You need a keystore containing:

  • The SSL authentication certificate of the Entrust Proxy for Microsoft CA.
  • The private key of the certificate.
  • The validation chain of the certificate.

The required steps are described below.

The following instructions create a Java KeyStore (JKS) with the Java keytool command-line utility. Consider using the more secure PKCS#12 keystore type instead (keytool option -storetype PKCS12); note that a PKCS#12 keystore uses a single password for the store and the private key, so <KEYPASS> must then equal <STOREPASS>.

Generating the keystore

Go to the SSL directory containing the truststore.jks file previously generated. For example:

c:\mscaproxy\ssl

Run the following commands to generate the key pair, request a certificate for it from the Microsoft CA, and import the returned certificate chain into the keystore.

The commands below use the default Web Server certificate template. If you need to customize any settings of the Web Server template, use a copy of it and put the name of the copy in the CertificateTemplate attribute of the certreq.exe command.

keytool -genkey -noprompt -alias mscaproxy -dname "cn=MS CA proxy server FQDN" -keyalg RSA -keysize 2048 -keystore mscaproxy.jks -storepass <STOREPASS> -keypass <KEYPASS>
keytool -certreq -alias mscaproxy -ext SAN=dns:MS CA proxy server FQDN -file mscaproxy.csr -keystore mscaproxy.jks -storepass <STOREPASS>
certreq.exe -f -attrib "CertificateTemplate:WebServer" -config "MS CA host name\CA name" mscaproxy.csr CertChainFileOut mscaproxy.p7b
keytool -import -noprompt -alias mscaproxy -file mscaproxy.p7b -keystore mscaproxy.jks -storepass <STOREPASS>
del CertChainFileOut
del CertChainFileOut.rsp
del mscaproxy.csr
del mscaproxy.p7b

Where:

  • "MS CA proxy server FQDN" is the fully qualified domain name of your Entrust Proxy for Microsoft CA’s server.
  • "MS CA host name\CA name" is the configuration string of the issuing Microsoft CA, in the form host name\CA name.
  • <STOREPASS> is the password of the keystore.
  • <KEYPASS> is the password of the private key (with a PKCS#12 keystore it must be the same as <STOREPASS>).
  • CertChainFileOut and CertChainFileOut.rsp are temporary files written by certreq.exe (the certificate on its own and the CA response). mscaproxy.p7b contains the full certificate chain and is the file imported into the keystore; the final del commands remove the temporary files once the import has succeeded.
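The same procedure as a single PowerShell script, added here as an example and not part of the Entrust documentation. It follows the suggestion above and builds a PKCS#12 keystore, passes the store password to keytool through an environment variable (keytool's -storepass:env option) so the password does not appear on the command line, stops at the first failing step, and verifies the finished keystore (private-key entry, chain length, SAN) before cleaning up. The FQDN, the CA configuration string, the directory and the file name mscaproxy.p12 are assumed placeholders; if the proxy configuration expects mscaproxy.jks, set $StoreType to JKS and $Keystore accordingly.

```powershell
# Added example: end-to-end keystore build with verification (placeholders below are assumed).
$Fqdn      = 'mscaproxy.example.com'                # proxy server FQDN (assumed)
$CaConfig  = 'ca01.example.com\Example Issuing CA'  # "MS CA host name\CA name" (assumed)
$Template  = 'WebServer'                            # or the name of your template copy
$SslDir    = 'C:\mscaproxy\ssl'
$Alias     = 'mscaproxy'
$StoreType = 'PKCS12'                               # 'JKS' if the proxy requires mscaproxy.jks
$Keystore  = Join-Path $SslDir 'mscaproxy.p12'

# Prompt for the store password; keytool reads it from the environment (-storepass:env),
# so it never appears in the process command line or the shell history.
$env:MSCAPROXY_STOREPASS = (Get-Credential -UserName $Alias -Message 'Keystore password').GetNetworkCredential().Password

function Invoke-Step([string]$Description, [scriptblock]$Command) {
    Write-Host "==> $Description"
    & $Command
    if ($LASTEXITCODE -ne 0) { throw "$Description failed (exit code $LASTEXITCODE)" }
}

Push-Location $SslDir -ErrorAction Stop
try {
    # 1. Key pair. With PKCS#12 the key password equals the store password, so no -keypass.
    Invoke-Step 'Generate RSA key pair' {
        keytool -genkeypair -noprompt -alias $Alias -dname "CN=$Fqdn" -keyalg RSA -keysize 2048 `
            -storetype $StoreType -keystore $Keystore -storepass:env MSCAPROXY_STOREPASS
    }
    # 2. CSR carrying the FQDN as a SAN (TLS clients match the SAN, not the CN).
    Invoke-Step 'Create certificate request' {
        keytool -certreq -alias $Alias -ext "SAN=dns:$Fqdn" -file mscaproxy.csr `
            -keystore $Keystore -storepass:env MSCAPROXY_STOREPASS
    }
    # 3. Submit to the enterprise CA. Positional arguments are RequestFileIn,
    #    CertFileOut (leaf certificate only) and CertChainFileOut (PKCS#7 chain).
    Invoke-Step 'Submit request to Microsoft CA' {
        certreq.exe -f -attrib "CertificateTemplate:$Template" -config $CaConfig `
            mscaproxy.csr mscaproxy.cer mscaproxy.p7b
    }
    # 4. Importing the PKCS#7 reply under the key alias stores the whole chain with the key.
    Invoke-Step 'Import certificate chain' {
        keytool -importcert -noprompt -alias $Alias -file mscaproxy.p7b `
            -keystore $Keystore -storepass:env MSCAPROXY_STOREPASS
    }
    # 5. Verify: a private-key entry, a chain longer than the leaf alone, and the expected SAN.
    $listing = (& keytool -list -v -alias $Alias -keystore $Keystore -storepass:env MSCAPROXY_STOREPASS) -join "`n"
    if ($LASTEXITCODE -ne 0)                                   { throw 'keytool -list failed' }
    if ($listing -notmatch 'Entry type: PrivateKeyEntry')      { throw "No private key entry for alias $Alias" }
    if ($listing -notmatch 'Certificate chain length: (\d+)')  { throw 'Chain length not reported' }
    $chainLength = [int]$Matches[1]
    if ($chainLength -lt 2) { throw 'Reply contained only the leaf certificate; check the CertChainFileOut argument' }
    if ($listing -notmatch "DNSName: $([regex]::Escape($Fqdn))") { throw "SAN dns:$Fqdn missing from the issued certificate" }
    Write-Host "OK: $Keystore holds '$Alias' with a $chainLength-certificate chain and SAN dns:$Fqdn"
}
finally {
    # 6. Clean up the CSR, the leaf certificate, certreq's .rsp response copy and the chain file.
    Remove-Item -ErrorAction SilentlyContinue mscaproxy.csr, mscaproxy.cer, mscaproxy.cer.rsp, mscaproxy.p7b
    Remove-Item Env:\MSCAPROXY_STOREPASS -ErrorAction SilentlyContinue
    Pop-Location
}
```

The verification step is the part worth keeping even if you run the commands by hand: a keystore whose chain length is 1 means the CA reply was imported without its intermediates, and clients will fail to build a trust path to the proxy even though keytool reported a successful import.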

Setting the Subject Name

Edit the application.yml file of the Entrust Proxy for Microsoft CA installation folder.

config\application.yml

Uncomment all lines (by removing the leading #) and set subject-dn to the distinguished name passed with -dname when generating the client keystore, enclosed in straight double quotes. For example:

subject-dn: "cn=mscaproxy client"

Adding the keystore password to the configuration

Edit the following file.

MS CA Proxy Installation\config\key-store-password.scrt

Set the following parameter:

decrypted=<STOREPASS>

Where <STOREPASS> is the password of the keystore described in Generating the keystore.

Adding the truststore password to the configuration

Edit the following file:

MS CA Proxy Installation\config\trust-store-password.scrt

Set the following parameter:

decrypted=<STOREPASS>

Where <STOREPASS> is the password of the truststore.jks file referenced in Generating the keystore (not the keystore password, unless both were set to the same value).

Restarting Entrust Proxy for Microsoft CA

If the Entrust Proxy for Microsoft CA is running, execute the following command as an administrator to restart it so that it loads the new keystore and configuration.

MSCAProxy.exe restart