Entrust PKI as a Service

Certificate issuance

Entrust PKIaaS capabilities for certificate issuance include the following.

Certificate profiles

PKIaaS certificate issuance is always in the context of a certificate profile. These profiles are:

  • Defined within the Entrust PKIaaS service.
  • Referenced by name in the certificate issuance requests.

As described in PKIaaS subscriber certificate profiles, Entrust tunes the profiles to specific use cases:

  • CA Gateway API
  • On-premises Certificate Enrollment Gateway (CEG)

Subscriber key algorithms

PKIaaS supports RSA and EC subscriber certificate key algorithms. PKIaaS is validated to sign certificates that use the following algorithms for their public key.

  • ECDSA P-256
  • ECDSA P-384
  • ECDSA P-521
  • RSA 2048
  • RSA 3072
  • RSA 4096

Validity period

The certificate validity period cannot go beyond the expiry date of the issuing CA.


ℹ The validity period value defaults to 3 years when not specified in the request.


Enrollment by CSR

All certificate issuance requests use the CSR format.


ℹ The calling application is responsible for generating a private key for the certificate.


Subject Alt Names

Subject Alt Names (SANs) are supplied in the subjectAltNames request field, separate from the CSR.

Some third-party services, such as Venafi, require SANs to be populated automatically from the common name of TLS server certificates. For that purpose, the privatessl group provides the following profiles, which copy the common name into the SANs.

  • privatessl-tls-client-server-supply-san
  • privatessl-tls-server-supply-san

Extensions

Certificate extensions are supplied in the request, separate from the CSR. Use the following API field to supply extensions.

optionalCertificateRequestDetails.extensions

Proof of possession

The Proof of Possession (POP) check automatically validates that the caller holds the private key corresponding to the public key in the CSR.


ℹ The POP check is always performed during certificate request validation.
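The subscriber side of the enrollment flow described under Subscriber key algorithms, Enrollment by CSR, Subject Alt Names and Proof of possession, as an added example that is not Entrust's code: the caller generates its own key and a CSR with the openssl CLI, and the two checks mirror what the service applies to the CSR. It assumes openssl is on the PATH; the subject name is a constructed sample.

```shell
#!/bin/sh
# Added example, not Entrust's code: the subscriber side of PKIaaS CSR enrollment
# with the openssl CLI, plus the two checks the service applies to the CSR.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# The caller generates and keeps the private key; PKIaaS only ever sees the CSR.
gen_key() {    # $1 = ec|rsa, $2 = curve name (ec) or modulus bits (rsa)
  if [ "$1" = ec ]; then
    openssl ecparam -name "$2" -genkey -noout -out "$WORK/key.pem"
  else
    openssl genrsa -out "$WORK/key.pem" "$2" 2>/dev/null
  fi
}

# The CSR carries the subject and is self-signed with the private key.
# SANs and extensions are NOT put in it: PKIaaS takes them from the
# subjectAltNames and optionalCertificateRequestDetails.extensions request fields.
make_csr() {   # $1 = common name
  openssl req -new -key "$WORK/key.pem" -subj "/CN=$1" -out "$WORK/req.csr"
}

# Proof of possession: the CSR signature must verify under the public key it
# carries, which shows the requester holds the matching private key.
pop_check() {  # $1 = CSR file; exit status 0 = possession proven
  openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# Subscriber key algorithm check against the list PKIaaS is validated to sign:
# ECDSA P-256/P-384/P-521 and RSA 2048/3072/4096.
key_algo_ok() {  # $1 = CSR file; exit status 0 = supported
  txt=$(openssl req -in "$1" -noout -pubkey | openssl pkey -pubin -noout -text)
  curve=$(printf '%s\n' "$txt" | sed -n 's/^ *ASN1 OID: *//p' | tr -d ' ')
  bits=$(printf '%s\n' "$txt" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
  case "$curve:$bits" in
    prime256v1:256|secp384r1:384|secp521r1:521) return 0 ;;  # ECDSA P-256/384/521
    :2048|:3072|:4096) return 0 ;;                           # RSA
    *) return 1 ;;
  esac
}

# Demo with a constructed sample subject (svc.example.internal is not a real host).
gen_key ec prime256v1
make_csr "svc.example.internal"
pop_check "$WORK/req.csr" && key_algo_ok "$WORK/req.csr" && echo "CSR accepted: POP ok, key algorithm supported"
```

A CSR whose key is outside the supported list (for example a secp256k1 key) still passes the POP check but fails key_algo_ok, which is the order in which a request would be rejected.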