Follow the steps below to issue an OCSP responder VA certificate using the Certificate Authority solution provided by PKI Hub.
The Certificate Authorities solution provides built-in CRL and OCSP capabilities. Therefore, you do not need the Entrust Validation Authority to check the validity status of certificates issued by CA instances managed by the Certificate Authorities solution.
Creating a Certificate Authority to issue OCSP responder VA certificates
Follow the steps described in Starting up Certificate Authorities to create:
- A root Certificate Authority.
- An issuing Certificate Authority with at least one signature profile – for example, the wstep-digital-signature profile described in Active Directory (WSTEP) certificate profiles.
Creating a timestamping certificate request
Create a CA Gateway certificate enrollment request – for example:
```json
{
  "csr": "MIIDVzCCAb8...",
  "profileId": "wstep-digital-signature",
  "requiredFormat": {
    "format": "X509"
  },
  "optionalCertificateRequestDetails": {
    "extensions": [
      {
        "oid": "2.5.29.37",
        "critical": true,
        "value": "MAoGCCsGAQUFBwMJ"
      }
    ],
    "validity_period": "2024-11-06T13:00Z/2026-07-06T13:00:00Z"
  }
}
```
See below for the values required by each request field.
Field | Line (in the example above) | Value
---|---|---
csr | 2 | The base64-encoded Certificate Signing Request previously generated in Generating a VA key pair, as a single line.
extensions | 8 | The same fields and values as in the above example (to select the OCSP signing extended key usage).
validity_period | 15 | The validity period for the issued certificate. The expiry date in this period cannot exceed the expiry date of the issuing CA certificate.
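As an added illustration, not part of the PKI Hub documentation or its API client, the following Python script builds the enrollment request shown above: it derives the `extensions` value by DER-encoding the OCSP signing extended key usage OID (1.3.6.1.5.5.7.3.9) instead of pasting the base64 string, and it checks that the `validity_period` end does not exceed the issuing CA certificate's expiry. The issuing CA expiry date and the helper names are assumptions made for the example.

```python
import base64
from datetime import datetime

OCSP_SIGNING_OID = "1.3.6.1.5.5.7.3.9"  # id-kp-OCSPSigning
EXT_KEY_USAGE_OID = "2.5.29.37"        # id-ce-extKeyUsage


def _der_oid(dotted):
    """DER-encode an OBJECT IDENTIFIER (tag 0x06) given in dotted-decimal form."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]            # base-128, high bit set on all but the last byte
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return bytes([0x06, len(body)]) + bytes(body)


def eku_extension_value(oids):
    """Base64 of ExtKeyUsageSyntax ::= SEQUENCE OF OBJECT IDENTIFIER (short-form length only)."""
    seq = b"".join(_der_oid(o) for o in oids)
    if len(seq) >= 128:
        raise ValueError("extension too long for short-form DER length")
    return base64.b64encode(bytes([0x30, len(seq)]) + seq).decode()


def _parse_utc(ts):
    # Accepts the "...Z" timestamps used in the request (with or without seconds).
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def build_va_enrollment_request(csr_b64, profile_id, validity_period, ca_not_after):
    """Assemble the CA Gateway request; ca_not_after is the issuing CA expiry (assumed input)."""
    start, end = (_parse_utc(t) for t in validity_period.split("/"))
    if not start < end <= _parse_utc(ca_not_after):
        raise ValueError("validity period must end no later than the issuing CA certificate")
    return {
        "csr": csr_b64,
        "profileId": profile_id,
        "requiredFormat": {"format": "X509"},
        "optionalCertificateRequestDetails": {
            "extensions": [{"oid": EXT_KEY_USAGE_OID, "critical": True,
                            "value": eku_extension_value([OCSP_SIGNING_OID])}],
            "validity_period": validity_period,
        },
    }
```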
Processing the timestamping certificate request
See below for processing the timestamping certificate request and obtaining the issued certificate.
To process the timestamping certificate request
- Use a REST client to process the request as explained in Issuing certificates with a REST client.
- Edit the REST response and copy the base64-encoded string in the body field.
- Save the string in a file with the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- delimiters – for example:

```
-----BEGIN CERTIFICATE-----
MIIIcDCCBligAwIBAgITMwEf/Fvr7NDwanyeRAAAAR/8WzANBgkqhkiG9w0BAQwF
ADBdMQswCQYDVQQGEwJVUzEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9u
...
UdO85g==
-----END CERTIFICATE-----
```
- Use this certificate file as the VA certificate when configuring the solution.