2.10 Limitations
The following are known limitations with MyID's integration with an Entrust CA accessed through the Entrust CA Gateway:
- MyID has not been tested with Entrust CA policies that have been configured to support ECC keys and related signing algorithms; however, RSA 1024, 2048, 3072, and 4096 bit keys are supported on devices that support those key sizes.
- The Entrust CA Gateway API does not support directory certificate attributes.
- The Entrust DN tracking feature is not supported by the MyID Entrust Rest API connector.
- By default, the Entrust CA restricts certificate lifetime to a minimum period of seven days when the certificate is requested through the Entrust CA Gateway. The CA increases the lifetime to seven days if the requested certificate lifetime is less than seven days. If you want to issue short lifetime certificates, you must configure the EnableShortCertValidity option within Entrust; see your Entrust documentation for details.
- The use of the Entrust CA default certificate lifetime feature is not currently supported.
- The rule for the generation of passcodes for protecting the certificate private key in a PKCS#12 response is not configurable. The rule exists so that the passcode meets the requirements stated in the documentation for Entrust CA application version 2.8.10+.
  The passcode generation rules are as follows:
  - When generating a passcode for requesting a certificate, the passcode must be exactly 16 characters long and contain at least one uppercase and one lowercase letter from the ISO basic Latin alphabet, one number, and one symbol.
  - When generating a passcode for requesting a key recovery, the passcode must be exactly 32 characters long and contain at least one uppercase and one lowercase letter from the ISO basic Latin alphabet, one number, and one symbol.
- MyID does not have direct access to the Entrust Administration Toolkit or the LDAP directory service when using the Entrust Gateway. Due to this, the connection does not support directly managing the Entrust CA user account or any attributes associated with those accounts.
  This may affect your ability to issue certificates where the user account is required to be created with a mandatory or custom attribute. Support for these attributes is outside of the control of MyID.
- Entrust does not support synchronized profiles when the profile contains a mandatory variable.
  If you attempt to issue a certificate, the logs may show errors containing text similar to the following:
    cagw-5501
    Unable to create user account in CA.
    The variable Interim Indicator: (interim_indicator) does not have a value defined. This variable is not defined as optional for certificate type piv_card_1kp.
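The passcode rules listed above (16 characters for a certificate request, 32 for key recovery, each with at least one uppercase letter, one lowercase letter, one digit and one symbol) can be checked and satisfied as shown in this added example; it is illustrative code, not MyID's or Entrust's own implementation, and the symbol set it uses is an assumption because the page does not list which symbols Entrust accepts.

```python
import secrets
import string

# Character classes named by the rule: ISO basic Latin letters, digits, symbols.
UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits
# Assumed symbol set: the page does not say which symbols Entrust accepts.
SYMBOLS = "!#$%&*+-=?@^_"
POOL = UPPER + LOWER + DIGITS + SYMBOLS

# Required lengths from the page: 16 for a certificate request, 32 for key recovery.
LENGTHS = {"certificate": 16, "key_recovery": 32}


def is_valid_passcode(passcode: str, purpose: str) -> bool:
    """Return True if passcode meets the rule for the given purpose."""
    if len(passcode) != LENGTHS[purpose]:
        return False
    # Reject anything outside the ISO basic Latin alphabet, digits and symbols
    # (for example accented letters), which the rule does not allow.
    if any(c not in POOL for c in passcode):
        return False
    return (any(c in UPPER for c in passcode)
            and any(c in LOWER for c in passcode)
            and any(c in DIGITS for c in passcode)
            and any(c in SYMBOLS for c in passcode))


def generate_passcode(purpose: str) -> str:
    """Generate a rule-compliant passcode using a CSPRNG (the secrets module)."""
    length = LENGTHS[purpose]
    # Draw one character from each mandatory class so the rule always holds,
    # then fill the rest of the length from the full pool.
    chars = [secrets.choice(UPPER), secrets.choice(LOWER),
             secrets.choice(DIGITS), secrets.choice(SYMBOLS)]
    chars += [secrets.choice(POOL) for _ in range(length - len(chars))]
    # Shuffle so the mandatory characters do not sit at predictable positions.
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


if __name__ == "__main__":
    for purpose in LENGTHS:
        pc = generate_passcode(purpose)
        print(purpose, pc, is_valid_passcode(pc, purpose))
```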