For Entrust WSTEP to work alongside an existing Microsoft CA, you must change the Enrollment Policy ID to something unique. You can perform this operation using either PowerShell or the Windows graphical interface.

Assigning a unique Enrollment Policy Identifier with PowerShell

See below for assigning a policy identifier with the Windows PowerShell command-line shell.

To assign a unique Enrollment Policy Identifier using PowerShell

  1. Log in to the server hosting the Certificate Enrollment Policy Web Service.
  2. Open an elevated PowerShell window. Select Start > Windows PowerShell, then right-click Windows PowerShell > Run as administrator.
  3. Generate a unique identifier with the following command.

    [guid]::NewGuid()

    For example:

    PS C:\> [guid]::NewGuid()
    Guid
    ----
    1c84d0f5-0eb4-4189-9e8d-a02b5d4079bd
  4. Set the new identifier. For example:

    Set-WebConfigurationProperty -pspath "MACHINE/WEBROOT/APPHOST/Default Web Site/ADPolicyProvider_CEP_UsernamePassword" -filter "appSettings/add[@key='ID']" -name "value" -value "1c84d0f5-0eb4-4189-9e8d-a02b5d4079bd"
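The steps above as one script, which also records the previous ID and reads the new value back before IIS is restarted (the restart comes from the graphical procedure). This is an added example, not part of the Entrust documentation; the function name `Set-CepPolicyId` and its parameters are hypothetical, and it assumes the WebAdministration module is available on the server.

```powershell
# Added example (not Entrust's code). Function and parameter names are hypothetical.
Import-Module WebAdministration

function Set-CepPolicyId {
    param(
        # Selects one of the two application names used in this procedure.
        [ValidateSet('UsernamePassword', 'Kerberos')]
        [string]$AuthType = 'UsernamePassword',
        # Optional: supply the GUID yourself; otherwise a new one is generated.
        [guid]$PolicyId = [guid]::NewGuid(),
        [string]$Site = 'Default Web Site'
    )

    $app    = "ADPolicyProvider_CEP_$AuthType"
    $psPath = "MACHINE/WEBROOT/APPHOST/$Site/$app"
    $filter = "appSettings/add[@key='ID']"

    # Fail early if the application does not exist under this site.
    if (-not (Get-WebApplication -Site $Site -Name $app)) {
        throw "Application '$app' not found under '$Site'."
    }

    # Keep the previous value so the change can be recorded or reverted.
    $old = (Get-WebConfigurationProperty -PSPath $psPath -Filter $filter -Name 'value').Value

    Set-WebConfigurationProperty -PSPath $psPath -Filter $filter -Name 'value' -Value $PolicyId.ToString()

    # Read the setting back and confirm the write took effect.
    $current = (Get-WebConfigurationProperty -PSPath $psPath -Filter $filter -Name 'value').Value
    if ($current -ne $PolicyId.ToString()) {
        throw "ID for '$app' is '$current', expected '$PolicyId'."
    }

    [pscustomobject]@{ Application = $app; PreviousId = $old; NewId = $current }
}

# Run from an elevated session on the server hosting the service, then restart IIS.
Set-CepPolicyId -AuthType UsernamePassword
iisreset /restart
```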

Assigning a unique Enrollment Policy Identifier with the Windows graphical interface

See below for assigning a policy identifier with the Windows graphical interface tools.

To assign a unique Enrollment Policy Identifier using the Windows graphical interface

  1. Log in to the server hosting the Certificate Enrollment Policy Web Service.
  2. Open IIS Manager. Select Start > Windows Administrative Tools > Internet Information Services (IIS) Manager.
    The Internet Information Services (IIS) Manager dialog box appears. 
  3. In the Connections pane, expand Sites > Default Web Site.
  4. Select the name of the Certificate Enrollment Policy Web Service application.
    • If you configured user name and password authentication for the Certificate Enrollment Policy Web Service, the application name is ADPolicyProvider_CEP_UsernamePassword.
    • If you configured Kerberos (Windows integrated) authentication for the Certificate Enrollment Policy Web Service, the application name is ADPolicyProvider_CEP_Kerberos.
  5. If Application Settings is not available in the Features pane, run the following PowerShell command to install IIS Compatibility:

    PS C:\> Add-WindowsFeature -Name Web-Mgmt-Compat
  6. In the Features pane, double-click Application Settings. The Application Settings pane appears. 
  7. In the Application Settings pane, double-click on ID. The Edit Application Setting dialog box appears. 
  8. In the Value field of the Edit Application Setting dialog box, enter a unique identifier.
  9. Click OK.
  10. Restart IIS.
  11. If you already added the Certificate Enrollment Policy to the group policy, remove the group policy's service and add it again to use the new identifier.