithium3 (1.3.6.1.4.1.2.267.7.6.5)
      • Dilithium5 (1.3.6.1.4.1.2.267.7.8.7)
      • Falcon-512 (1.3.9999.3.6)
      • Falcon-1024 (1.3.9999.3.9)
      • SLH-DSA-SHA2-128f-ipd (1.3.9999.6.4.13)
      • SLH-DSA-SHA2-128s-ipd (1.3.9999.6.4.16)
      • SLH-DSA-SHA2-192f-ipd (1.3.9999.6.5.10)
      • SLH-DSA-SHA2-192s-ipd (1.3.9999.6.5.12)
      • SLH-DSA-SHA2-256f-ipd (1.3.9999.6.6.10)
      • SLH-DSA-SHA2-256s-ipd (1.3.9999.6.6.12)
    • Explicit composite algorithms
      • Dilithium3-ECDSA-P256-SHA256 (2.16.840.1.114027.80.5.1.2)
      • Dilithium3-RSA3072-PKCS15-SHA256 (2.16.840.1.114027.80.5.1.1)
      • Dilithium5-ECDSA-P384-SHA384 (2.16.840.1.114027.80.5.1.5)
      • Falcon512-ECDSA-P256-SHA256 (2.16.840.1.114027.80.5.1.8)
  • Obtaining support