This integration allows for the Synchronization, Enrollment, and Revocation of certificates from Entrust.
This repository contains an AnyGateway CA Connector, which is a plugin to the Keyfactor AnyGateway. AnyGateway CA Connectors allow Keyfactor Command to be used for inventory, issuance, and revocation of certificates from a third-party certificate authority.
This AnyGateway plug-in enables issuance, revocation, and synchronization of certificates from Entrust's Managed SSL/TLS offering.
Entrust API now supports two methods of authentication:
- Basic Auth only
- Basic Auth + Certificate Auth
When creating your API user name and password in the Entrust portal, you will be given the option to select a certificate to go with it. If you do select a certificate, then the gateway will require that certificate information to connect. Otherwise, do not provide ClientCertificate information to the gateway.
The Entrust AnyGateway requires the Keyfactor AnyGateway v21.5.1 or newer
Migrating to the Entrust AnyGateway plugin from a previous version of the standalone Entrust Gateway.
If you are upgrading from an older version of the Entrust gateway that still used the GUI configuration wizard (20.1.x or earlier), you first have to do an upgrade to EntrustCAProxy version 21.x to migrate your database to SQL. After doing that upgrade, follow the below steps to migrate from 21.x to the current version.
-
IMPORTANT CONFIG CHANGE: 21.9 and earlier pulled certificate EKU information from the templates. That information is now provided in the config file. See the below section on Templates, and make sure to add the CertificateUsage parameter to any public SSL types in your config.
-
Before doing any upgrade, run the following PowerShell command: reg export "HKLM\Software\Keyfactor\Keyfactor CA Gateway" C:\EntrustGatewayBackup.reg
-
After backing up the registry key, completely uninstall the old version of the Entrust CA Gateway
-
Follow the instructions to install the AnyGateway product and update the CAProxyServer.config file, but do not do any further configuration yet
-
Run the following PowerShell command: reg import C:\EntrustGatewayBackup.reg
-
Continue with the gateway configuration, but do NOT run the Set-KeyfactorGatewayEncryptionCert or the Set-KeyfactorGatewayDatabaseConnection cmdlets, as those values were the ones persisted in the registry backup.
This is a one-time process as the Entrust gateway moves fully to the Keyfactor AnyGateway model. Future upgrades will not require this process.
In order to enroll for certificates the Keyfactor Command server must trust the trust chain. Once you create your Root and/or Subordinate CA, make sure to import the certificate chain into the AnyGateway and Command Server certificate store
-
Download latest successful build from GitHub Releases
-
Copy EntrustCAProxy.dll to the Program Files\Keyfactor\Keyfactor AnyGateway directory
-
Update the CAProxyServer.config file
- Update the CAConnection section to point at the EntrustCAProxy class
<alias alias="CAConnector" type="Keyfactor.Extensions.AnyGateway.Entrust.EntrustCAConnector, EntrustCAProxy"/>
The following sections will breakdown the required configurations for the AnyGatewayConfig.json file that will be imported to configure the AnyGateway.
The Template section will map the CA's products to an AD template. Available ProductIDs will depend on your Entrust account's inventory The Lifetime parameter is optional and represents the certificate duration in months. If not provided, default is 12 months. The CertificateUsage parameter is REQUIRED for public SSL certificate types, and represents the key usage for the certificates enrolled against this template. Valid values are "server", "client", or "serverclient". Do not provide this value for cert types that are not public SSL.
"Templates": {
"WebServer": {
"ProductID": "STANDARD_SSL",
"Parameters": {
"Lifetime":"12",
"CertificateUsage":"server"
}
}
}The following product codes are supported:
- STANDARD_SSL
- ADVANTAGE_SSL
- UC_SSL
- EV_SSL
- QWAC_SSL
- PSD2_SSL
- WILDCARD_SSL
- PRIVATE_SSL
- PD_SSL
- CODE_SIGNING
- EV_CODE_SIGNING
- CDS_INDIVIDUAL
- CDS_GROUP
- CDS_ENT_LITE
- CDS_ENT_PRO
- SMIME_ENT
The security section does not change specifically for the Entrust Gateway. Refer to the AnyGateway Documentation for more detail.
/*Grant permissions on the CA to users or groups in the local domain.
READ: Enumerate and read contents of certificates.
ENROLL: Request certificates from the CA.
OFFICER: Perform certificate functions such as issuance and revocation. This is equivalent to "Issue and Manage" permission on the Microsoft CA.
ADMINISTRATOR: Configure/reconfigure the gateway.
Valid permission settings are "Allow", "None", and "Deny".*/
"Security": {
"Keyfactor\\Administrator": {
"READ": "Allow",
"ENROLL": "Allow",
"OFFICER": "Allow",
"ADMINISTRATOR": "Allow"
},
"Keyfactor\\gateway_test": {
"READ": "Allow",
"ENROLL": "Allow",
"OFFICER": "Allow",
"ADMINISTRATOR": "Allow"
},
"Keyfactor\\SVC_TimerService": {
"READ": "Allow",
"ENROLL": "Allow",
"OFFICER": "Allow",
"ADMINISTRATOR": "None"
},
"Keyfactor\\SVC_AppPool": {
"READ": "Allow",
"ENROLL": "Allow",
"OFFICER": "Allow",
"ADMINISTRATOR": "Allow"
}
}The Certificate Managers section is optional. If configured, all users or groups granted OFFICER permissions under the Security section must be configured for at least one Template and one Requester. Uses "" to specify all templates. Uses "Everyone" to specify all requesters. Valid permission values are "Allow" and "Deny".
"CertificateManagers":{
"DOMAIN\\Username":{
"Templates":{
"MyTemplateShortName":{
"Requesters":{
"Everyone":"Allow",
"DOMAIN\\Groupname":"Deny"
}
},
"<All>":{
"Requesters":{
"Everyone":"Allow"
}
}
}
}
}The CA Connection section will determine the API endpoint and configuration data used to connect to Entrust CA Gateway.
AuthUsernameThis is the username for the gateway to use to authenticate to EntrustAuthPasswordThis is the password for the account the gateway should use to authenticate to EntrustClientCertificate(OPTIONAL) The location and thumbprint of the client authentication certificate to use to connect to EntrustNameThe default requester name.EmailThe default requester email address.PhoneNumberThe default requester phone numberIgnoreExpired(OPTIONAL) If set to true, will not sync expired certs from the Entrust account.
"CAConnection": {
"AuthUsername":"exampleUser",
"AuthPassword":"samplePassword",
"ClientCertificate": {
"StoreName": "My",
"StoreLocation": "LocalMachine",
"Thumbprint": "0123456789abcdef"
},
"Name": "TestUser",
"Email": "email@email.invalid",
"PhoneNumber": "0000000000",
"IgnoreExpired": "false"
},There are no specific Changes for the GatewayRegistration section. Refer to the AnyGateway Documentation for more detail.
"GatewayRegistration": {
"LogicalName": "EntrustCASandbox",
"GatewayCertificate": {
"StoreName": "CA",
"StoreLocation": "LocalMachine",
"Thumbprint": "0123456789abcdef"
}
}There are no specific Changes for the ServiceSettings section. Refer to the AnyGateway Documentation for more detail.
"ServiceSettings": {
"ViewIdleMinutes": 8,
"FullScanPeriodHours": 24,
"PartialScanPeriodMinutes": 240
}