Configuring Enrollment Settings

The enrollment settings are configured by creating a configuration profile for certificate enrollment and assigning it to hosts. There is no need to deploy the enrollment settings separately.

Host certificate enrollment settings can be created in Configurations → Edit Configurations under the PKI tab, Enrollment settings folder.

Figure 9.7. Enrolling certificates

The following information must be specified:

  • The PKI settings used for enrolling the certificates. The preconfigured Internal Root CA is recommended.

  • Parameters for the keys to be generated: key type and length.

  • The subject name used in the certificate enrollment request. The subject name must be specified in the DN (Distinguished Name) notation. The default value works well in most cases. The following variables can be used within the subject name:

    • %IP_ADDRESS%, substituted with the IP address of the host.

    • %IP_ADDRESS_LIST%, substituted with all of the IP addresses of that host. Usable only in the subject altName part (as in IP=%IP_ADDRESS_LIST%), not in the actual subject name.

    • %DNS_NAME%, substituted with the DNS name (fully qualified host name) of the host.

    • %DNS_NAME_LIST%, substituted with all of the DNS names of that host. Usable only in the subject altName part (as in DNS=%DNS_NAME_LIST%), not in the actual subject name.

    • %HOST_NAME%, substituted with the short host name (DNS name without the domain part).

    • %REFERENCE_NUMBER%, substituted with the reference number of the authorization code allocated for the host. Only needed in Entrust Web Enrollment.

    The subject name field is mostly parsed as a Distinguished Name (DN). In addition, semicolon-separated DNS and IP fields can be used to specify subject alternative names for the request (see the example below). Note that this means that a colon has to be used to separate RDNs in the DN. The default value of the subject name field is CN=%DNS_NAME%;DNS=%DNS_NAME_LIST%;IP=%IP_ADDRESS_LIST%. With this default, multiple subject alternative name DNS entries are added to the host certificate if the host has reported aliases.

  • Select whether an FQDN is required. If FQDN required is selected, the managed host must have a fully qualified domain name; it is used in the subject name field and therefore included as a name in the host certificate. If an FQDN is not required, an IP address in the certificate is sufficient. Without an FQDN, server authentication in the Secure Shell client is restricted to connections made with explicit IP addresses.
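To make the subject name field format concrete, the following added example (not code from the product) expands the template variables for one constructed host record, splits the semicolon-separated field into the DN and the DNS/IP altName parts, rejects %..._LIST% variables inside the DN, and enforces the FQDN required setting. The host record, the function names and the splitting logic are assumptions for illustration only.

```python
# Constructed sample host record (example data, not from any real deployment).
HOST = {
    "dns_name": "web1.example.com",               # fully qualified host name
    "dns_aliases": ["www.example.com"],           # extra names the host reported
    "ip_addresses": ["192.0.2.10", "192.0.2.11"],
}

DEFAULT_SUBJECT = "CN=%DNS_NAME%;DNS=%DNS_NAME_LIST%;IP=%IP_ADDRESS_LIST%"

# %..._LIST% variables expand to several values, so they are only valid in
# the DNS= / IP= altName fields, never inside the DN itself.
LIST_VARS = ("%DNS_NAME_LIST%", "%IP_ADDRESS_LIST%")


def _scalar_vars(host):
    """Single-valued variables that may appear anywhere in the template."""
    fqdn = host.get("dns_name") or ""
    return {
        "%DNS_NAME%": fqdn,
        "%HOST_NAME%": fqdn.split(".")[0],
        "%IP_ADDRESS%": (host.get("ip_addresses") or [""])[0],
    }


def _list_var(name, host):
    """All DNS names (FQDN first, then aliases) or all IP addresses."""
    if name == "%DNS_NAME_LIST%":
        return [n for n in [host.get("dns_name"), *host.get("dns_aliases", [])] if n]
    return list(host.get("ip_addresses", []))


def expand_subject(template, host, fqdn_required=True):
    """Return (dn, {"DNS": [...], "IP": [...]}) for the enrollment request."""
    if fqdn_required and "." not in (host.get("dns_name") or ""):
        raise ValueError("FQDN required but host has no fully qualified name")
    dn, san = None, {"DNS": [], "IP": []}
    for field in (f.strip() for f in template.split(";") if f.strip()):
        key, _, value = field.partition("=")
        if key in san:                                  # altName field
            if value in LIST_VARS:
                san[key].extend(_list_var(value, host))
            else:                                       # literal or scalar var
                for var, repl in _scalar_vars(host).items():
                    value = value.replace(var, repl)
                san[key].append(value)
            continue
        if dn is not None:
            raise ValueError("only one DN allowed; other fields must be DNS= or IP=")
        if any(var in field for var in LIST_VARS):
            raise ValueError("list variables are only usable in altName fields")
        for var, repl in _scalar_vars(host).items():
            field = field.replace(var, repl)
        dn = field
    return dn, san
```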