Configure an Entrust Managed PKI certificate authority (CA)

This procedure outlines how to configure an Entrust Managed PKI CA. Before you begin, obtain the certificate files from Entrust: you need the .EPF files when you configure the CA in Identity as a Service, and you need both an XAP EPF and a PIV EPF.

Configure an Entrust Managed PKI CA

1.      Click > Resources > Certificate Authorities. The Certificate Authorities page appears.

2.      Click Issuing Certificate Authority and then select Entrust Managed PKI CA from the drop-down list.

3.      Configure the Connection Settings. This section contains the information needed to connect the CA with your Identity as a Service account.

a.      Enter a Name for your certificate authority.

b.      In the PKI Host field enter the fully qualified domain name of the computer hosting the PKI.

c.      Enter the PKI CMP Port number of the host running the PKI CMP service. This is the port used to request certificate information. The default is 829.

d.      Enter the XAP Port number of the host running the XAP service. All CAs on Identity as a Service must connect to an XAP service to perform administrative operations. The default is 1443.

Note: XAP is used for administrative operations, such as modeling a user in the CA and setting them up for a digital ID creation or recovery.

e.      Click and select the .epf capable of performing XAP operations. The XAP EPF contains the administrative credentials for the CA being created.

f.      Enter the XAP EPF Password.

4.      Configure the PIV Content Signer Settings for the certificate authority. These settings define how the smart credential PIV applet information is signed by the CA.

a.      The default PIV Content Signer Algorithm type is RSA RECOMMENDED NO SHA224. Do not change this setting unless you are sure of the setting you need, and why you need it.

b.      If the managed CA is used to issue PIV smart credentials, click  and navigate to the .epf of an administrator capable of performing PIV signing operations.

c.      Enter the PIV EPF Password.

The PIV Content Signer DN is entered automatically after you upload the certificate.

5.      Configure the LDAP Configuration settings. The LDAP configuration settings contain information required to access the certificate revocation list (CRL). The CRL is checked by Identity as a Service at every log in attempt to confirm that the certificate being used has not been revoked.

a.      In the LDAP Host field, enter the fully qualified host name of the computer hosting the LDAP directory.

b.      In the LDAP Port field, enter the LDAP port number used to connect to the LDAP directory.

c.      Click Use SSL to secure the connection to your LDAP directory (LDAPS) and, optionally, enter your directory Username and Password. Use an account that has read-only access to the underlying Active Directory.

6.      Configure the Other Settings, as required:

a.      Select Immediately Publish CRL Upon Revocation if you want a new CRL published immediately after a revocation operation. If deselected, the CRL publishes every 24 hours.

b.      The Revocation Cache Timeout (min) is the number of minutes Identity as a Service should cache the revocation information of a CA before refreshing the information. The default is 120 minutes.

c.      Select Skip Revocation If CA Not Available to allow Identity as a Service to delete or disable a smart credential even if certificate revocation fails (for example, because the CA cannot be reached). If deselected, the delete or disable operation fails whenever certificate revocation fails.

d.      Select Use as a Trusted CA for Device Verification to use this CA as a trusted CA for device verification.
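The settings in steps 5 and 6 interact: a revoked certificate can still pass the login-time CRL check until the CA publishes a new CRL and Identity as a Service refreshes its revocation cache. The following model is an added illustration, not Entrust code; the CA, directory and clock are in-memory stand-ins, and the serial numbers and minute timestamps are constructed. It shows how Revocation Cache Timeout, Immediately Publish CRL Upon Revocation and Skip Revocation If CA Not Available change what is accepted and when.

```python
"""Constructed model of the revocation settings from steps 5 and 6.
Not Entrust code: the CA, directory and clock are in-memory stand-ins."""
from dataclasses import dataclass, field


class CAUnavailable(Exception):
    """The CA (or the LDAP directory that serves its CRL) could not be reached."""


@dataclass
class SimulatedCA:
    """Stand-in for the Managed PKI plus the LDAP directory serving its CRL."""
    immediate_publish: bool = True        # "Immediately Publish CRL Upon Revocation"
    publish_interval_min: int = 24 * 60   # otherwise a new CRL is published every 24 hours
    available: bool = True
    revoked: set = field(default_factory=set)        # revocations the CA has accepted
    published_crl: set = field(default_factory=set)  # what the directory currently serves
    last_publish_min: int = 0

    def revoke(self, serial: str, now_min: int) -> None:
        if not self.available:
            raise CAUnavailable("CMP service not reachable")
        self.revoked.add(serial)
        if self.immediate_publish:
            self.publish(now_min)

    def publish(self, now_min: int) -> None:
        self.published_crl = set(self.revoked)
        self.last_publish_min = now_min

    def fetch_crl(self, now_min: int) -> set:
        if not self.available:
            raise CAUnavailable("LDAP directory not reachable")
        # Scheduled publication catches up once the 24-hour interval has elapsed.
        if (not self.immediate_publish
                and now_min - self.last_publish_min >= self.publish_interval_min):
            self.publish(now_min)
        return set(self.published_crl)


@dataclass
class RevocationChecker:
    """Models the Identity as a Service side: CRL cache plus the skip-revocation policy."""
    ca: SimulatedCA
    cache_timeout_min: int = 120          # "Revocation Cache Timeout (min)", default 120
    skip_if_ca_unavailable: bool = False  # "Skip Revocation If CA Not Available"
    _cached_crl: set = field(default_factory=set)
    _cached_at_min: int = -10**9          # forces a fetch on first use

    def _crl(self, now_min: int) -> set:
        if now_min - self._cached_at_min >= self.cache_timeout_min:
            self._cached_crl = self.ca.fetch_crl(now_min)
            self._cached_at_min = now_min
        return self._cached_crl

    def login_allowed(self, serial: str, now_min: int) -> bool:
        """Step 5: every login attempt is checked against the (cached) CRL."""
        return serial not in self._crl(now_min)

    def disable_credential(self, serial: str, now_min: int) -> str:
        """Step 6c: revoke the certificate, then disable the smart credential.
        Returns 'disabled' or 'disabled-revocation-pending'; raises when the
        policy says the operation must fail."""
        try:
            self.ca.revoke(serial, now_min)
            return "disabled"
        except CAUnavailable:
            if self.skip_if_ca_unavailable:
                return "disabled-revocation-pending"  # an operator must revoke later
            raise


def worst_case_acceptance_window_min(immediate_publish: bool, cache_timeout_min: int,
                                     publish_interval_min: int = 24 * 60) -> int:
    """Longest time a freshly revoked certificate can still pass the login check."""
    return cache_timeout_min + (0 if immediate_publish else publish_interval_min)


if __name__ == "__main__":
    ca = SimulatedCA(immediate_publish=True)
    checker = RevocationChecker(ca)
    checker.login_allowed("1001", 0)        # primes the cache with an empty CRL
    ca.revoke("1001", 10)                   # revoked and published at minute 10
    print("minute 60 :", checker.login_allowed("1001", 60))    # still cached -> True
    print("minute 120:", checker.login_allowed("1001", 120))   # cache refreshed -> False
    print("window (immediate publish):", worst_case_acceptance_window_min(True, 120))
    print("window (24h publish)      :", worst_case_acceptance_window_min(False, 120))
```

With immediate publishing and the default cache timeout, a revoked certificate can be accepted for at most 120 minutes; with the 24-hour schedule the window grows to 1560 minutes, which is the figure to weigh when deciding whether to enable Immediately Publish CRL Upon Revocation. The "disabled-revocation-pending" outcome is the trade-off behind Skip Revocation If CA Not Available: the credential is disabled in Identity as a Service, but its certificate stays valid at the CA until someone revokes it.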

7.      Configure the Digital ID Configurations as follows:

a.      Enter the Searchbase of the digital ID configuration. The searchbase value is listed in the CA you downloaded from Entrust.

b.      Click Add. The Add Digital ID Configuration dialog box appears.

c.      From the Configuration Template drop-down list, select the type of configuration template associated with the searchbase listed in your CA. The template associated with the searchbase is also listed in the CA you downloaded from Entrust.

Note: You may require more than one template depending on how you are using the smart credential.

For smart credential push authentication, you require the following configuration templates. You must add each one individually.

- PIV Card (identifies the card)

- PIV Cardholder (identifies the user)

d.      Click Add. The configuration appears in a list of Digital ID configurations.

e.      Repeat steps b to d to add the remaining configuration templates.

8.      Click Save. The CA appears on the Certificate Authorities page.

Edit or Delete the CA

If you need to make changes to the CA, you can edit it as follows:

1. On the Certificate Authorities page, click the Name of the CA. The Edit Certificate Authorities page appears.
2. Using the information in the procedure above for configuring a CA, edit the CA as required and click Save.

To delete a CA, click next to the CA you want to delete, and then click Delete on the confirmation prompt.