To configure the migration from an WSTEP on-premises Enrollment Gateway to an Entrust-hosted Enrollment Gateway, follow the steps under Automating Windows Auto Enrollment (WSTEP) with an Entrust-hosted Enrollment Gateway. See below for specific considerations on each section.

It is recommended to keep the on-premises WSTEP Enrollment Gateway running until the Entrust-hosted WSTEP Enrollment Gateway is fully deployed and integrated within the Microsoft Active Directory forest.

Section

Considerations for migrating an on-premises deployment

Planning your WSTEP deployment

Determine the required number of PKIaaS Virtual Machines based on your current deployment.

WSTEP enrollment requirements

Determine the networking requirements based on your current deployment. Make any necessary adjustment to the DNS server and the firewall rules.

Configuring an Entrust PKIaaS issuing CA for WSTEP

You can skip this section as WSTEP is already configured for your on-premises deployment. 

Preparing the Active Directory forest for WSTEP

Repeat Creating a PKIaaS WSTEP Service Account for each root Active Directory in every Microsoft Active Directory forest. It is recommended to create a new service account for the Entrust-hosted WSTEP Enrollment Gateway to allow the existing on-premises WSTEP Enrollment Gateway to continue functioning until decommissioned.

You can skip Installing the default set of Microsoft Certificate Templates as the certificate templates should already exist for each Microsoft Active Directory forest.

Repeat Setting up LDAPS on domain controllers across the entire Microsoft Active Directory forest. In contrast, the on-premises WSTEP Enrollment Gateway requires LDAPS TLS certificates to be configured only on the root Active Directory domain controllers.

Configuring PKIaaS Virtual Machines on the PKIaaS portal

Complete all the steps. When Configuring an Active Directory in the agent, ensure the selected Certificate Authority matches the one used for the on-premises WSTEP Enrollment Gateway.

Enabling WSTEP for users and devices

Do not reuse the Group Policy Object (GPO) of the on-premises WSTEP Enrollment Gateway. Instead, complete all the steps to:

  1. Create a new GPO.
  2. Apply the GPO to single a test user.
  3. Complete the migration testing.
  4. Apply the GPO across the entire forest.
  5. Unlink the the existing GPO for the on-premises WSTEP Enrollment Gateway.

This will allow rolling back the process, if needed.

When completing these configuration steps, perform the following cleanup steps.

Cleaning up the Windows domain after migrating WSTEP to an Entrust-hosted Enrollment Gateway

Perform the follow steps in your Windows domain to complete the migration.

To clean up the Windows domain after migration

  1. Remove all Group Policy Objects (GPOs) for the on-premises WSTEP Enrollment Gateway
  2. Run the following command to force a group policy update. 

    gpupdate /force 
  3. In the root domains of the Microsoft Active Directory forests, delete the WSTEP Service account for the on-premises WSTEP Enrollment Gateway.
  4. Turn off the Microsoft servers with the Certificate Enrollment Policy (CEP) service. If these are virtual machines, you can delete them.
  5. Open the ADSI Edit console and remove the Enrollment Service for the on-premises WSTEP Enrollment Gateway.

Cleaning up Entrust Deployment Manager after migrating WSTEP to an Entrust-hosted Enrollment Gateway

The required cleanup operations on Entrust Deployment Manager vary depending on the following situations.

  • The on-premises Entrust Enrollment Gateway runs other enrollment protocols such as ACME, MDM, Intune or SCEP.
  • The Entrust Deployment Manager cluster hosts other solutions such as Certificate Hub or CA Gateway.

See the table below for the required cleanup actions to be performed on every Entrust Deployment Manager cluster.

Enrollment protocols

Other solutions

Cleanup actions

WSTEP

(tick)

Run the following command to delete the ceg namespace from Entrust Deployment Manager.

sudo kubectl delete namespace ceg

This operation will keep the configuration and the license in case you need to redeploy.

WSTEP

(error)

You can shut-down or delete the nodes of the Entrust Deployment Manager cluster.

WSTEP and other protocols

(tick)

Do nothing.

WSTEP and other protocols

(error)

Do nothing.