Entrust PKI Hub 1.0 requires the full TLS certificate chain for the Certificate Enrollment Gateway certificate, from the TLS certificate up to the root CA. You must combine all certificates in the TLS certificate chain into one file as described in the following procedure.
To combine the Certificate Enrollment Gateway certificate and CA certificates into a single file
- Create a new text file.
- Copy the contents of the Certificate Enrollment Gateway certificate (including BEGIN CERTIFICATE and END CERTIFICATE lines) into the new text file.
At the end of the new text file, copy the contents of each CA certificate in the chain (including BEGIN CERTIFICATE and END CERTIFICATE lines), in order from the Issuing CA certificate to the Root CA certificate. For example:
-----BEGIN CERTIFICATE-----<TLS server certificate in Base64 encoding>-----END CERTIFICATE----------BEGIN CERTIFICATE----<Issuing CA certificate in Base64 encoding>-----END CERTIFICATE----------BEGIN CERTIFICATE----<Root CA certificate in Base64 encoding>-----END CERTIFICATE-----For Entrust PKI as a Service, the Issuing CA and Root CA are different CAs. For an on-premises CA, the Issuing CA may be the root CA. If the issuing CA is the root CA, the file would contain only the TLS certificate and the root CA.
The text file should look similar to the following:
-----BEGIN CERTIFICATE-----MIIDqQYJKoZIhvcNAQcCoIIDmjCCA5YCAQExADALBgkqhkiG9w0BBwGgggN...-----END CERTIFICATE----------BEGIN CERTIFICATE----MIIDejCCAmKgAwIBAgIQQ8e7ock59Y21Mtcy7rGJUDANBgkqhkiG9w0BAQs...-----END CERTIFICATE----------BEGIN CERTIFICATE----MIQ0EgRW50cnkwHhcNMjMwMjA4MTUxNzEwWhcNMzMwMjA4MTU0NzEwWjAyM...-----END CERTIFICATE------ Save the file. It is recommended that you save the file with a
.pemor.crtextension. For example,tlscertchain.pem.
After building the TLS certificate chain, proceed to Installing the Certificate Enrollment Gateway certificate chain into Entrust PKI Hub 1.0.