scep
Entrust PKIaaS provides the following SCEP (Simple Certificate Enrollment Protocol) certificate profiles.
scep-digital-signaturescep-digital-signature-key-enciphermentscep-key-enciphermentscep-non-repudiation
These profiles support the following features.
- Use cases
- Key usages
- Request extensions
- Certificate fields
- Certificate extensions
- Distinguished names
Use cases
All SCEP profiles support the CA Gateway API use case.
Key usages
See below the Key Usage and Extended Key Usage (EKU) extension values each SCEP profile supports.
| Profile | Key Usage | |
|---|---|---|
scep-digital-signature |
Digital Signature | |
scep-digital-signature-key-encipherment |
Digital Signature, Key Encipherment | |
scep-key-encipherment |
Key Encipherment | |
scep-non-repudiation |
Digital Signature, Non-Repudiation |
Request extensions
All SCEP profiles support the following non-critical extensions in request.
| Extension name | Extension OID |
|---|---|
| Application Policies | 1.3.6.1.4.1.311.21.10 |
| Certificate Policies | 2.5.29.32 |
| Extended Key Usage | 2.5.29.37 |
| MSTemplateName | 1.3.6.1.4.1.311.20.2 |
| MSTemplateOID | 1.3.6.1.4.1.311.21.7 |
| Smime Capabilities | 1.2.840.113549.1.9.15 |
szOID_NTDS_CA_SECURITY_EXT |
1.3.6.1.4.1.311.25.2 |
Certificate fields
All SCEP profiles set the following certificate fields.
| Field | Value |
|---|---|
| Issuer | Customer’s subordinate issuing CA. |
| Subject | No constraint |
| Validity period | Less than or equal to the expiry of the issuing CA. Defaults to 1 year if not specified in the request. |
Certificate extensions
All SCEP profiles set the following certificate extensions.
| Extension | Critical | Value |
|---|---|---|
| AIA | No | Supplied if the customer enables OCSP when creating the CA |
| Authority Key Identifier | No | Matches the subjectKeyIdentifier of the signing certificate |
| Basic Constraints | Yes | cA=False |
| CRL Distribution Points | No | Always present |
| Subject Alternative Name | No | No constraints |
| Subject Key Identifier | No | «The leftmost 160-bits of the SHA-256 hash of the value of the BIT STRING subjectPublicKey» as described in RFC 7093 section 2 |
Distinguished names
Entrust PKIaaS has no restriction on Distinguished Names (DNs) per certificate profile. All certificate profiles support the following identifiers.
| Alias | OID |
|---|---|
CN, CommonName |
2.5.4.3 |
SN, SurName |
2.5.4.4 |
SERIALNUMBER, DeviceSerialNumber |
2.5.4.5 |
C, Country |
2.5.4.6 |
L, Locality |
2.5.4.7 |
ST, S, State |
2.5.4.8 |
STREET, StreetAddress |
2.5.4.9 |
O, Org, Organization |
2.5.4.10 |
OU, OrganizationalUnit, OrganizationUnit, OrgUnit |
2.5.4.11 |
T, Title |
2.5.4.12 |
BUSINESSCATEGORY |
2.5.4.15 |
POSTALCODE |
2.5.4.17 |
givenName, G |
2.5.4.42 |
I, Initials |
2.5.4.43 |
ORGANIZATIONIDENTIFIER |
2.5.4.97 |
UID |
0.9.2342.19200300.100.1.1 |
DC, DomainComponent |
0.9.2342.19200300.100.1.25 |
Email, E |
1.2.840.113549.1.9.1 |
unstructuredName |
1.2.840.113549.1.9.2 |
unstructuredAddress |
1.2.840.113549.1.9.8 |
JurisdictionOfIncorporationLocalityName |
1.3.6.1.4.1.311.60.2.1.1 |
JurisdictionOfIncorporationStateOrProvinceName |
1.3.6.1.4.1.311.60.2.1.2 |
JurisdictionOfIncorporationCountryName |
1.3.6.1.4.1.311.60.2.1.3 |
TrademarkOfficeName |
1.3.6.1.4.1.53087.1.2 |
TrademarkCountryOrRegionName |
1.3.6.1.4.1.53087.1.3 |
TrademarkRegistration |
1.3.6.1.4.1.53087.1.4 |
LegalEntityIdentifier |
1.3.6.1.4.1.53087.1.5 |
WordMark |
1.3.6.1.4.1.53087.1.6 |
MarkType |
1.3.6.1.4.1.53087.1.13 |
StatuteCountryName |
1.3.6.1.4.1.53087.3.2 |
StatuteStateOrProvinceName |
1.3.6.1.4.1.53087.3.3 |
StatuteLocalityName |
1.3.6.1.4.1.53087.3.4 |
StatuteCitation |
1.3.6.1.4.1.53087.3.5 |
StatuteURL |
1.3.6.1.4.1.53087.3.6 |