By default, verification key pairs can only be generated by client applications of the CA. To enable PKCS #12 enrollment with client applications, verification keys must be server-generated, that is, generated by the CA.

See the Entrust Certificate Authority documentation for instructions on how to export the entmgr.ini file. 

To enable server-generated verification keys

  1. Export the entmgr.ini file using the Entrust Certificate Authority Control Command Shell. 
  2. Configure the following setting in the entmgr.ini file. 
    [policy]
    allowServerGenVerCert=true
  3. Save and close the file.
  4. Import the updated entmgr.ini file into the CA using the Entrust Certificate Authority Control Command Shell.
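
Step 2 can be applied to the exported copy with a small script that changes only the one setting and leaves every other line as exported. This is an added example, not Entrust code: the function name is hypothetical, and it assumes the exported entmgr.ini is plain text with `[section]` headers and `key=value` lines as shown in step 2. It does not perform the export or import steps.

```python
import re

SECTION = "policy"                # section name from step 2
KEY = "allowServerGenVerCert"     # setting name from step 2
WANTED = f"{KEY}=true"

def enable_server_gen_ver_cert(ini_text):
    """Return (new_text, changed); only the target line is added or rewritten."""
    eol = "\r\n" if "\r\n" in ini_text else "\n"
    lines = ini_text.splitlines()
    header = re.compile(r"^\s*\[(.+?)\]\s*$")
    # Assumption: key names are matched case-insensitively to avoid duplicates.
    setting = re.compile(rf"^\s*{re.escape(KEY)}\s*=\s*(.*?)\s*$", re.IGNORECASE)

    in_policy = False
    insert_at = None              # where the key goes if [policy] lacks it
    for i, line in enumerate(lines):
        m = header.match(line)
        if m:
            if in_policy:
                break             # reached the section after [policy]
            in_policy = m.group(1).strip().lower() == SECTION
            if in_policy:
                insert_at = i + 1
            continue
        if not in_policy:
            continue
        if line.strip():
            insert_at = i + 1     # keep the key above trailing blank lines
        s = setting.match(line)
        if s:
            if s.group(1) == "true":
                return ini_text, False        # already enabled, leave file alone
            lines[i] = WANTED
            return eol.join(lines) + eol, True
    if insert_at is None:
        lines += [f"[{SECTION}]", WANTED]     # no [policy] section at all
    else:
        lines.insert(insert_at, WANTED)
    return eol.join(lines) + eol, True

# Constructed sample; section and key names other than those in step 2 are placeholders.
SAMPLE = (
    "[example-section]\nplaceholderKey=1\n\n"
    "[policy]\nallowServerGenVerCert=false\n\n"
    "[another-section]\nplaceholderKey=2\n"
)

if __name__ == "__main__":
    updated, changed = enable_server_gen_ver_cert(SAMPLE)
    print("changed:", changed)
    print(updated, end="")
```

Comparing the script's output with the exported file before importing it in step 4 confirms that the `[policy]` setting is the only difference.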