Click 
on the upper‑right corner of the page.
Click Certificate Authority > Use Certificate Authority Server.
Note: The Use Certificate Authority Server button appears only when configuring the certificate authority for the first time, or when the certificate is deleted.
Configure the server endpoints.
- CA Server—The Certificate Authority (CA) server that generates the printer certificates. You can select either of the following:
- OpenXPKI CA
- Microsoft CA- Enterprise
Note: User can also configure a CA server which supports the Enrollment over Secure Transport (EST) protocol.
- CA Server Address—The IP address or host name of your CA server. This field is only applicable for SCEP and EST protocols.
Note: Type any of the following:
- For MSCA server (using SCEP): <Server IP Address or Hostname>/certsrv/mscep/mscep.dll
- For OpenXPKI server (using SCEP): <Server IP Address or Hostname>/scep/scep
- For EST, type any of the following:
- https://172.87.95.240
- https://estserver.com
- estserver.com
- CA Server Label (Optional)— If the user creates a new realm, the same realm name must be put in this field.
- CEP Server Address— This field is only applicable for the MSCEWS protocol.
Note: Type any of the following:
- For Username and Password Authentication: https://democep.com/ADPolicyProvider_CEP_UsernamePassword/service.svc/CEP
- For Windows Integrated Authentication: https://democep.com/ADPolicyProvider_CEP_Kerberos/service.svc/CEP
- For Client Certificate Authentication: https://democep.com/ADPolicyProvider_CEP_Certificate/service.svc/CEP
- CA Server Hostname—The host name of your CA server.
Note: For example, for MSCEWS protocol, user may select democa.lexmark.com
- CES Server Hostname—The host name of your CES server.
Note: For example, for MSCEWS protocol, user may select democes.lexmark.com
- Challenge Password—Challenge Password is required to assert the identity of MVE to the CA server. This password is only required for OpenXPKI CA. It is not supported in Microsoft CA Enterprise.
Note: Depending on your CA server, you must configure the server authentication mode. Do either of the following:
- If you select EST protocol, then from the CA Server Authentication Mode menu, select any of the following:
- Username and Password Authentication
- Client Certificate Authentication
- If you select MSCEWS protocol, then from the CA Server Authentication Mode menu, select any of the following:
- Username and Password Authentication
- Client Certificate Authentication
- Windows Integrated Authentication
- SCEP protocol only supports the Challenge Password authentication mode.
Note: Depending on your CA server, see any of the sections:
Click Save Changes and Validate > OK.
Notes:
- The Discard Changes option only works if the changes are not yet saved or saved and validated.
- User cannot recover data from an invalid configuration as MVE does not store the last valid state of any configuration. MVE only stores one single certificate configuration at a time, which may or may not be valid.
Notes:
- The connection between MVE and the CA servers must be validated. During validation, MVE communicates with the CA server to download the certificate chain and the Certificate Revocation List (CRL). The enrollment agent certificate or test certificate is also generated. This certificate enables the CA server to trust MVE.
- You can select one or multiple CEP templates when using MSCEWS protocol. Do the following:
After clicking Save Changes and Validate, the CEP Template Selection window appears.
Select one or more from the available templates.
- The Use Certificate Authority Server dialog fetches the certificate revocation list.
- A dialog confirms that certificate validation is successful.
You can see the selected CEP templates in the CA server configuration page.
Note: When you enforce this configuration to any device, a certificate is created according to the selected template.
Navigate back to the System Configuration page, and then review the CA certificate.
Note: You can also download or delete the CA certificate.