Certificate issuance
Entrust PKIaaS capabilities for certificate issuance include the following.
- Certificate profiles
- Subscriber key algorithms
- Validity period
- Enrollment by CSR
- Subject Alt Names
- Extensions
- Proof of possession
Certificate profiles
PKIaaS performs certificate issuance within the context of a certificate profile. Each profile:
- Exists within the Entrust PKIaaS service.
- Gets referenced by name in certificate‑issuance requests.
Subscriber key algorithms
PKIaaS supports RSA and EC subscriber certificate key algorithms. PKIaaS supports signing certificates that use the following public‑key algorithms.
- ECDSA P-256
- ECDSA P-384
- ECDSA P-521
- RSA 2048
- RSA 3072
- RSA 4096
Validity period
The certificate validity period cannot go beyond the expiry date of the issuing CA.
ℹ The validity period value defaults to 3 years when not specified in the request.
Enrollment by CSR
All certificate issuance requests use the CSR format.
ℹ The calling application must generate the private key for the certificate.
Subject Alt Names
The request supplies Subject Alt Names (SANs) in the subjectAltNames field, separate from the CSR.
Some third-party services, such as Venafi, require SANs to be supplied automatically from the common names for TLS server certificates. For this purpose, the privatessl group provides the following profiles.
- privatessl-tls-client-server-supply-san
- privatessl-tls-server-supply-san
Extensions
The request supplies certificate extensions in the following field, separate from the CSR.
optionalCertificateRequestDetails.extensions
Proof of possession
The Proof of Possession (POP) check automatically validates that the caller has possession of the private key.
ℹ The system always performs the POP check during certificate‑request validation.
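A local pre-submission check for the enrollment flow above, added here as an example and not Entrust code: the caller generates a key in one of the listed algorithms, builds a CSR carrying only the subject (SANs go in the separate subjectAltNames field), and verifies the CSR self-signature. It assumes the POP check corresponds to the standard PKCS#10 self-signature; the function names and arguments are hypothetical, and it uses the OpenSSL CLI.

```shell
#!/bin/sh
# Added example. Function names and arguments are illustrative, not part of PKIaaS.

# Generate a subscriber private key in one of the algorithms listed on this page.
# The body is a subshell so the restrictive umask does not leak to the caller.
make_key() (  # make_key <algorithm> <key-out>
    umask 077  # private key readable by its owner only
    case "$1" in
        P-256) openssl ecparam -name prime256v1 -genkey -noout -out "$2" ;;
        P-384) openssl ecparam -name secp384r1 -genkey -noout -out "$2" ;;
        P-521) openssl ecparam -name secp521r1 -genkey -noout -out "$2" ;;
        RSA-2048|RSA-3072|RSA-4096)
            openssl genrsa -out "$2" "${1#RSA-}" 2>/dev/null ;;
        *) echo "unsupported subscriber key algorithm: $1" >&2; exit 1 ;;
    esac
)

# Build a PKCS#10 CSR signed with the caller's key. Only the subject goes in
# the CSR; SANs and extensions travel in separate request fields.
make_csr() {  # make_csr <key> <common-name> <csr-out>
    openssl req -new -key "$1" -subj "/CN=$2" -out "$3"
}

# Verify the CSR self-signature, i.e. that it was signed by the private key
# matching the public key it carries. Match on the message rather than the
# exit status, which has varied across OpenSSL releases.
csr_pop_ok() {  # csr_pop_ok <csr>
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'
}

# Confirm the CSR carries the public half of the key this application holds,
# so the issued certificate will be usable with that key.
csr_matches_key() {  # csr_matches_key <csr> <key>
    [ "$(openssl req -in "$1" -noout -pubkey)" = \
      "$(openssl pkey -in "$2" -pubout)" ]
}

# Typical use (constructed names):
#   make_key P-256 app.key
#   make_csr app.key host.example.internal app.csr
#   csr_pop_ok app.csr && csr_matches_key app.csr app.key
```

Running both checks before submission catches a CSR built from the wrong key or corrupted in transit before the service rejects it.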