To configure the migration from a WSTEP on-premises Enrollment Gateway to an Entrust-hosted Enrollment Gateway, follow the steps under Automating Windows Auto Enrollment (WSTEP) with an Entrust-hosted Enrollment Gateway. See below for specific considerations on each section.
It is recommended to keep the on-premises WSTEP Enrollment Gateway running until the Entrust-hosted WSTEP Enrollment Gateway is fully deployed and integrated within the Microsoft Active Directory forest.
Considerations for migrating an on-premises deployment, listed in the order of the sections of that procedure:
- Determine the required number of PKIaaS Virtual Machines based on your current deployment.
- Determine the networking requirements based on your current deployment. Make any necessary adjustments to the DNS server and the firewall rules.
- You can skip this section as WSTEP is already configured for your on-premises deployment.
- Repeat Creating a PKIaaS WSTEP Service Account for each root Active Directory in every Microsoft Active Directory forest. It is recommended to create a new service account for the Entrust-hosted WSTEP Enrollment Gateway to allow the existing on-premises WSTEP Enrollment Gateway to continue functioning until decommissioned.
- You can skip Installing the default set of Microsoft Certificate Templates as the certificate templates should already exist for each Microsoft Active Directory forest.
- Repeat Setting up LDAPS on domain controllers across the entire Microsoft Active Directory forest. In contrast, the on-premises WSTEP Enrollment Gateway requires LDAPS TLS certificates to be configured only on the root Active Directory domain controllers.
- Complete all the steps. When Configuring an Active Directory in the agent, ensure the selected Certificate Authority matches the one used for the on-premises WSTEP Enrollment Gateway.
- Do not reuse the Group Policy Object (GPO) of the on-premises WSTEP Enrollment Gateway. Instead, complete all the steps to:
  This will allow rolling back the process, if needed.
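The Entrust-hosted gateway needs LDAPS on every domain controller in the forest, not just the root domain, so a forest-wide check before cutover saves a failed enrollment later. The following PowerShell script is an added example, not part of the Entrust documentation: it enumerates every domain controller through the ActiveDirectory RSAT module, opens a TLS session on TCP 636, and reports whether the presented certificate is unexpired, chains to a root trusted on the machine running the check, and names the controller's FQDN. The port, timeout and the "Ok" rule are choices made for this example.

```powershell
# Added example (not part of the Entrust documentation): check that every domain
# controller in the forest answers LDAPS on TCP 636 with a certificate that is
# unexpired, chains to a trusted root on this machine, and names the DC's FQDN.
# Assumes the ActiveDirectory RSAT module and that the caller can read the forest.
param(
    [int]$Port = 636,        # LDAPS; a choice for this example
    [int]$TimeoutMs = 5000   # connect timeout; a choice for this example
)

Import-Module ActiveDirectory -ErrorAction Stop

function Test-LdapsEndpoint {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs)

    $r = [ordered]@{
        Host = $HostName; Reachable = $false; Subject = $null; NotAfter = $null
        NameMatches = $false; ChainValid = $false; Ok = $false; Error = $null
    }
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            throw "TCP connect to ${HostName}:${Port} timed out after ${TimeoutMs} ms"
        }
        $client.EndConnect($async)
        $r.Reachable = $true

        # Accept any certificate during the handshake so it can be inspected;
        # the chain and name checks below decide Ok, not this callback.
        $acceptAll = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

        $r.Subject  = $cert.Subject
        $r.NotAfter = $cert.NotAfter
        # DnsNameList is added by PowerShell and covers the SAN dNSName entries,
        # which is where clients look for the controller's name.
        $r.NameMatches = [bool]($cert.DnsNameList.Unicode -contains $HostName)
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $r.ChainValid = $chain.Build($cert)
        $r.Ok = $r.NameMatches -and $r.ChainValid -and ($cert.NotAfter -gt (Get-Date))
        $ssl.Dispose()
    }
    catch {
        $r.Error = $_.Exception.Message
    }
    finally {
        $client.Dispose()
    }
    [pscustomobject]$r
}

# Walk every domain in the forest; the hosted gateway talks to all of them.
$forest = Get-ADForest
$results = foreach ($domain in $forest.Domains) {
    foreach ($dc in Get-ADDomainController -Filter * -Server $domain) {
        Test-LdapsEndpoint -HostName $dc.HostName -Port $Port -TimeoutMs $TimeoutMs
    }
}

$results | Format-Table Host, Reachable, NameMatches, ChainValid, NotAfter, Error -AutoSize
$bad = @($results | Where-Object { -not $_.Ok })
if ($bad.Count -gt 0) {
    Write-Warning "$($bad.Count) domain controller(s) are not ready for LDAPS; fix these before cutting over."
    exit 1
}
```

Run it from a domain-joined host whose trust store already contains the issuing CA of the domain controller certificates; otherwise ChainValid is false for every controller even though the certificates are fine, so check where the script is run before reading its verdict.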
After completing these configuration steps, perform the following cleanup steps.
Cleaning up the Windows domain after migrating WSTEP to an Entrust-hosted Enrollment Gateway
Perform the following steps in your Windows domain to complete the migration.
To clean up the Windows domain after migration
- Remove all Group Policy Objects (GPOs) for the on-premises WSTEP Enrollment Gateway
Run the following command to force a group policy update.
gpupdate /force
- In the root domains of the Microsoft Active Directory forests, delete the WSTEP Service account for the on-premises WSTEP Enrollment Gateway.
- Turn off the Microsoft servers with the Certificate Enrollment Policy (CEP) service. If these are virtual machines, you can delete them.
- Open the ADSI Edit console and remove the Enrollment Service for the on-premises WSTEP Enrollment Gateway.
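The four cleanup steps above can be carried out from one PowerShell session and, more importantly, previewed before anything is deleted. The script below is an added example, not Entrust's own tooling: it removes the old GPO from every domain, refreshes policy on the local machine, deletes the old service account in the forest root domain, and removes the Enrollment Service object that ADSI Edit shows under CN=Enrollment Services,CN=Public Key Services,CN=Services in the Configuration partition. The GPO name, service account name and Enrollment Service CN are assumed values to be replaced with your own; the script assumes the ActiveDirectory and GroupPolicy RSAT modules and is run once per forest. Turning off the CEP servers is done outside Active Directory and is left as a manual step.

```powershell
# Added example (not part of the Entrust documentation): carry out the Windows
# domain cleanup for the retired on-premises WSTEP Enrollment Gateway, previewing
# first. Run once per forest with the ActiveDirectory and GroupPolicy RSAT modules.
# Nothing is deleted unless the ShouldProcess prompts are answered (or -Confirm:$false
# is given); -WhatIf prints the plan only.
[CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
param(
    [string]$GpoName = 'OnPrem WSTEP Enrollment Gateway',   # assumed GPO name
    [string]$ServiceAccount = 'svc-wstep-onprem',           # assumed sAMAccountName
    [string]$EnrollmentServiceName = 'OnPrem-WSTEP-CES'     # assumed CN under Enrollment Services
)

Import-Module ActiveDirectory, GroupPolicy -ErrorAction Stop
$forest = Get-ADForest
$root = $forest.RootDomain

# 1. Remove the on-premises gateway's GPO from every domain it exists in, then
#    refresh policy on this computer (other members refresh on their own schedule).
foreach ($domain in $forest.Domains) {
    $gpo = Get-GPO -Name $GpoName -Domain $domain -ErrorAction SilentlyContinue
    if ($gpo -and $PSCmdlet.ShouldProcess("$GpoName in $domain", 'Remove GPO')) {
        Remove-GPO -Guid $gpo.Id -Domain $domain -Confirm:$false
    }
}
if (-not $WhatIfPreference) {
    gpupdate /force | Out-Null
}

# 2. Delete the old WSTEP service account in the forest root domain.
$acct = Get-ADUser -Filter "sAMAccountName -eq '$ServiceAccount'" -Server $root -ErrorAction SilentlyContinue
if ($acct -and $PSCmdlet.ShouldProcess("$ServiceAccount in $root", 'Remove service account')) {
    Remove-ADUser -Identity $acct -Server $root -Confirm:$false
}

# 3. Remove the Enrollment Service object registered for the on-premises gateway.
#    ADSI Edit shows these objects in the Enrollment Services container of the
#    Configuration partition; the CN to match is an assumption for this example.
$configNC  = (Get-ADRootDSE -Server $root).configurationNamingContext
$container = "CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNC"
$svc = Get-ADObject -SearchBase $container -SearchScope OneLevel -Server $root `
    -Filter "cn -eq '$EnrollmentServiceName'" -Properties dNSHostName
if ($svc -and $PSCmdlet.ShouldProcess("$($svc.DistinguishedName) (host $($svc.dNSHostName))", 'Remove Enrollment Service')) {
    Remove-ADObject -Identity $svc -Server $root -Confirm:$false
}
```

Run it first with -WhatIf and read the printed targets: the Enrollment Service line includes the dNSHostName of the object, which should be the retired on-premises CEP/CES host and never the Entrust-hosted endpoint. Only after that matches expectations should the script be run without -WhatIf.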
Cleaning up Entrust Deployment Manager after migrating WSTEP to an Entrust-hosted Enrollment Gateway
The required cleanup operations on Entrust Deployment Manager vary depending on the following situations.
- The on-premises Entrust Enrollment Gateway runs other enrollment protocols such as ACME, MDM, Intune or SCEP.
- The Entrust Deployment Manager cluster hosts other solutions such as Certificate Hub or CA Gateway.
See the table below for the required cleanup actions to be performed on every Entrust Deployment Manager cluster.
Enrollment protocols | Other solutions | Cleanup actions |
---|---|---|
WSTEP | | Run the following command to delete the ceg namespace: sudo kubectl delete namespace ceg. This operation keeps the configuration and the license in case you need to redeploy. |
WSTEP | | You can shut down or delete the nodes of the Entrust Deployment Manager cluster. |
WSTEP and other protocols | | Do nothing. |