est
Entrust PKIaaS provides the following EST (Enrollment over Secure Transport) certificate profiles.
est-digital-signatureest-digital-signature-key-enciphermentest-key-enciphermentest-non-repudiation
These profiles support the following features.
- Use cases
- Key usages
- Request extensions
- Certificate fields
- Certificate extensions
- Distinguished names
Use cases
All EST profiles support the CA Gateway API use case.
Key usages
See below the Key Usage extension values each EST profile supports.
| Profile | Key Usage |
|---|---|
est-digital-signature |
Digital Signature |
est-digital-signature-key-encipherment |
Digital Signature, Key Encipherment |
est-key-encipherment |
Digital Signature |
est-key-encipherment |
Key encipherment |
est-discovery-tls-server |
Digital Signature, Non-repudiation |
Request extensions
All EST profiles support the following non-critical extensions in request.
| Extension name | Extension OID |
|---|---|
| Application Policies | 1.3.6.1.4.1.311.21.10 |
| Certificate Policies | 2.5.29.32 |
| Extended Key Usage | 2.5.29.37 |
| MSTemplateName | 1.3.6.1.4.1.311.20.2 |
| MSTemplateOID | 1.3.6.1.4.1.311.21.7 |
| Smime Capabilities | 1.2.840.113549.1.9.15 |
szOID_NTDS_CA_SECURITY_EXT |
1.3.6.1.4.1.311.25.2 |
Certificate fields
All EST profiles set the following certificate fields.
| Field | Value |
|---|---|
| Issuer | Customer’s subordinate issuing CA. |
| Subject | No constraint. |
| Validity period | Less than or equal to the expiry of the issuing CA. Defaults to 1 year if not specified in the request. |
Certificate extensions
All EST profiles set the following certificate extensions.
| Extension | Critical | Value |
|---|---|---|
| AIA | No | Supplied if the customer enables OCSP when creating the CA |
| Authority Key Identifier | No | Matches the subjectKeyIdentifier of the signing certificate |
| Basic Constraints | Yes | cA=True, pathLenConstraint=1 |
| CRL Distribution Points | No | Always present |
| Key Usage | Yes | Certificate Signing, CRL Signing, Digital Signature |
| Subject Alternative Name | No | No constraints |
| Subject Key Identifier | No | «The leftmost 160-bits of the SHA-256 hash of the value of the BIT STRING subjectPublicKey» as described in RFC 7093 section 2 |
Distinguished names
Entrust PKIaaS has no restriction on Distinguished Names (DNs) per certificate profile. All certificate profiles support the following identifiers.
| Alias | OID |
|---|---|
CN, CommonName |
2.5.4.3 |
SN, SurName |
2.5.4.4 |
SERIALNUMBER, DeviceSerialNumber |
2.5.4.5 |
C, Country |
2.5.4.6 |
L, Locality |
2.5.4.7 |
ST, S, State |
2.5.4.8 |
STREET, StreetAddress |
2.5.4.9 |
O, Org, Organization |
2.5.4.10 |
OU, OrganizationalUnit, OrganizationUnit, OrgUnit |
2.5.4.11 |
T, Title |
2.5.4.12 |
BUSINESSCATEGORY |
2.5.4.15 |
POSTALCODE |
2.5.4.17 |
givenName, G |
2.5.4.42 |
I, Initials |
2.5.4.43 |
ORGANIZATIONIDENTIFIER |
2.5.4.97 |
UID |
0.9.2342.19200300.100.1.1 |
DC, DomainComponent |
0.9.2342.19200300.100.1.25 |
Email, E |
1.2.840.113549.1.9.1 |
unstructuredName |
1.2.840.113549.1.9.2 |
unstructuredAddress |
1.2.840.113549.1.9.8 |
JurisdictionOfIncorporationLocalityName |
1.3.6.1.4.1.311.60.2.1.1 |
JurisdictionOfIncorporationStateOrProvinceName |
1.3.6.1.4.1.311.60.2.1.2 |
JurisdictionOfIncorporationCountryName |
1.3.6.1.4.1.311.60.2.1.3 |
TrademarkOfficeName |
1.3.6.1.4.1.53087.1.2 |
TrademarkCountryOrRegionName |
1.3.6.1.4.1.53087.1.3 |
TrademarkRegistration |
1.3.6.1.4.1.53087.1.4 |
LegalEntityIdentifier |
1.3.6.1.4.1.53087.1.5 |
WordMark |
1.3.6.1.4.1.53087.1.6 |
MarkType |
1.3.6.1.4.1.53087.1.13 |
StatuteCountryName |
1.3.6.1.4.1.53087.3.2 |
StatuteStateOrProvinceName |
1.3.6.1.4.1.53087.3.3 |
StatuteLocalityName |
1.3.6.1.4.1.53087.3.4 |
StatuteCitation |
1.3.6.1.4.1.53087.3.5 |
StatuteURL |
1.3.6.1.4.1.53087.3.6 |