The Entrust Device Agent supports client authentication through a device certificate on both Windows and macOS systems. The Entrust Device Agent receives a list of acceptable Certificate Authorities (CAs) from IDaaS, locates a local device certificate issued by one of these CAs, and forwards it to IDaaS to finalize the client authentication process.
On the IDaaS side, trusted CAs must be configured following the instructions outlined in Configure a Trusted CA.
Locally, certificates and CAs need to be configured.
The following is required to set up a valid device certificate to be used for IDaaS client authentication on Windows:
● The device certificate needs to have one of the following purposes for Extended Key Usage (2.5.29.37):
– Any Extended Key Usage (2.5.29.37.0)
– Client Authentication (1.3.6.1.5.5.7.3.2)
● The device certificate needs to have Digital Signature usage for Key Usage extension (2.5.29.15).
● The device certificate must be trusted on the computer. Hence, the certificate chain must be imported into the expected Windows certificate store.
● The issuer CA needs to be in the trusted CAs list of IDaaS.
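The following PowerShell script is an added example, not part of the Entrust documentation or the Device Agent itself. It walks the Windows LocalMachine\My store and reports, for each certificate, which of the four requirements above it fails. The `$TrustedIssuers` array is a placeholder standing in for the CA list configured in IDaaS; fill it with the issuer names from your own tenant.

```powershell
# Added example (not Entrust's code): audit LocalMachine\My against the
# device-certificate requirements listed above.
# $TrustedIssuers is a placeholder for the IDaaS trusted-CA list (assumption).
$TrustedIssuers = @('CN=EXAMPLE-ISSUING-CA, O=Example Corp')

$AnyEkuOid    = '2.5.29.37.0'        # Any Extended Key Usage
$ClientEkuOid = '1.3.6.1.5.5.7.3.2'  # Client Authentication
$KuFlags      = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]

function Test-DeviceCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $problems = @()

    # 1. EKU (2.5.29.37) must carry Any EKU or Client Authentication
    $eku = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $ekuOids = @()
    if ($eku) { $ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    if (-not ($ekuOids -contains $AnyEkuOid -or $ekuOids -contains $ClientEkuOid)) {
        $problems += 'EKU lacks Any Extended Key Usage / Client Authentication'
    }

    # 2. Key Usage (2.5.29.15) must include Digital Signature
    $ku = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.15' }
    if (-not $ku -or -not $ku.KeyUsages.HasFlag($KuFlags::DigitalSignature)) {
        $problems += 'Key Usage lacks Digital Signature'
    }

    # 3. The chain must build against this machine's trusted stores
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    if (-not $chain.Build($Cert)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        $problems += "Chain does not validate on this machine ($status)"
    }

    # 4. Issuer must be one of the CAs IDaaS trusts (name match against placeholder list)
    if ($TrustedIssuers -notcontains $Cert.Issuer) {
        $problems += "Issuer '$($Cert.Issuer)' is not in the IDaaS trusted CA list"
    }

    [pscustomobject]@{
        Subject    = $Cert.Subject
        Thumbprint = $Cert.Thumbprint
        Eligible   = ($problems.Count -eq 0)
        Problems   = ($problems -join '; ')
    }
}

Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-DeviceCertificate -Cert $_ } |
    Format-Table Subject, Eligible, Problems -AutoSize
```

Check 4 compares the full issuer distinguished name as a string, which is a simplification; the Device Agent matches against the CA list it receives from IDaaS, so treat a mismatch here as a prompt to verify the CA configuration rather than a definitive failure.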