Certificate issuance
Entrust PKIaaS capabilities for certificate issuance include the following.
- Certificate profiles
- Subscriber key algorithms
- Validity period
- Enrollment by CSR
- Subject Alternative Names
- Extensions
- Proof of possession
Certificate profiles
PKIaaS performs certificate issuance within the context of a certificate profile. Each profile:
- Exists within the Entrust PKIaaS service.
- Gets referenced by name in certificate-issuance requests.
Subscriber key algorithms
PKIaaS supports the following ECDSA and RSA key algorithms.
- ECDSA P-256
- ECDSA P-384
- ECDSA P-521
- RSA 2048
- RSA 3072
- RSA 4096
PKIaaS supports the following Post-Quantum (PQ) key algorithms.
| Label | VA key type | VA signature algorithm |
|---|---|---|
| Hash-SLH-DSA-SHA2-128f-With-SHA256 | RSA2048 | sha256WithRSAEncryption |
| Hash-SLH-DSA-SHA2-128s-With-SHA256 | RSA2048 | sha256WithRSAEncryption |
| Hash-SLH-DSA-SHA2-192f-With-SHA512 | RSA2048 | sha256WithRSAEncryption |
| Hash-SLH-DSA-SHA2-192s-With-SHA512 | RSA2048 | sha256WithRSAEncryption |
| Hash-SLH-DSA-SHA2-256f-With-SHA512 | RSA2048 | sha256WithRSAEncryption |
| Hash-SLH-DSA-SHA2-256s-With-SHA512 | RSA2048 | sha256WithRSAEncryption |
| Hash-SLH-DSA-SHAKE-128f-With-SHAKE128 | RSA2048 | sha256WithRSAEncryption |
| Hash-SLH-DSA-SHAKE-128s-With-SHAKE128 | RSA2048 | sha256WithRSAEncryption |
| Hash-SLH-DSA-SHAKE-192f-With-SHAKE256 | RSA2048 | sha256WithRSAEncryption |
| Hash-SLH-DSA-SHAKE-192s-With-SHAKE256 | RSA2048 | sha256WithRSAEncryption |
| Hash-SLH-DSA-SHAKE-256f-With-SHAKE256 | RSA2048 | sha256WithRSAEncryption |
| Hash-SLH-DSA-SHAKE-256s-With-SHAKE256 | RSA2048 | sha256WithRSAEncryption |
| ML-DSA-44 | RSA2048 | sha256WithRSAEncryption |
| ML-DSA-65 | RSA2048 | sha256WithRSAEncryption |
| ML-DSA-87 | RSA2048 | sha256WithRSAEncryption |
PKIaaS supports the following Composite key algorithms.
| Label | VA key type | VA signature algorithm |
|---|---|---|
| MLDSA44-ECDSA-P256-SHA256 | RSA2048 | sha256WithRSAEncryption |
| MLDSA44-RSA2048-PKCS15-SHA256 | RSA2048 | sha256WithRSAEncryption |
| MLDSA44-RSA2048-PSS-SHA256 | RSA2048 | sha256WithRSAPSS |
| MLDSA65-ECDSA-P256-SHA512 | RSA2048 | sha256WithRSAEncryption |
| MLDSA65-ECDSA-P384-SHA512 | RSA2048 | sha256WithRSAEncryption |
| MLDSA65-RSA3072-PKCS15-SHA512 | RSA2048 | sha256WithRSAEncryption |
| MLDSA65-RSA3072-PSS-SHA512 | RSA2048 | sha256WithRSAPSS |
| MLDSA65-RSA4096-PKCS15-SHA512 | RSA2048 | sha256WithRSAEncryption |
| MLDSA65-RSA4096-PSS-SHA512 | RSA2048 | sha256WithRSAPSS |
| MLDSA87-ECDSA-P384-SHA512 | RSA2048 | sha256WithRSAEncryption |
| MLDSA87-ECDSA-P521-SHA512 | RSA2048 | sha256WithRSAEncryption |
| MLDSA87-RSA3072-PSS-SHA512 | RSA2048 | sha256WithRSAPSS |
| MLDSA87-RSA4096-PSS-SHA512 | RSA2048 | sha256WithRSAPSS |
Validity period
The certificate validity period cannot go beyond the expiry date of the issuing CA.
ℹ The validity period value defaults to 3 years when not specified in the request.
Enrollment by CSR
All certificate issuance requests use the CSR format.
ℹ The calling application must generate the private key for the certificate.
Subject Alternative Names
The request supplies Subject Alternative Names (SANs) in the subjectAltNames field, separate from the CSR.
Some third-party services like Venafi require SANs to be automatically supplied using the common names for TLS server certificates. To automatically supply SANs using common names, the privatessl group provides the following profiles.
- privatessl-tls-client-server-supply-san
- privatessl-tls-server-supply-san
Extensions
The request supplies certificate extensions in the following field, separate from the CSR.
optionalCertificateRequestDetails.extensions
Proof of possession
The Proof of Possession (POP) check automatically validates that the caller has possession of the private key.
ℹ The system always performs the POP check during certificate-request validation.