Configuring the Entrust Certificate Services CA template object

To enable Trust Protection Platform to manage Entrust Certificate Services certificates, you must configure an Entrust Certificate Services CA template object. This object provides the information Trust Protection Platform needs to request, retrieve, and install certificates issued by the Entrust Certificate Services CA.

BEST PRACTICE  Consider managing CA Template object settings using a policy. For more information, see Managing CA templates using policies.

To create and configure an Entrust Certificate Services CA template

  1. From the TLS Protect menu bar, click Policy Tree.
  2. From the Tree drop-down menu, click Policy.
  3. In the Policy tree, select the folder where you want to create the CA Template object, and then click Add.
  4. Click CA Template, then select Entrust Certificate Services to create it.
  5. In the CA Name box, type a name for the new Entrust Certificate Services object.
  6. Refer to the following table to complete the remaining CA template settings:

    Field

    Description

    Connection

    Certificate Credential

    Certificate Credential that Trust Protection Platform uses to authenticate with the Entrust Certificate Services web service when it retrieves certificates, templates, and licensing information from the CA.

    This certificate credential is an Advantage certificate that is authorized for administration purposes on Entrust Certificate Services. For more information, see Entrust Certificate Services prerequisite configurations.

    To select the certificate credential

    1. Click the Browse button.
    2. Select the credential that stores the administration certificate required to connect to the CA, and then click Select.

    Username Credential

    As part of two-factor authentication, specify an existing username credential.

    For information about creating a username credential object, see Creating user name or password credentials.

    Validate

    Tests the selected Certificate Credential to ensure Trust Protection Platform can authenticate with the Entrust Certificate Services web service.

    If the credential is valid and the connection succeeds, Trust Protection Platform automatically populates the Certificate Types drop-down list and the supported Validity Periods.

    If new Certificate Types are added to the CA, you must click Validate to update the Certificate Types menu.

    Options

    Template

    Supported Entrust SSL certificate templates for the current iteration of the Entrust Certificate Services CA. The Certificate Types menu is automatically populated when you click Validate.

    If new templates are added to the CA, you must click Validate to update the list of available templates.

    Trust Protection Platform supports the following Entrust SSL certificate templates:

    • Standard
    • Advantage**
    • Code Signing
    • EV Code Signing
    • EV Multi-Domain**
    • Payment Services Directive (PSD2)**
    • Private Dedicated SSL
    • Private SSL**
    • Qualified Web Authentication Certificate (QWAC)**
    • Standard**
    • UC Multi-Domain**
    • Wildcard**

    ** Indicates products available to you if you're using a FLEX account.

    Certificate Organization

    Supported values are Allow only approved organizations associated with the Client, Use the default organization associated with the Client, and Allow all approved organizations in your Entrust account.

    When you select Allow only approved organizations associated with the Client or Use the default organization associated with the Client, select the Client name from the drop-down list.

    DID YOU KNOW?  Most public CAs ignore some of the information in a CSR, such as the city, state, and zip code, because those values are fixed for the Entrust customer and already known to the CA. The same can be true of the default organization value; however, some businesses have multiple organizations (for example, as a result of acquisitions). When the organization specified in a CSR matches the Entrust customer's default organization, Trust Protection Platform passes that value to the CA. However, a CSR that does not contain a valid organization would not enroll.

    This option helps to ensure successful enrollment.

    Client

    Name of your client. This name is used to generate the certificates.

    Signature Algorithm

    Specifies the algorithm that will be used by Entrust when it signs a requested certificate. Supported values are SHA1-RSA (default) and SHA256-RSA.

    Manual Approvals

    Requires manual approval for all CSRs submitted using the current CA Template object.

    When you enable Manual Approval, an administrator must log in to the Entrust Certificate Services CA service and manually approve the certificate that is being renewed.

    If both Manual Approval and Subject Alt Names are enabled on the CA Template object, Trust Protection Platform does not include the SAN values in the CSR. Instead, it notifies the approver to provide the DNS SAN values when approving the certificate.

    Subject Alt Name Enabled

    Configures the current CA template object to support CSRs with DNS-based subject alt name (SAN) values.

    NOTE  DNS SANs are included in the Unified Communications Certificates that are used with Microsoft Exchange 2007 and Microsoft Office Communications Server.

    If you do not select this option, the current CA template object will not accept CSRs with SAN values. If Trust Protection Platform attempts to submit a CSR with SAN values, the CA Template object returns the following error:

    Stage 400 (Creating CSR) SubjectAltName not supported by Application and CA.

    IMPORTANT  Before selecting this option, you must also verify that the SAN feature is enabled on your CA engine. If it isn't, the CA returns the same error message when Trust Protection Platform attempts to submit a CSR with SAN values.

    For additional information on defining SAN values in the certificate, see Subject Alt Name in the topic About certificate object settings.

    Allow Reissuance

    Check the Allow Reissuance box and type a number (in days) in the Renewal Window field if you want to allow some certificate renewals to be handled as reissuance requests. This setting is disabled (unchecked) by default.

    Allow Reissuance is useful in situations where you need to renew a certificate but do not want to change its original expiration date.

    If Allow Reissuance is disabled and a certificate's remaining validity is outside the Renewal Window, an error results indicating that the certificate cannot be reissued because the CA template does not allow it. If that occurs, you need to do one of the following: ask a Trust Protection Platform administrator to enable Allow Reissuance on the CA template, revoke and then renew the certificate, or create a new certificate object and enroll it using the same CA template (it is then treated as a first-time enrollment).

    TIP  If you issue a certificate using the Specific End Date option that is set outside of the renewal window, the certificate is reissued with the expiration date you specified in Specific End Date.

    EXAMPLE  Suppose you're updating SHA1 certificates to SHA2. However, you know that updating them could result in changing their expiration dates to fall inside of a freeze period—a time in which your IT department is verifying network and system stability. To avoid this collision, you enable Allow Reissuance to ensure that the certificate's expiration date remains the same. You accept the default 90-day renewal window because it is longer than your freeze period.

    Renewal Window (days)

    A renewal window is the time period before a certificate's expiration date during which a certificate can be renewed.

    The default renewal window is 32 days for all newly created Entrust templates.

    This option lets you specify the maximum number of days before the certificate's expiration date within which Trust Protection Platform treats a request as a renewal request. If the number of days remaining in the certificate's validity period is greater than your renewal window setting, certificate renewal requests are processed as reissuance requests instead.

    When there is no existing certificate, a new certificate request is submitted to the CA as a new (first time) request.

    TIP  You can set the renewal window to a maximum of 364 days; the default setting is 90 days. The renewal window does not prevent you from renewing a certificate that is not yet within the renewal window. Instead, it allows you to obtain a replacement version of a certificate that is not close to expiring while keeping the same expiration date.

    Certificate Transparency

    Select Use my account's default if you want Trust Protection Platform to use the setting specified in your Entrust.NET account. This is the default setting.

    Otherwise, if you want to enable it regardless of your account settings, select Send certificate to a CT log server. Or to disable it, select Do not send certificates to a CT log server.

    Enhanced Key Usage

    Specify whether to support server authentication, client authentication, or both.

    Server and Client Authentication is selected by default.

    Validity Periods

    Allows you to control which Validity Periods can be selected.

    The Validity Period is the period of time (in years) that the certificate is valid.

    Allow Users to Specify End Date

    Configures the current CA Template object to support assignment of a specific expiration date for the certificate objects to which it has been assigned.

    For more information about this setting, see Specify End Date in the topic Entrust Certificate Services—certificate settings.

    Available Validity Periods (Years)

    NOTE  This and the following settings are only visible when adding or removing validity periods to or from the CA template configuration.

    Validity Periods that are supported by the Entrust Certificate Services CA.

    Supported Validity Periods (Years)

    Validity Periods that are available when configuring an Entrust Certificate Services certificate.

    To populate this list, select the Supported Validity Periods you want to be available when configuring Entrust Certificate Services certificates in Policy Tree, and then click the right-arrow.

    Press Shift+click to select multiple contiguous validity periods. Press Ctrl+click to select multiple discontiguous validity periods.

    Allow Users to Specify End Date

    The Allow Users to Specify End Date option lets users specify expiration (end) dates for certificates requested from the CA so that they do not expire during your known freeze periods.

    Typically, renewing certificates that expire during freeze periods requires a more challenging approval process. Setting expiration (or end) dates that fall outside of freeze periods avoids potential interruptions.

    When a specific end date has been specified, the issued certificate has that date as its expiration date.

    This check box is cleared after successful enrollment (so that the validity period takes effect thereafter).

    For more information about this setting, see Specify End Date in the topic Entrust Certificate Services—certificate settings.

    Accounting

    The accounting fields enumerate the total number of pre-purchased licenses, the number of licenses used, and the number of available licenses. These fields are updated when you click the Validate button and when Trust Protection Platform retrieves a certificate.

    Total Licenses

    Number of pre-purchased certificate licenses.

    Used Licenses

    Number of pre-purchased certificate licenses that have been used.

    Available Licenses

    Number of pre-purchased certificate licenses that are available.

    Licenses Alert

    Threshold at which Trust Protection Platform begins sending certificate license alert notifications.

    When the number of remaining licenses reaches this threshold, Trust Protection Platform generates license alert events.

  7. (Optional) To see additional attributes, review the settings on the Support tab.
  8. Click Save.
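As an added illustration (not Trust Protection Platform code), the following Python models how the Allow Reissuance, Renewal Window and Specify End Date settings described in the table above decide whether a request is a first-time enrollment, a renewal, or a reissuance; the class and exception names and the error text are assumptions for this example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional, Tuple

# Added illustration of the Allow Reissuance / Renewal Window rules described
# in the table above. Not Trust Protection Platform code; class names, the
# exception and its message text are assumptions for this example.

@dataclass
class CATemplate:
    allow_reissuance: bool = False   # "Allow Reissuance" box, cleared by default
    renewal_window_days: int = 90    # "Renewal Window (days)", up to 364

@dataclass
class CertificateObject:
    expires: Optional[date]                    # None: no certificate issued yet
    specific_end_date: Optional[date] = None   # "Specify End Date", if the user set one

class ReissuanceNotAllowed(Exception):
    """Request is outside the renewal window and the template forbids reissuance."""

def classify_request(template: CATemplate, cert: CertificateObject,
                     today: date) -> Tuple[str, Optional[date]]:
    """Return (kind, expiry_kept): kind is 'new', 'renewal' or 'reissuance'."""
    if cert.expires is None:
        return "new", None          # no existing certificate: first-time request
    remaining = (cert.expires - today).days
    if remaining <= template.renewal_window_days:
        return "renewal", None      # inside the window (or expired): ordinary renewal
    if not template.allow_reissuance:
        raise ReissuanceNotAllowed("certificate cannot be reissued: "
                                   "CA template does not allow it")
    # Reissuance keeps the original expiration unless a Specific End Date was set.
    return "reissuance", cert.specific_end_date or cert.expires

def classify_iso(allow_reissuance: bool, window_days: int, expires: Optional[str],
                 today: str, end_date: Optional[str] = None) -> Tuple[str, Optional[str]]:
    """Same decision with ISO date strings, convenient for scripts and tests."""
    tpl = CATemplate(allow_reissuance, window_days)
    cert = CertificateObject(date.fromisoformat(expires) if expires else None,
                             date.fromisoformat(end_date) if end_date else None)
    kind, kept = classify_request(tpl, cert, date.fromisoformat(today))
    return kind, kept.isoformat() if kept else None

if __name__ == "__main__":
    # Constructed sample: 303 days remain, outside a 90-day window, reissuance allowed.
    print(classify_iso(True, 90, "2025-12-01", "2025-02-01"))  # ('reissuance', '2025-12-01')
```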

What's next?

After you create a CA object, you can select it from the Policy tree, and then view important information and manage various settings.

  • Click the General tab to view and modify log and permissions settings.

    • Click the Log sub-tab to view any logged events that are triggered by the template object.

      IMPORTANT  You must have the Read permission to view the Log tab.

      For more information about options found on the Log tab, see Viewing log events.

    • On the Permissions sub-tab, you can configure the users or groups to whom you want to grant permissions to the new template object.

      Consider managing object permissions via parent objects so that you can take advantage of inheritance. For more information, see Permission inheritance and flow down.
