After creating the certificate signing request (CSR) for the Certificate Enrollment Gateway certificate, you can submit the CSR to an Issuing CA in Entrust PKI as a Service. The Issuing CA will process the CSR and generate the certificate.

To submit the CSR to Entrust PKI as a Service and obtain the TLS certificate

  1. Log in the Entrust Certificate Services interface.
  2. Select Create > PKIaas.
    The Select Certificate Authority pane appears.
  3. From the Certificate Authority drop-down list, select the CA you want to issue the TLS certificate.
  4. From the Certificate Profile drop-down list, select the certificate profile you want to use for the TLS certificate. The certificate profile must include Digital Signature for TLS certificates.
  5. Click Next.
    The Certificate Details pane appears.
  6. In the Subject DN field, enter a value for the certificate's subject DN. The value should be the DNS name of the server hosting Entrust PKI Hub 1.0. For example, cn=example.com.
  7. For Certificate Expiry, provide an expiry date for TLS certificate. It is recommended that the TLS certificate be valid for 1 year or less.
  8. Under Subject Alternative Names, add one or more DNS Name components to the Subject Alternative Name (subjectAltName) extension in the certificate. The subjectAltName extension must have a DNS Name component for each DNS name that may be used by the Entrust PKI Hub 1.0 cluster.
    To add a DNS Name component the Subject Alternative Name extension:
    1. For SAN type, select DNS Name.
    2. In the Value field, enter a DNS name that may be used by the server.
    3. Click Add to add the DNS Name component to the Subject Alternative Name extension.
      The component is added to the list of components in the Subject Alternative Name extension
    4. To remove a component from the Subject Alternative Name extension, click Remove next to the extension that you want to remove.
  9. Copy the contents of the CSR you generated earlier, and paste the contents into the Certificate Signing Request (CSR) text box.
  10. Click Submit.
    If the certificate is generated successfully, a success message appears.
  11. Click Download the newly created certificate to download the TLS certificate.

After processing the CSR, proceed to Downloading the CA certificate chain from Entrust PKI as a Service.