
Installing the new 2017 Entrust Trust Chain
OS: Default Windows Server 2016 Datacenter Edition running on Amazon Web Services EC2 using the Xen Hypervisor.
State: New server with all updates installed as of 2017-06-08
Audience: PKI experts running and managing the Carequality and/or eHealth Exchange gateway.
Summary: This document includes step-by-step instructions for installing the new 2017 Entrust FBCA Root and Intermediate certificate trust chain.
Below are screenshots of the default Windows certificate stores before any changes are made.
Any store for which no screenshot is shown is empty.
Steps to install the 2017 Entrust Intermediate and Root CA certificates:
Move the p7b file to the target server.
Compute the SHA-256 hash of the p7b file and compare it with the hash you received out of band from the provider to confirm the file's integrity. Do not continue if the hashes differ.
Open the p7b file in the Windows Certificate Manager.
It should look similar to the following:
Note the error in the figure above indicating that the certificate cannot be verified. This status should change as a result of the process described in this document.
Note the two errors in the figure above: 1) the root of the trust chain shows an "x" error icon, and 2) the associated description indicates that this certificate is not trusted. Both of these conditions should change by the end of this process.
Export the root certificate.
Now export the intermediate certificate in the same manner.
Note that the error in the dialog above shows that this certificate cannot be verified. That status should change later in the process.
Now import the new 2017 Entrust root certificate into the Trusted Root Certification Authorities store:
You should see one new certificate in Trusted Root Certification Authorities. In this case several other certificates, such as the "AddTrust External CA Root" certificate, were also added automatically by Windows through Microsoft's automatic root update mechanism. This is not germane to the current process.
Next import the Entrust 2017 intermediate certificate into the Intermediate Certification Authorities store.
You should now see a new certificate called "Entrust NFI Medium Assurance SSP CA" as shown below.
Verification:
Select the new "Entrust NFI Medium Assurance SSP CA" certificate and open it to inspect its properties.
Note above that the certificate no longer reports an error about the certification path.
The certification path should be as shown above. Also note that the status indicates "This certificate is OK" AND the red "x" icon next to the root CA certificate now shows normal status. If you see additional or different certificates in the path, please consult an authoritative expert on your PKI environment to determine whether the imported trust chain is appropriate for your environment.
Now open the new "Entrust Managed Services NFI Root CA" certificate and inspect it to ensure it matches the following three screenshots.
Note that no errors are displayed in the figure above.
The certification path should be as shown above. If you see additional or different certificates in the path, please consult an authoritative expert on your PKI environment to determine whether the imported trust chain is appropriate for your environment. Also note the absence of errors.