
Export an Entrust Managed PKI CA trust chain

To let a user use their smart credential for Windows Smart Card Logon (SCLO), you must export the user's smart credential certificate authority (CA) to their Windows Domain. The CA certificates exported from an Identity as a Service account are contained in a zip file. The zip file contains the following files:

trustedca.cer: The root CA that should be loaded into the Windows Trusted CA of the user using their mobile Smart Credential to achieve smart card logon.

intermediatecaX.ca: The intermediate certificates that should be loaded into the Windows Intermediate CA store of the appropriate users.

You can export the following CAs from Identity as a Service:

Restricted CA for Shared MSO CA: Export this CA if the MSO Shared CA provided to you by Entrust is also being used by other users.

Normal Root CA for dedicated MSO CA: Export this CA if the CA provided to you by Entrust is not being used by other users and is solely dedicated to your account.

See the Entrust Certificate Agent for Windows Smart Card Logon Integration Guide for more information about configuring a CA for SCLO.

Export the Entrust CA trust chain

Click > Resources > Certificate Authorities. The Certificate Authorities page appears.

Click for the CA you want to export. The Export CA Trust Chain dialog box appears.

Select the type of CA to export.

Select Restricted Trust Root CA for MSO Shared CAs if the CA is also being used by other users.

Select Normal Root CA for Dedicated CAs if the CA is dedicated to your account.

Optional: Select Replace Existing CA to force Identity as a Service to replace the existing Identity as a Service CA with a newly generated one.

This option is available only if you select Restricted Trust Root CA for MSO Shared CA as the CA.

WARNING: Replacing your existing CA causes any previous certificates to be deleted. Any CA certificates previously loaded into the Windows Domain must be replaced with the newly-generated one if the existing CA is replaced on Identity as a Service.

Click Export to download the CA zip file.

Tip: If the certificate trust chain fails to download, check the Gateway password agent logs for errors. If there is nothing significant, check the Microsoft CA Proxy log.
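Before the downloaded certificates are loaded into the Windows stores named above, it is worth checking that the zip contents form one consistent chain. The following PowerShell script is an added example, not part of the Entrust documentation: the zip path, extraction folder and store location are assumptions, and it loads the stores of a single computer only.

```powershell
using namespace System.Security.Cryptography.X509Certificates
# Added example: check the exported trust chain, then optionally load it.
param(
    [string]$ZipPath  = 'C:\Temp\ca-trust-chain.zip',  # assumed name of the downloaded zip
    [string]$WorkDir  = 'C:\Temp\ca-trust-chain',      # assumed extraction folder
    [string]$Location = 'LocalMachine',                # or 'CurrentUser' (assumption)
    [switch]$Import                                    # without -Import, report only
)
$ErrorActionPreference = 'Stop'
Expand-Archive -Path $ZipPath -DestinationPath $WorkDir -Force

$root   = [X509Certificate2]::new((Join-Path $WorkDir 'trustedca.cer'))
$inters = @(Get-ChildItem -Path $WorkDir -Filter 'intermediateca*' |
            ForEach-Object { [X509Certificate2]::new($_.FullName) })
$all    = @($root) + $inters

# The root must be self-issued, and every certificate inside its validity period.
if ($root.Subject -ne $root.Issuer) { throw "trustedca.cer is not self-issued: $($root.Issuer)" }
$now = Get-Date
foreach ($c in $all) {
    if ($now -lt $c.NotBefore -or $now -gt $c.NotAfter) { throw "Outside validity: $($c.Subject)" }
}

# Every intermediate must chain up to the exported root.
foreach ($c in $inters) {
    $chain = [X509Chain]::new()
    $chain.ChainPolicy.RevocationMode    = [X509RevocationMode]::NoCheck
    $chain.ChainPolicy.VerificationFlags = [X509VerificationFlags]::AllowUnknownCertificateAuthority
    $all | ForEach-Object { [void]$chain.ChainPolicy.ExtraStore.Add($_) }
    $ok  = $chain.Build($c)
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    if ($top.Thumbprint -ne $root.Thumbprint) { throw "Does not chain to trustedca.cer: $($c.Subject)" }
    if (-not $ok) { Write-Warning "Chain status for $($c.Subject): $($chain.ChainStatus.Status -join ', ')" }
}

# Print thumbprints so they can be compared with values obtained out of band.
$all | Format-Table Subject, Thumbprint, NotAfter -AutoSize

if ($Import) {
    # Root goes to the trusted root store, intermediates to the intermediate CA store.
    $targets = @{ Root = @($root); CertificateAuthority = $inters }
    foreach ($name in $targets.Keys) {
        $store = [X509Store]::new([StoreName]$name, [StoreLocation]$Location)
        $store.Open([OpenFlags]::ReadWrite)
        $targets[$name] | ForEach-Object { $store.Add($_) }
        $store.Close()
    }
}
```

Run it once without -Import to review the report, and rerun it after any export made with Replace Existing CA, since the thumbprints change when the CA is regenerated.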