Entrust Authority: Enrollment Server for VPN

Supported Enrollment Protocols

  • PKCS#10
  • Simple Certificate Enrollment Protocol (SCEP), including support for automated enrollment and key update

Supported VPN Devices

  • Cisco
  • Nortel
  • Check Point

Supported Platforms

  • Microsoft® Windows® Server 2003

Compatible Products

  • Entrust® Authority™ Security Manager 7.0 or higher - required
  • Microsoft IIS 6.0 - optional for customers who wish to use an external web server to handle SCEP requests, rather than the internal HTTP listener provided with Enrollment Server for VPN

VPN digital ID enrollment options

Enrollment Server for VPN supports two methods of enrolling VPN device digital IDs:

  • Manual enrollment for PKCS #10-enabled and SCEP devices
    In this scenario:
    • For PKCS #10-enabled devices, the VPN device administrator manually forwards the PKCS #10 request to the Enrollment Server for VPN administrator, who processes the request and returns the certificate.
    • For SCEP devices, the certificate request is routed automatically to Enrollment Server for VPN, and the administrator manually approves each SCEP request as it arrives.
  • Auto-enrollment for SCEP devices
    In this scenario, the certificate request is routed automatically to Enrollment Server for VPN. The request is processed and the certificate returned without intervention from administrators.

Configuring Enrollment Server for VPN to use auto-enrollment can eliminate the need for an administrator to authenticate each SCEP device manually when he or she receives an enrollment request. To use auto-enrollment, SCEP device administrators send enrollment requests that contain a challenge password (which the Enrollment Server for VPN administrator securely communicated to them) to Enrollment Server for VPN. The challenge password is validated by the auto-enrollment authorization library.
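The following is an added illustration, not Entrust's authorization library, of the checks such a library needs to perform on a SCEP challenge password before auto-enrollment is granted: the password is bound to the device name it was issued for, stored only as a salted hash, compared in constant time, expires, and is accepted exactly once. It assumes the caller has already extracted the challengePassword attribute from the device's PKCS #10 request; the class and method names are hypothetical.

```python
import hashlib
import hmac
import secrets
import time

# Hypothetical stand-in for an auto-enrollment authorization library:
# it issues a one-time SCEP challenge password per device and validates
# the password carried in the device's PKCS#10 request.
class ChallengePasswordAuthorizer:
    def __init__(self, ttl_seconds=3600):
        self.ttl = ttl_seconds
        self._issued = {}  # device subject -> (salt, digest, expiry time)

    def issue(self, subject, now=None):
        """Create a one-time challenge password bound to the device subject.
        The administrator communicates the returned value to the device
        administrator out of band; only its salted hash is kept here."""
        now = time.time() if now is None else now
        password = secrets.token_urlsafe(24)
        salt = secrets.token_bytes(16)
        digest = hashlib.sha256(salt + password.encode()).digest()
        self._issued[subject] = (salt, digest, now + self.ttl)
        return password

    def authorize(self, subject, challenge_password, now=None):
        """Return True once for a valid (subject, password) pair, else False."""
        now = time.time() if now is None else now
        entry = self._issued.get(subject)
        if entry is None:
            return False  # nothing issued for this device name
        salt, digest, expiry = entry
        if now > expiry:
            del self._issued[subject]
            return False  # expired: the administrator must re-issue
        candidate = hashlib.sha256(salt + challenge_password.encode()).digest()
        if not hmac.compare_digest(candidate, digest):
            return False  # wrong password; the entry remains until expiry
        del self._issued[subject]  # single use: a replayed request is refused
        return True
```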

Enrollment Server for VPN components

Enrollment Server for VPN consists of:

  • an interface that administrators can use to configure various options, enroll VPN devices, and revoke certificates
    This interface requires administrators to log in using their digital IDs.
  • an internal Web server that can accept SCEP certificate requests over HTTP
    You can choose to use an external Web server instead.
  • a Windows service component that enables automatic enrollment of SCEP devices without administrator intervention

The service requires a digital ID to secure the data between Enrollment Server for VPN and Entrust Authority Security Manager. This digital ID is used when processing SCEP requests.