Entrust CA Gateway

This AnyGateway implementation consumes the Entrust CA Gateway API to provide access to the Entrust Certificate Services, Entrust Authority Security Manager, and Entrust Managed PKI product lines.

Integration status: Production - Ready for use in production environments.

About the Keyfactor AnyCA Gateway DCOM Connector

This repository contains an AnyCA Gateway Connector, which is a plugin to the Keyfactor AnyGateway. AnyCA Gateway Connectors allow Keyfactor Command to be used for inventory, issuance, and revocation of certificates from a third-party certificate authority.

Support for Entrust CA Gateway

Entrust CA Gateway is supported by Keyfactor for Keyfactor customers. If you have a support issue, please open a support ticket via the Keyfactor Support Portal at https://support.keyfactor.com

To report a problem or suggest a new feature, use the Issues tab. If you want to contribute actual bug fixes or proposed enhancements, use the Pull requests tab.

---

---

Keyfactor AnyCA Gateway Framework Supported

The Keyfactor gateway framework implements common logic shared across various gateway implementations and handles communication with Keyfactor Command. The gateway framework hosts gateway implementations or plugins that understand how to communicate with specific CAs. This allows you to integrate your third-party CAs with Keyfactor Command such that they behave in a manner similar to the CAs natively supported by Keyfactor Command.

This gateway extension was compiled against version 10.x.x of the AnyCA Gateway DCOM Framework. You will need at least this version of the framework Installed. If you have a later AnyGateway Framework Installed you will probably need to add binding redirects in the CAProxyServer.exe.config file to make things work properly.

Keyfactor CAGateway Install Guide

---

# Introduction The Entrust CA Gateway is a RESTful API platform that allows for the issuance, synchronization, and management of CA certificates backed by Entrust's Manged SSL service, public CA offering, and Microsoft CAs.

Prerequisites

Certificate Chain

In order to enroll for certificates the Keyfactor Command server must trust the trust chain. Once you create your Root and/or Subordinate CA, make sure to import the certificate chain into the Command Server certificate store

Install

• Download latest successful build from GitHub Releases

• Copy EntrustCAProxy.dll to the Program Files\Keyfactor\Keyfactor AnyGateway directory

• Update the CAProxyServer.config file

  • Update the CAConnection section to point at the EntrustCAProxy class

  <alias alias="CAConnector" type="Keyfactor.AnyGateway.Entrust.EntrustCAProxy, EntrustCAProxy"/>

Configuration

The following sections will breakdown the required configurations for the AnyGatewayConfig.json file that will be imported to configure the AnyGateway.

Templates

The Template section will map the CA's SSL profile to an AD template. For private CAs there are no addtional parameters required. The ProductID can be found via an authenticated GET /v1/certificate-authorities/{caId}/profiles request to the ApiEndpoint. curl -X GET "https://cagw.yourcorp.com/cagw/v1/certificate-authorities/CA-Jupiter/profiles" -H "accept: application/json"

 "Templates": {
   "WebServer": {
     "ProductID": "f733787d-5649-4c74-b596-3a7f79b6172b",
     "Parameters": {
     }
  }
}

Security

The security section does not change specifically for the Entrust CA Gateway. Refer to the AnyGateway Documentation for more detail.

  /*Grant permissions on the CA to users or groups in the local domain.
	READ: Enumerate and read contents of certificates.
	ENROLL: Request certificates from the CA.
	OFFICER: Perform certificate functions such as issuance and revocation. This is equivalent to "Issue and Manage" permission on the Microsoft CA.
	ADMINISTRATOR: Configure/reconfigure the gateway.
	Valid permission settings are "Allow", "None", and "Deny".*/
    "Security": {
        "Keyfactor\\Administrator": {
            "READ": "Allow",
            "ENROLL": "Allow",
            "OFFICER": "Allow",
            "ADMINISTRATOR": "Allow"
        },
        "Keyfactor\\gateway_test": {
            "READ": "Allow",
            "ENROLL": "Allow",
            "OFFICER": "Allow",
            "ADMINISTRATOR": "Allow"
        },		
        "Keyfactor\\SVC_TimerService": {
            "READ": "Allow",
            "ENROLL": "Allow",
            "OFFICER": "Allow",
            "ADMINISTRATOR": "None"
        },
        "Keyfactor\\SVC_AppPool": {
            "READ": "Allow",
            "ENROLL": "Allow",
            "OFFICER": "Allow",
            "ADMINISTRATOR": "Allow"
        }
    }

CerificateManagers

The Certificate Managers section is optional. If configured, all users or groups granted OFFICER permissions under the Security section must be configured for at least one Template and one Requester. Uses "" to specify all templates. Uses "Everyone" to specify all requesters. Valid permission values are "Allow" and "Deny".

  "CertificateManagers":{
		"DOMAIN\\Username":{
			"Templates":{
				"MyTemplateShortName":{
					"Requesters":{
						"Everyone":"Allow",
						"DOMAIN\\Groupname":"Deny"
					}
				},
				"<All>":{
					"Requesters":{
						"Everyone":"Allow"
					}
				}
			}
		}
	}

CAConnection

The CA Connection section will determine the API endpoint and configuration data used to connect to Entrust CA Gateway.

• ApiEndpoint This is the base address of the endpoint used by the Gateway to connect to the API.
• CAId This is the name of the CA configured within the Entrust CA Gateway that is being integrated with. This value can be found with an authenticated GET /v1/certificate-authorities request to the ApiEndpoint. curl -X GET "https://cagw.yourcorp.com/cagw/v1/certificate-authorities" -H "accept: application/json"
• ClientCertificate This section will determine which certificate is used by the AnyGateway to authenticate to the API. It will search the Windows Certficaite Store by Location and Thumbprint to find the correct certificate. The network service account must have access to the Certificate and Key Material for certificate authentication to work.
• TrackingMap The TrackingMap configuration parameters are required for Entrust Certificate Services (Public CA) and allows for configurable Enrollment Fields to be defined in Keyfactor Command. These fields must be defined on all templates to be issued from the ECS CA.

  "CAConnection": {
	"ApiEndpoint":"https://cagw.yourcorp.com/cagw/",
	"CAId":"CA-Jupiter",
	"ClientCertificate":{
		"StoreName":"My",
		"StoreLocation":"LocalMachine",
		"Thumbprint":"e53342b3af95c98884c3438a96eab0e9952fdb6d"
	},
    "TrackingMap":{
		"TrackingInfo":"TrackingInfo",
		"TrackingEmail":"TrackingEmail",
		"TrackingPhone":"TrackingPhone",
		"TrackingName":"TrackingName",
		"TrackingAdditonalEmails":"TrackingAdditonalEmails"
    }
  }

GatewayRegistration

There are no specific Changes for the GatewayRegistration section. Refer to the Refer to the AnyGateway Documentation for more detail.

  "GatewayRegistration": {
    "LogicalName": "EntrustCASandbox",
    "GatewayCertificate": {
      "StoreName": "CA",
      "StoreLocation": "LocalMachine",
      "Thumbprint": "bc6d6b168ce5c08a690c15e03be596bbaa095ebf"
    }
  }

ServiceSettings

There are no specific Changes for the GatewayRegistration section. Refer to the Refer to the AnyGateway Documentation for more detail.

  "ServiceSettings": {
    "ViewIdleMinutes": 8,
    "FullScanPeriodHours": 24,
	"PartialScanPeriodMinutes": 480 
  }