For all SCEP-related protocols (SCEP, MDM-SCEP, and Intune-SCEP), Certificate Enrollment Gateway uses RA certificates to sign and encrypt SCEP PKI messages. In Entrust CA Gateway, for each Managed CA that will issue certificates for a SCEP-related protocol, you must create a profile for issuing RA certificates.
All profiles used for RA certificates must allow Dual Usage (both Digital Signature and Key Encipherment). It is recommended that you use a Dual Usage certificate type that you created earlier for a SCEP-related protocol. For example, for the SCEP and Intune-SCEP protocols, you can use the SCEP Signing and Encryption (ent_scep_sig_enc) certificate type you created in Adding certificate types to Security Manager for SCEP and Intune-SCEP enrollment.
When adding a profile to CA Gateway for issuing RA certificates:
- The subject_builder_config field is not supported.
- The subject-variable-requirements field is not supported.
- The values of the cert_type (certificate type) and cert_definition (certificate definition) parameters must match the values specified in Security Manager.
- The value of the create_ldap_entry parameter must be false.
For example:
  - name: "SCEP RA"
    unique_id: ent_scep_ra
    properties:
      cert_type: ent_scep_sig_enc
      cert_definition: Dual Usage
      user_type: Web Server
      create_ldap_entry: false
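The following is an added example, not code from Entrust or from the CA Gateway product: a small lint check that applies the four rules above to a profile entry before it is deployed. It takes the profile as the dictionary that yaml.safe_load would return for one entry of the profile list (parsing is left out so the script runs with the standard library only). The SECURITY_MANAGER table of certificate types, definitions and the key usages they grant is constructed for the example; in practice those values come from your Security Manager configuration. The check is stricter than a visual review in one useful way: a quoted "false" loads as a string, not a boolean, and is rejected.

```python
# Added example (not Entrust's code): lint a CA Gateway profile intended for
# Certificate Enrollment Gateway RA certificates against the rules in the text.
# The profile dict is what yaml.safe_load would return for one list entry of the
# CA Gateway profile file; parsing is left out so this runs with the stdlib only.

UNSUPPORTED_FIELDS = ("subject_builder_config", "subject-variable-requirements")

# Constructed for the example: the certificate types and definitions that
# Security Manager knows, with the key usage each definition grants.
# Real values come from the CA configuration, not from this script.
SECURITY_MANAGER = {
    "ent_scep_sig_enc": {
        "Dual Usage": {"digitalSignature", "keyEncipherment"},
        "Signing Only": {"digitalSignature"},
    },
}

# An RA certificate both signs and decrypts SCEP PKI messages, so both bits are needed.
RA_REQUIRED_KEY_USAGE = {"digitalSignature", "keyEncipherment"}


def lint_ra_profile(profile, security_manager=SECURITY_MANAGER):
    """Return a list of problems with an RA profile; an empty list means it passes."""
    problems = []
    props = profile.get("properties") or {}

    # Rules 1 and 2: fields that are not supported for RA profiles must not appear
    # (checked both at the top level and under properties, since placement varies).
    for field in UNSUPPORTED_FIELDS:
        if field in profile or field in props:
            problems.append(f"{field} is not supported in RA profiles")

    # Rule 3: cert_type / cert_definition must exist in Security Manager ...
    cert_type = props.get("cert_type")
    cert_def = props.get("cert_definition")
    definitions = security_manager.get(cert_type)
    if definitions is None:
        problems.append(f"cert_type {cert_type!r} is not defined in Security Manager")
    elif cert_def not in definitions:
        problems.append(
            f"cert_definition {cert_def!r} is not defined for cert_type {cert_type!r}"
        )
    # ... and the definition must grant both key usages an RA certificate needs.
    elif not RA_REQUIRED_KEY_USAGE <= definitions[cert_def]:
        missing = sorted(RA_REQUIRED_KEY_USAGE - definitions[cert_def])
        problems.append(f"cert_definition {cert_def!r} lacks key usage {missing}")

    # Rule 4: create_ldap_entry must be the YAML boolean false. A quoted "false"
    # loads as a string and is a common mistake, so compare by identity with False.
    if props.get("create_ldap_entry") is not False:
        problems.append(
            "create_ldap_entry must be false, got "
            f"{props.get('create_ldap_entry')!r}"
        )
    return problems


# Constructed sample: the profile from the text, as loaded from YAML.
GOOD_PROFILE = {
    "name": "SCEP RA",
    "unique_id": "ent_scep_ra",
    "properties": {
        "cert_type": "ent_scep_sig_enc",
        "cert_definition": "Dual Usage",
        "user_type": "Web Server",
        "create_ldap_entry": False,
    },
}

# Constructed sample: the same profile with three mistakes (an unsupported
# field, a signing-only definition, and create_ldap_entry as a quoted string).
BAD_PROFILE = {
    "name": "SCEP RA",
    "unique_id": "ent_scep_ra",
    "subject_builder_config": {"cn": "ra"},  # constructed, shape is hypothetical
    "properties": {
        "cert_type": "ent_scep_sig_enc",
        "cert_definition": "Signing Only",
        "user_type": "Web Server",
        "create_ldap_entry": "false",
    },
}

if __name__ == "__main__":
    for label, profile in (("good", GOOD_PROFILE), ("bad", BAD_PROFILE)):
        print(label, lint_ra_profile(profile) or "OK")
```

To run it against a real profile file, load the YAML with yaml.safe_load (PyYAML, an assumption about your tooling) and call lint_ra_profile on each entry of the resulting list, after replacing SECURITY_MANAGER with the certificate types and definitions actually configured on your Managed CA.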