
Info: Entrust Security Manager Certificate Authority Driver

Summary:

Entrust Security Manager is a pluggable certificate authority driver of Venafi Trust Protection Platform. The purpose of the driver is to request SSL Certificates from the Entrust Security Manager CA.

More Info:

Note: For the most current information about Venafi CA and application drivers, visit docs.venafi.com and select your version of Trust Protection Platform.

Preparing the Director server for Entrust Security Manager:

Before configuring the Entrust Security Manager (ESM) CA Template object, you must install the Entrust Admin Toolkit Package (etadmintk6_1-windows) and the Enrollment Server for Web on the Director server.

Note: You can obtain the Entrust Admin Toolkit Package and the Enrollment Server for Web from Entrust.

To prepare a Director server for Entrust Security Manager:

  1. Extract and install the Entrust Admin Toolkit package.
  2. Copy the etadmintk.dll and enterr.dll from the Toolkit installation directory to the following directory: drive:\Program Files\Venafi\Externals
  3. Install the Entrust Enrollment Server for Web on the Director server. The Enrollment Server for Web works with Entrust Security Manager to issue certificates.

Important: The folder where you install the Enrollment Server for Web on the Director server is the path you type in the Enrollment Server Path field in the Entrust Security Manager CA configuration page.

 

Security Level Requirements for the EPF Administration Credential:

To retrieve certificate templates and post CSRs to the Entrust Security Manager CA, Director requires the credentials (that is, the EPF certificate and password) for an Administrator or First Officer account. If you do not want to use an Administrator or First Officer account, then you can use the EPF certificate for any administrator account that has a minimum of the following rights:

  • Audit Logs
  • Bulk & Reports
  • Certificates
  • Certification Authority (CA)
  • Directory
  • Groups
  • License Information
  • Policy OIDs
  • Queued Requests
  • Roles
  • Searchbase
  • Security Policy
  • User Templates
  • Users

In order for Director to consume the EPF file, you must create a Generic Credential object in the Director administration console using the EPF certificate and password.

Important: This Generic Credential is required to configure the Entrust Security Manager CA Template object.

 

Create the 'Certificate Authority' object, as per this article:

Creating Certificate Authority Object KB

  

Complete the Entrust Security Manager CA object:

  1. General
    • Description - Create a description for the Entrust Security Manager object.
    • Contact - User or group identities to be assigned to this object. The default notifications are sent to these contacts.
  2. Connection
    • .INI File - Path to the entrust.ini file. This file is typically located on the Entrust Security Manager server at the following path: /opt/entrust/authdata/CA_Instance/manager/entrust/
    • EPF Credential - The credential required to retrieve template information and post CSRs to the Entrust Security Manager CA. The Generic Credential consists of an Entrust administrator account certificate (the EPF file) and the password required to use the certificate.
    • Searchbase - DN for the Entrust Security Manager searchbase.
    • Enrollment Server Path - Path where you installed the Enrollment Server for Web.
    • Validate - Tests the selected EPF Credential to ensure Director can authenticate with the Entrust Security Manager CA.
  3. Options
    • Certificate Type - Supported Entrust Security Manager SSL certificate types for the current iteration of the Entrust Security Manager CA.
    • Create User in Directory - Automatically creates a user account in the Entrust searchbase for servers on which certificates are issued. The common name entered on the certificate is used as the account username.
  4. Validity Period
    • Supported Validity Periods (Years) - Lists the supported validity periods for the selected Product Name.
    • Available Validity Periods (Years) - Choose the validity period(s) that this object needs to support from the list of Supported Validity Periods on the right.
  5. Accounting
    • Total Web Licenses - Number of prepurchased certificate licenses.
    • Used Licenses - Number of prepurchased certificate licenses that have been used.
    • Available Licenses - Number of prepurchased certificate licenses that are available.
    • Licenses Alert - Threshold at which Director begins sending certificate license alert notifications. When the number of remaining licenses reaches this threshold, Director generates license alert events.

After filling out all of the entries, click on the 'Apply' button to save the settings.

 

Associating Entrust Security Manager CA object to a Certificate object:

Now either create a new certificate object or navigate to an existing certificate object. Select the ‘Settings’ tab and for ‘CA Template’ in the ‘Other Information’ section, choose the Entrust Security Manager CA object you just created above. Select the new ‘Entrust Security Manager’ tab that will appear on the tab panel above.

Complete the remaining certificate-specific Entrust Security Manager CA fields:

  1. Settings
    • Override Default Key Update Policy - Overrides the Entrust Security Manager CA’s private key update requirements. When this option is selected, Director uses the validity period defined in the Certificate object to set the key lifetimes instead of using the default key update policy defined for the Entrust user.
    • Validity Period - The amount of time, in years, for which this certificate will be issued. This list shows only the supported validity periods that were selected in the Entrust Security Manager CA object created above. This option is available only if you select Override Default Key Update Policy.

After filling out all of the entries, click on the 'Apply' button to save the settings.
