This section describes known issues and limitations for Entrust Certificate Enrollment Gateway. For other known issues with Certificate Enrollment Gateway, see the Knowledge section of Entrust TrustedCare. Reference numbers are for internal purposes only.
- Unsupported ACMEv2 features (PKI-30901)
- Unsupported Intune-SCEP operations (PKI-28149, PKI-31351)
- ACMEv2 requests to Entrust Certificate Services cannot have an empty Subject DN (ECSPR-39482)
- ACMEv2 requests to Microsoft CA cannot have an empty Subject DN (PKI-32853)
- Authentication error message logged when enrolling with Cisco LibEST client and basic authentication (CEG-3287)
Unsupported ACMEv2 features (PKI-30901)
The Certificate Enrollment Gateway implementation of the ACME Server does not support the following RFC 8555 features:
- EdDSA signature algorithm
- Rate limits
- Changes of Terms of Service
- External Account Binding
- Pre-authorization
Unsupported Intune-SCEP operations (PKI-28149, PKI-31351)
The Certificate Enrollment Gateway integration with the Intune-SCEP protocol does not support the following draft-nourse-scep-23 operations:
- GetCRL
- GetNextCACert
ACMEv2 requests to Entrust Certificate Services cannot have an empty Subject DN (ECSPR-39482)
If an ACMEv2 client sends a CSR (certificate signing request) with an empty Subject DN, Certificate Enrollment Gateway uses the first Subject Alternative Name value in the CSR as the Subject DN. Certificate Enrollment Gateway does not alter the CSR, but sends the Subject DN value as a separate parameter to CA Gateway for processing. Entrust Certificate Services requires CSRs to have a Subject DN, and it ignores the Subject DN parameter sent by Certificate Enrollment Gateway.
Workaround: Generate the CSR, with a non-empty Subject DN, outside the ACMEv2 client using another tool, such as OpenSSL. The ACMEv2 client can then use the externally generated CSR.
ACMEv2 requests to Microsoft CA cannot have an empty Subject DN (PKI-32853)
If an ACMEv2 client sends a CSR (certificate signing request) with an empty Subject DN, Certificate Enrollment Gateway uses the first Subject Alternative Name value in the CSR as the Subject DN. Certificate Enrollment Gateway does not alter the CSR, but sends the Subject DN value as a separate parameter to CA Gateway for processing. A Microsoft Certification Authority (CA) requires CSRs to have a Subject DN, and it ignores the Subject DN parameter sent by Certificate Enrollment Gateway.
This issue does not occur when using Certificate Enrollment Gateway with CA Gateway 2.5.0 or later. With CA Gateway 2.5.0 or later, ACMEv2 clients can send a CSR with an empty Subject DN intended for a Microsoft CA without issue.
Workaround: Generate the CSR, with a non-empty Subject DN, outside the ACMEv2 client using another tool, such as OpenSSL. The ACMEv2 client can then use the externally generated CSR.
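For both of the empty-Subject-DN issues above, the check a practitioner wants before an ACMEv2 client submits a CSR is whether its Subject DN is actually empty. The following is an added example, not Entrust code: it walks the DER of a PKCS#10 request far enough to inspect the Subject Name, needing no OpenSSL or third-party module, and the sample CSRs it builds are constructed stand-ins (structurally correct up to the Subject, dummy fields after it).

```python
import base64

def der_len(n):
    """Encode a DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    """Wrap body in a DER tag/length/value triple."""
    return bytes([tag]) + der_len(len(body)) + body

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the TLV at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the next (length & 0x7F) bytes hold the length
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, pos, pos + length

def csr_subject_is_empty(csr_der):
    """Name is a SEQUENCE of RDNs, so an empty Subject DN is a zero-length SEQUENCE."""
    tag, pos, _ = read_tlv(csr_der, 0)        # CertificationRequest
    assert tag == 0x30, "not a CertificationRequest"
    tag, pos, _ = read_tlv(csr_der, pos)      # CertificationRequestInfo
    assert tag == 0x30, "missing CertificationRequestInfo"
    tag, _, pos = read_tlv(csr_der, pos)      # version INTEGER, skipped
    assert tag == 0x02, "missing version"
    tag, start, end = read_tlv(csr_der, pos)  # subject Name
    assert tag == 0x30, "missing subject Name"
    return end == start

def csr_subject_is_empty_pem(pem):
    """Same check for the PEM form that ACME clients and OpenSSL write out."""
    body = "".join(l for l in pem.strip().splitlines() if not l.startswith("-----"))
    return csr_subject_is_empty(base64.b64decode(body))

def to_pem(csr_der):
    b64 = base64.b64encode(csr_der).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE REQUEST-----\n" + lines + "\n-----END CERTIFICATE REQUEST-----\n"

def build_sample_csr(common_name):
    """Constructed stand-in for a CSR: real structure up to the Subject, dummy fields after it (not a valid request)."""
    subject = b""
    if common_name:  # SET { SEQ { OID 2.5.4.3 (commonName), UTF8String } }
        subject = tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, common_name.encode())))
    info = tlv(0x30, tlv(0x02, b"\x00") + tlv(0x30, subject) + tlv(0x30, b"") + tlv(0xA0, b""))
    return tlv(0x30, info + tlv(0x30, b"") + tlv(0x03, b"\x00"))
```

On a real request, read the PEM file and pass it to csr_subject_is_empty_pem; a True result means the CSR will hit the issues above and should be regenerated with a Subject DN.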
Authentication error message logged when enrolling with Cisco LibEST client and basic authentication (CEG-3287)
When enrolling for a certificate with a Cisco LibEST client that uses basic authentication, Certificate Enrollment Gateway always logs an authentication error, even when the simpleenroll and serverkeygen operations succeed. For example:
[2024-09-16 13:16:49.711][ERROR][10][EST][][a06bef31][https-jsse-nio-1443-exec-1][com.entrust.ceg.commons.audit.AuditLogger=>process][Request to EST operation:simpleenroll faied.Reason:Access to EST operation:simpleenroll must be authenticated ]
This error is expected with the LibEST client. Even when configured for basic authentication, the LibEST client does not send the basic authentication credentials on its first request. When the EST server does not receive basic authentication credentials on the first request, it responds with a "WWW-Authenticate" header. When the LibEST client receives the "WWW-Authenticate" header, it repeats the request with the basic authentication credentials included, and that second request succeeds.