
Configure an Entrust PKIaaS CA

Entrust PKI as a Service (PKIaaS) is a certificate authority provided by Entrust that you can use as the CA used to issue smart credentials. There are two options available:

Embedded Entrust PKIaaS: Identity as a Service creates the CA for you on demand. You can create only one embedded Entrust PKIaaS CA.

Note: To add an Embedded PKIaaS CA, you must have Smart Login enabled. If it is not enabled for your account by your Service Provider, PKIaaS is not available.

External Entrust PKIaaS: You have an Entrust PKIaaS that you purchased from Entrust and want to use as a certificate authority. You can create multiple external Entrust PKIaaS CAs.

Note: An external PKIaaS CA must support a smart card service profile and the Issuer CA must have OCSP enabled.

Configure an Embedded Entrust PKIaaS CA

Click > Resources > Certificate Authorities. The Certificate Authorities page appears.

Click and select Entrust PKIaaS CA (Embedded) from the drop-down list. The Add Entrust PKIaaS Certificate Authority page appears.

Configure the CA Settings. This section contains the information needed to connect the CA with your Identity as a Service account.

Enter a Name for your certificate authority.

Attention: When you configure a PKIaaS CA in Identity as a Service, it creates both a Root CA and an Issuer CA, and you must specify the DN for each. The Root CA issues the Issuer CA certificate, and the Issuer CA issues the certificates on your smart credentials.

Optionally, update the Root CA DN.

Example: cn=Root CA,o=My Company

Optionally, update the Issuer CA DN. The Issuer CA issues the certificates on your smart credentials.

Example: cn=PKIaaS CA,o=My Company

Configure the Digital ID Configurations. The Digital ID configuration specifies the kind of certificates that will be generated on your smart credentials. The information you specify includes the following:

DN: the format of the DN of your certificate.

Certificate template: the kind of certificate you want the CA to issue. The template also specifies where to store the certificate on the smart credential. The smart credential has four containers that store certificates. If you have more than one certificate template, then the digital ID will have multiple certificates (key pairs) associated with it.

subjectAltName: values that are encoded into the subjectAltName extension of the certificate.

For example, the default PIV Card Holder 1KP contains the following:

DN is cn=<first name> <last name> and includes the default search base for the CA.

One certificate template corresponding to the PIV Authentication container on the smart credential.

Several subjectAltNames including the user's email address and UPN.

By default, Entrust provides two digital ID configurations:

PIV Card Holder 1KP (identifies the user)—Uses the idaas-piv-authentication certificate template.

PIV Card (identifies the card)—Uses the idaas-card-authentication certificate template.

Note: Smart credential push and Windows smart card login only require that your smart credential have a PIV Authentication certificate. That is the certificate provided by the PIV Card Holder 1KP digital ID configuration.

You can also create the following certificate templates for PKIaaS digital ID configurations.

idaas-piv-authentication (authentication)

idaas-card-authentication (authentication)

idaas-digital-signature (digital signature)

idaas-key-management (encryption)

Note: These names correspond to certificate templates defined in PKIaaS. The name you specify in Identity as a Service tells PKIaaS which type of certificate to create for the digital ID. You may require more than one template depending on how you use the smart credential.

To configure additional digital IDs:

Enter the Searchbase of the digital ID configuration.

Click Add. The Add Digital ID Configuration dialog box appears.

From the Configuration Template drop-down list, select the type of configuration template associated with the searchbase listed in your CA.

Click Add. The configuration appears in a list of Digital ID configurations.

Repeat steps b to d to add the remaining configuration templates.

From the PIV Content Signer Algorithm drop-down list, select the algorithm used by the PIV Content Signer to sign the contents of the smart credential.

Click Save. It takes a minute for Identity as a Service to create the CA. Once created, the CA appears in the Certificate Authorities list with a symbol because you have not yet created the PIV Content Signer.

Create the PIV Content Signer as follows:

On the Certificate Authorities page, click  for your PKIaaS CA. The Create PIV Content Signer dialog box appears.

Optionally: Modify the PIV Content Signer DN if you want it to be different from the default provided.

Click OK to create the PIV Content Signer. The PIV Content Signer is added to the PKIaaS CA and the digital ID configurations that you created in step 5 are now read-write so that you can edit them. See Edit a PKIaaS CA for more information.

Click to test the PKIaaS CA. The PKIaaS CA Test Results dialog box appears.

Click OK to close the dialog box.

Configure an External Entrust PKIaaS CA

Click > Resources > Certificate Authorities. The Certificate Authorities page appears.

Click and select Entrust PKIaaS CA (External) from the drop-down list. The Add Entrust PKIaaS Certificate Authority page appears.

Configure the CA Settings. This section contains the information needed to connect the CA with your Identity as a Service account.

Enter a Name for your certificate authority.

Enter the CA ID. This is the ID of your Entrust PKIaaS CA.

Under PKIaaS Credentials, do the following:

Enter the CA Gateway URL of the Entrust PKIaaS. This is the CA Gateway information for the Issuer CA; you can find it where you created the CA.

Note: The Issuer CA must support OCSP to use smart credentials.

Click to upload the CA Gateway Credentials and browse to select the certificate file in .p12 format.

Enter the Password for the certificate file.

Click Save.

Configure the Digital ID Configurations. The Digital ID configuration specifies the kind of certificates that will be generated on your smart credentials. The information you specify includes the following:

DN: the format of the DN of your certificate.

Certificate template: the kind of certificate you want the CA to issue. The template also specifies where to store the certificate on the smart credential. The smart credential has four containers that store certificates. If you have more than one certificate template, then the digital ID will have multiple certificates (key pairs) associated with it.

subjectAltName: values that are encoded into the subjectAltName extension of the certificate.

For example, the default PIV Card Holder 1KP contains the following:

DN is cn=<first name> <last name> and includes the default search base for the CA.

One certificate template corresponding to the PIV Authentication container on the smart credential.

Several subjectAltNames including the user's email address and UPN.
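The DN fields in both procedures (the Root CA DN and Issuer CA DN in the CA Settings, and the digital ID DN built from cn=<first name> <last name> plus the searchbase) are RFC 4514 strings, so a user name that contains a comma or another special character must be escaped or it splits into extra RDNs. The following Python is an added example, not Entrust's code or part of Identity as a Service: it composes the digital ID DN from the page's template and a searchbase (the names and the searchbase o=My Company are constructed sample values), escapes special characters, parses DNs back into RDNs, and checks that a subject DN sits under the configured searchbase.

```python
"""RFC 4514 DN helpers for PKIaaS CA and digital ID configuration.

Added example, not Entrust's code. The DN template cn=<first name> <last name>
and the searchbase come from the configuration described on the page; the
sample names and the searchbase o=My Company are constructed values.
"""

# Characters that RFC 4514 requires to be escaped anywhere in an attribute value.
_SPECIAL = set(',+"\\<>;')
_HEX = set("0123456789abcdefABCDEF")


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value so it can be embedded in a DN string.

    Without this, a name such as "O'Brien, Jr." splits the DN at the comma
    and produces an extra, bogus RDN.
    """
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:          # a leading '#' would start a hex-encoded value
            out.append("\\#")
        elif ch == " " and i in (0, last):  # leading/trailing space is otherwise dropped
            out.append("\\ ")
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def build_subject_dn(first_name: str, last_name: str, searchbase: str) -> str:
    """Build the digital ID DN from the template cn=<first name> <last name>
    followed by the configured searchbase."""
    cn = escape_rdn_value(f"{first_name} {last_name}")
    return f"cn={cn},{searchbase}" if searchbase else f"cn={cn}"


def _split_unescaped(text: str, sep: str) -> list:
    """Split on sep, skipping separators that are backslash-escaped."""
    parts, cur, i = [], [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            cur.append(text[i:i + 2])        # keep the escape for later unescaping
            i += 2
            continue
        if text[i] == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(text[i])
        i += 1
    parts.append("".join(cur))
    return parts


def _unescape(value: str) -> str:
    """Undo RFC 4514 escaping. A \\XX hex pair is decoded as a single byte
    (multi-byte UTF-8 hex sequences are not reassembled in this example)."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            pair = value[i + 1:i + 3]
            if len(pair) == 2 and set(pair) <= _HEX:
                out.append(chr(int(pair, 16)))
                i += 3
            else:
                out.append(value[i + 1])
                i += 2
            continue
        out.append(value[i])
        i += 1
    return "".join(out)


def parse_dn(dn: str) -> list:
    """Parse a DN string into (attribute type, value) tuples, most specific
    RDN first. Multi-valued RDNs joined with '+' are not handled."""
    rdns = []
    for raw in _split_unescaped(dn, ","):
        attr, _, raw_value = raw.lstrip().partition("=")
        rdns.append((attr.strip().lower(), _unescape(raw_value)))
    return rdns


def is_under_searchbase(dn: str, searchbase: str) -> bool:
    """True when dn ends with exactly the RDNs of searchbase, i.e. the
    certificate subject sits under the configured searchbase."""
    d, s = parse_dn(dn), parse_dn(searchbase)
    return len(d) > len(s) and d[-len(s):] == s


if __name__ == "__main__":
    base = "o=My Company"                    # constructed searchbase
    for first, last in (("Alice", "Smith"), ("Mary", "O'Brien, Jr.")):
        dn = build_subject_dn(first, last, base)
        print(dn, "->", parse_dn(dn), "under searchbase:", is_under_searchbase(dn, base))
    # The unescaped form of the second name parses into three RDNs, one of them bogus.
    print(parse_dn("cn=Mary O'Brien, Jr.,o=My Company"))
```

The same parse_dn check applies to the Root CA DN and Issuer CA DN values you enter in the CA Settings: both should parse into the RDNs you intended, and the two DNs must differ.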

By default, Entrust provides two digital ID configurations:

PIV Card Holder 1KP (identifies the user)—Uses the idaas-piv-authentication certificate template.

PIV Card (identifies the card)—Uses the idaas-card-authentication certificate template.

Note: Smart credential push and Windows smart card login only require that your smart credential have a PIV Authentication certificate. That is the certificate provided by the PIV Card Holder 1KP digital ID configuration.

You can also create the following certificate templates for PKIaaS digital ID configurations.

idaas-piv-authentication (authentication)

idaas-card-authentication (authentication)

idaas-digital-signature (digital signature)

idaas-key-management (encryption)

Note: These names correspond to certificate templates defined in PKIaaS. The name you specify in Identity as a Service tells PKIaaS which type of certificate to create for the digital ID. You may require more than one template depending on how you use the smart credential.

To configure additional digital IDs:

Enter the Searchbase of the digital ID configuration.

Click Add. The Add Digital ID Configuration dialog box appears.

From the Configuration Template drop-down list, select the type of configuration template associated with the searchbase listed in your CA.

Click Add. The configuration appears in a list of Digital ID configurations.

Repeat steps b to d to add the remaining configuration templates.

From the PIV Content Signer Algorithm drop-down list, select the algorithm used by the PIV Content Signer to sign the contents of the smart credential.

Click Save. It takes a minute for Identity as a Service to create the CA. Once created, the CA appears in the Certificate Authorities list with a symbol because you have not yet created the PIV Content Signer.

Create the PIV Content Signer as follows:

On the Certificate Authorities page, click  next to the Entrust PKIaaS CA-External. The Create PIV Content Signer dialog box appears.

Optionally: Modify the PIV Content Signer DN if you want it to be different from the default provided.

Click OK to create the PIV Content Signer. The PIV Content Signer is added to the PKIaaS CA and the digital ID configurations that you created in step 5 are now read-write so that you can edit them. See Edit a PKIaaS CA for more information.

Click to test the Entrust PKIaaS CA. The Entrust PKIaaS CA Test Results dialog box appears.

Click OK to close the dialog box.