Certificate Enrollment Gateway requires the CA certificate chain of Entrust CA Gateway's server certificate. When connecting to Entrust CA Gateway, Certificate Enrollment Gateway will use the CA certificate chain to validate Entrust CA Gateway's server certificate.
The CA certificate chain must be stored in one of the following files:
File | Description |
|---|---|
CA Gateway Truststore | This file must be a PKCS #12 (P12) file. The file must contain at least one Trusted CA Certificate entry (TrustedCertEntry). You can re-use the CA Gateway Keystore if it contains the CA certificate chain. |
CA Certificates File | The file must be a PEM-formatted file. The file must contain at least one PEM-formatted CA certificate. Each CA certificate must include any BEGIN CERTIFICATE and END CERTIFICATE lines if present. |
To generate a CA Gateway Truststore (P12 file) using the Java keytool utility
- Obtain the certificate chain for CA Gateway's server certificates, from the server certificate to the root CA certificate.
- Log in to a computer that has Java installed.
For each certificate, enter the following command to generate the CA Gateway Truststore file and import certificates into the truststore:
keytool -import-alias <alias> -trustcacerts -file <cert-file> -keystore <truststore>Where:
<alias>is an alias for the certificate. Use a different alias for each certificate you will import.<cert-file>is the path and file name of the certificate.<truststore>is the path and file name of the CA Gateway Truststore file. For example,cagwtruststore.p12. The utility will create the file if it does not exist.
For example:
keytool -import-alias cagw-root -trustcacerts -file /tmp/root.cer -keystore /home/user/cagwtruststore.p12- When prompted, enter a password for the truststore.
To generate a CA Certificates File (PEM file)
- Obtain the certificate chain for CA Gateway's server certificate, from the server certificate to the root CA certificate.
- Open a text editor.
- Create a new file.
Paste the contents of each CA certificate file into the new file, from the server certificate to the root CA certificate. Each CA certificate must include any BEGIN CERTIFICATE and END CERTIFICATE lines if present. For example:
-----BEGIN CERTIFICATE-----<TLS server certificate in Base64 encoding>-----END CERTIFICATE----------BEGIN CERTIFICATE----<Issuing CA certificate in Base64 encoding>-----END CERTIFICATE----------BEGIN CERTIFICATE----<Root CA certificate in Base64 encoding>-----END CERTIFICATE-----The text file should look similar to the following:
-----BEGIN CERTIFICATE-----MIIDqQYJKoZIhvcNAQcCoIIDmjCCA5YCAQExADALBgkqhkiG9w0BBwGgggN...-----END CERTIFICATE----------BEGIN CERTIFICATE----MIIDejCCAmKgAwIBAgIQQ8e7ock59Y21Mtcy7rGJUDANBgkqhkiG9w0BAQs...-----END CERTIFICATE----------BEGIN CERTIFICATE----MIQ0EgRW50cnkwHhcNMjMwMjA4MTUxNzEwWhcNMzMwMjA4MTU0NzEwWjAyM...-----END CERTIFICATE------ Save and close the file.