Entrust Certificate Services PKI

Prerequisites

  • A technical account should be created for use with the API.

  • This technical account must have permissions to enroll and revoke SSL certificates on the desired certificate profiles (superadmin role).

Limitations

  • Only the following fields are managed: commonName (as cn, for SMIME certificates), contactEmail (as the requester email address), OU (only one), subjectAltName DNS (for SSL certificates) and RFC822Name (for SMIME certificates).

  • For multi-valued fields (SAN DNS), if more data items are provided than are configured in ECS for the given certificate type, the excess items are ignored.

  • All limitations of the ECS REST Connector also apply.
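
A pre-flight check for the limitations above, as an added example (not Horizon or Entrust code): it flags request data that falls outside the managed fields before the request reaches the connector. The function name, the "ssl"/"smime" labels and the max_san_dns value are assumptions, and the sample inputs are constructed.

```python
# Added example: lint a certificate request against the documented connector limits.
# Inputs follow the layout openssl prints for a subject DN and a SAN extension.
# Simplification: DN values containing commas are not handled.

def preflight(subject, san, cert_kind, max_san_dns):
    """Return warnings for request data outside the managed fields.

    cert_kind   -- "ssl" or "smime" (hypothetical labels for this example)
    max_san_dns -- SAN DNS slots configured in ECS for the certificate type
                   (assumed to be known to the operator)
    """
    warnings = []

    # Subject: only commonName and a single OU are listed as managed.
    rdns = [p.strip().split("=", 1) for p in subject.split(",") if "=" in p]
    names = [k.strip().upper() for k, _ in rdns]
    if names.count("OU") > 1:
        warnings.append(f"{names.count('OU')} OU values given, only one is managed")
    for name in names:
        if name not in ("CN", "OU"):
            warnings.append(f"subject attribute {name} is not managed")

    # SAN: DNS for SSL, RFC822Name (printed as 'email' by openssl) for S/MIME.
    wanted = "DNS" if cert_kind == "ssl" else "email"
    entries = [e.strip().split(":", 1) for e in san.split(",") if ":" in e]
    for san_type, value in entries:
        if san_type != wanted:
            warnings.append(f"SAN {san_type}:{value} is not managed for {cert_kind}")

    # Excess SAN DNS items are ignored rather than rejected, so count them here.
    dns_count = sum(1 for san_type, _ in entries if san_type == "DNS")
    if cert_kind == "ssl" and dns_count > max_san_dns:
        warnings.append(
            f"{dns_count - max_san_dns} SAN DNS item(s) exceed the "
            f"{max_san_dns} configured in ECS and will be ignored"
        )
    return warnings


if __name__ == "__main__":
    # Constructed sample request.
    subject = "CN=www.example.com, OU=Web, OU=Ops, O=Example Corp, C=FR"
    san = "DNS:www.example.com, DNS:api.example.com, DNS:cdn.example.com, IP Address:192.0.2.10"
    for line in preflight(subject, san, "ssl", max_san_dns=2):
        print("WARNING:", line)
```
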

Create the PKI connector

1. Log in to the Horizon Administration Interface.

2. Access PKI from the drawer or card: PKI > PKI Connectors.

3. Click on Add HTTP Proxy.

4. Select the correct PKI type.

5. Click on the next button.

General tab

6. Fill in the common mandatory fields:

  • Connector Name* (string input):
    Choose a meaningful connector name that identifies the mapping between the PKI and the Certificate Profile. It must be unique and must not contain spaces.

  • Proxy (string select):
    If the PKI is not directly reachable from Horizon, you can set up an HTTP/HTTPS proxy to properly forward the traffic.

  • Queue PKI (string select):
    The PKI Queue used to manage the PKI Requests (enrollment, revocation).

  • Timeout (finite duration):
    The interval of time to wait for a PKI response. Once it has elapsed, Horizon stops trying to establish the communication. Must be a valid finite duration.

7. Click on the next button.

Details tab

8. Fill in all mandatory fields:

  • Technical account API login* (string input):
    Enter the login of the technical account API.

  • Technical account API password* (string input):
    Enter the password of the technical account API.

  • Certificate Type (select):
    Select the Certificate Type to issue.

  • Requester’s default email* (string input):
    Enter the requester's default email address.

  • Requester’s name (string input):
    Enter the requester's name to register.

  • Requester’s phone (string input):
    Enter the requester's phone number to register.

  • Certificate lifetime (finite duration):
    Enter the certificate lifetime, in days. For SMIME_ENT, it is the number of years. The default value is set to 90 days.

  • Client ID (int):
    Enter the Client ID. The default value is set to 1.

9. Click on the next button.

Authentication tab

10. Fill in the PKI-authentication fields:

  • Authentication PKCS#12* (import p12):
    Import the PKCS#12 file containing the authentication certificate used to connect to the PKI.

  • PKCS#12 Password* (string input):
    Enter the password used to secure the aforementioned PKCS#12.

11. Click on the save button.

You can edit, duplicate or delete the Entrust Certificate Services PKI connector.