In Entrust CA Gateway, you must create profiles for each Managed CA that will issue certificates for WSTEP enrollment. Each profile must issue one of the WSTEP certificate types you added earlier to Security Manager.

When adding these profiles to CA Gateway:

  • The values of the cert_type (certificate type) and cert_definition (certificate definition) parameters must match the values specified in Security Manager.
  • The value of the create_ldap_entry parameter must be false.
  • The value of the directory_mode parameter must be NO_OP (the value is case sensitive).
  • The subject-variable-requirements field is supported when the subject_builder_config field is used.
  • The subject_builder_config field is supported when Certificate Enrollment Gateway has mapped a Windows certificate template to the Profile ID.
    WSTEP requests to Certificate Enrollment Gateway will include Windows certificate template information. In the Certificate Enrollment Gateway config.yml file, the certificate-templates setting can map Windows certificate templates to Profile IDs in CA Gateway.

    • If the certificate template is not mapped to a Profile ID, the subject_builder_config field is ignored.
    • If the certificate template is mapped to the Profile ID and the subject_builder_config field exists:
      • The subject_builder_name setting must be set to com.entrust.adminservices.cagw.common.subjects.TemplateSubjectBuilder.
      • For machines, the Subject name in the certificate template must be Common name or DNS. For information about configuring the Subject name in the Windows certificate template, see the Certificate Enrollment Gateway WSTEP Integration Guide.
      • For users, the Subject name in the certificate template must be Common name. For information about configuring the Subject name in the Windows certificate template, see the Certificate Enrollment Gateway WSTEP Integration Guide.
    • If the certificate template is mapped to the Profile ID and the subject_builder_config field is absent:
      • For machines, the subject of the issued certificate will be either CN=<Common Name> or CN=<DNS name>.
      • For users, the subject of the issued certificate will be CN=<Common Name>.

The following example shows multiple Managed CA profiles configured in CA Gateway for WSTEP enrollment, one profile for each WSTEP certificate type you created earlier in Security Manager.

- name: "WSTEP Signing"
  unique_id: ent_wstep_sig
  properties:
    cert_type: ent_wstep_sig
    cert_definition: Verification_p10
    user_type: Web Server
    create_ldap_entry: false
    directory_mode: NO_OP
    subject-variable-requirements:
      - description: common name
        name: CN
        required: true
    subject_builder_config:
      subject_builder_name: "com.entrust.adminservices.cagw.common.subjects.TemplateSubjectBuilder"
      properties:
        template: "cn=<CN>,cn=Users,dc=example,dc=com"
- name: "Encryption_p10"
  unique_id: ent_wstep_enc
  properties:
    cert_type: ent_wstep_enc
    cert_definition: Encryption_p10
    user_type: Web Server
    create_ldap_entry: false
    directory_mode: NO_OP
    subject-variable-requirements:
      - description: common name
        name: CN
        required: true
    subject_builder_config:
      subject_builder_name: "com.entrust.adminservices.cagw.common.subjects.TemplateSubjectBuilder"
      properties:
        template: "cn=<CN>,cn=Users,dc=example,dc=com"
- name: "Dual Usage"
  unique_id: ent_wstep_sig_enc
  properties:
    cert_type: ent_wstep_sig_enc
    cert_definition: Dual Usage
    user_type: Web Server
    create_ldap_entry: false
    directory_mode: NO_OP
    subject-variable-requirements:
      - description: common name
        name: CN
        required: true
    subject_builder_config:
      subject_builder_name: "com.entrust.adminservices.cagw.common.subjects.TemplateSubjectBuilder"
      properties:
        template: "cn=<CN>,cn=Users,dc=example,dc=com"
- name: "Nonrepudiation"
  unique_id: ent_wstep_sig_nonrep
  properties:
    cert_type: ent_wstep_sig_nonrep
    cert_definition: Nonrepudiation
    user_type: Web Server
    create_ldap_entry: false
    directory_mode: NO_OP
    subject-variable-requirements:
      - description: common name
        name: CN
        required: true
    subject_builder_config:
      subject_builder_name: "com.entrust.adminservices.cagw.common.subjects.TemplateSubjectBuilder"
      properties:
        template: "cn=<CN>,cn=Users,dc=example,dc=com"
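Before deploying a profile list like the one above, it is worth checking each entry against the rules in this section. The following checker is an added example, not Entrust's own code or tooling: it takes profile entries as Python dicts (the structure a YAML parser would return for the list) and a constructed map of the WSTEP certificate types added to Security Manager, and reports every rule violation it finds, including the case-sensitivity trap on directory_mode.

```python
# Added example (not Entrust's code): lint Managed CA profile entries against the
# WSTEP rules in this section. The profiles and the Security Manager map are constructed.
REQUIRED_BUILDER = "com.entrust.adminservices.cagw.common.subjects.TemplateSubjectBuilder"

# Constructed: certificate type -> certificate definition, as added to Security Manager.
SM_CERT_TYPES = {"ent_wstep_sig": "Verification_p10", "ent_wstep_enc": "Encryption_p10"}


def check_wstep_profile(profile, sm_cert_types):
    """Return the list of rule violations for one profile (empty if it passes)."""
    problems = []
    props = profile.get("properties", {})
    cert_type = props.get("cert_type")
    if cert_type not in sm_cert_types:
        problems.append(f"cert_type {cert_type!r} is not a WSTEP certificate type in Security Manager")
    elif props.get("cert_definition") != sm_cert_types[cert_type]:
        problems.append(f"cert_definition must be {sm_cert_types[cert_type]!r} for {cert_type}")
    # YAML 'false' parses to a boolean; a quoted "false" string does not satisfy the rule.
    if props.get("create_ldap_entry") is not False:
        problems.append("create_ldap_entry must be false")
    if props.get("directory_mode") != "NO_OP":  # value is case sensitive
        problems.append("directory_mode must be NO_OP")
    builder = props.get("subject_builder_config")
    if "subject-variable-requirements" in props and builder is None:
        problems.append("subject-variable-requirements needs subject_builder_config")
    if builder is not None and builder.get("subject_builder_name") != REQUIRED_BUILDER:
        problems.append("subject_builder_name must be TemplateSubjectBuilder")
    return problems


GOOD_PROFILE = {"name": "WSTEP Signing", "unique_id": "ent_wstep_sig", "properties": {
    "cert_type": "ent_wstep_sig", "cert_definition": "Verification_p10",
    "user_type": "Web Server", "create_ldap_entry": False, "directory_mode": "NO_OP",
    "subject-variable-requirements": [{"description": "common name", "name": "CN", "required": True}],
    "subject_builder_config": {"subject_builder_name": REQUIRED_BUILDER,
                               "properties": {"template": "cn=<CN>,cn=Users,dc=example,dc=com"}}}}

# Constructed bad entry: wrong definition, string "false", lower-case no_op, and
# subject-variable-requirements without a subject_builder_config.
BAD_PROFILE = {"name": "WSTEP Encryption", "unique_id": "ent_wstep_enc", "properties": {
    "cert_type": "ent_wstep_enc", "cert_definition": "Verification_p10",
    "user_type": "Web Server", "create_ldap_entry": "false", "directory_mode": "no_op",
    "subject-variable-requirements": [{"description": "common name", "name": "CN", "required": True}]}}

if __name__ == "__main__":
    for profile in (GOOD_PROFILE, BAD_PROFILE):
        print(profile["unique_id"], check_wstep_profile(profile, SM_CERT_TYPES) or "OK")
```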