Entrust provides an InstallEnrollmentService.ps1 PowerShell script that allows you to create, edit, and remove enrollment services in Active Directory. When editing an enrollment service in Active Directory, you can update the enrollment URLs assigned to the enrollment service. When updating the enrollment URLs assigned to an enrollment service, you can:
- List all the enrollment URLs that are assigned to the enrollment service.
- Add an enrollment URL to the enrollment service.
- Remove one or all enrollment URLs from the enrollment service.
To run the script, you must use a Windows user account that is a member of both the Domain Admins and Enterprise Admins groups. The script verifies this membership when it validates its prerequisites.
To update the enrollment URLs for an enrollment service using the InstallEnrollmentService.ps1 script:
- Open an elevated PowerShell window. Select Start > Windows PowerShell, then right-click Windows PowerShell > Run as administrator.
- Navigate to the directory where you extracted the PowerShell scripts.
- Enter the following command to run the InstallEnrollmentService.ps1 script:
.\InstallEnrollmentService.ps1
The script validates the prerequisites and installs any missing Windows packages or features.
The PowerShell script was tested on specific versions of PowerShell. When validating the prerequisites, the PowerShell version may be listed as Unverified. An "Unverified" version of PowerShell indicates that the script was not tested on that version of PowerShell. You can still use the script on an "Unverified" version of PowerShell.
For example:
Validating pre-requisites:
Script-Mode: Windows
Script Version: 1.5.1.19
- Member of Domain: Verified
- Domain Admins privileges: Verified
- Enterprise Admins privileges: Verified
- Windows Version: Verified (Microsoft Windows NT 10.0.17763.0)
- PowerShell Version: Verified (5.1.17763.2931)
------------------------------------------------------------
Validating ldifde is installed.
ldifde.exe is installed.
Validating Windows Feature RSAT-ADCS-Mgmt is installed
Installing RSAT-ADCS-Mgmt
The script prompts you to select a management option:
Entrust Enrollment Service PowerShell
Using this PowerShell script, Enrollments servers can be created, removed
and Edited.
Please select from the following options to continue :
[N] New Service [E] Edit Service [Q] Quit [?] Help (default is "N"):
Enter E to edit an existing enrollment service. If more than one enrollment service is defined in Active Directory, the script displays the list of enrollment services and asks you to select one of the enrollment services:
Select from the following List of defined Enrollment Services :
Index Enrollment Service Name
----- -----------------------
1     CEG WSTEP
2     Entrust WSTEP
Please select the Index to select an Enrollment Service. 0 to quit.:
Enter the number associated with the enrollment service you want to edit. If only one enrollment service exists, that service is automatically selected by the script.
The script displays the currently-selected enrollment service, and prompts you to choose from a list of options:
Currently Selected Enrollment Service : Entrust WSTEP
Choose from the following Options:
[E] Edit [R] Remove [P] Previous [?] Help (default is "E"):
Enter E to edit the selected service. The script prompts you to select an edit option:
Updating Enrollment Service : Entrust WSTEP
Menu to select between:
Updating the Enrollment Service URL(s)
Updating the Security Groups for the Enrollment Service.
Choose from the following Options:
[U] Update URL(s) [S] Update Security Group(s) [P] Previous [?] Help (default is "U"):
Enter U to update the enrollment URLs. The script asks you to select an update option:
Editing the URL(s) for Enrollment Service : Entrust WSTEP
Choose from the following Options:
[A] Add URL [D] Delete URL [L] List URL [P] Previous [?] Help (default is "L"):
- To list all enrollment URLs for the enrollment service, enter L.
- To delete an enrollment URL from the enrollment service, enter D.
- To add an enrollment URL to the enrollment service, enter A.
If you chose to list the enrollment URLs for the enrollment service, the script displays information about each enrollment URL for the enrollment service. For example:
Enrollment Service Name : Entrust WSTEP
Priority : 1
Auth Type : UserName
Renewal Only : 0
URL : https://cegserver1.example.com:443/wstep/usertoken/services/tenant1/example-ca1
For each URL, the script displays the following information:
- Priority displays the priority of the enrollment server. If multiple enrollment servers are defined, then the priority determines which enrollment server is preferred: the server with the lowest priority number is preferred.
- Auth Type displays the authentication type, either UserName for user name and password authentication, or Kerberos for Kerberos authentication (integrated Windows authentication).
- Renewal Only indicates if the enrollment URL is for certificate renewal only. 1 indicates that the enrollment URL is for certificate renewal only. 0 indicates that the enrollment URL is for both certificate enrollment and renewal.
- URL displays the enrollment URL.
- If you chose to delete an enrollment URL from the enrollment service:
The script displays a list of enrollment URLs and asks you to select which URL to remove:
Selected Enrollment Service Name : Entrust WSTEP
Retrieving URl(s) from AD.
Index URL
----- ------------------------------------------------------------------
1 https://cegserver1.example.com:443/wstep/usertoken/services/tenant1/example-ca1
Select the URL to remove. -1 to remove all, 0 to quit.:
To remove a specific enrollment URL, enter the number associated with the URL in the list.
To remove all enrollment URLs, enter -1.
To go back without removing any enrollment URLs, enter 0.
The script asks you to confirm the removal of the URL or URLs. For example:
https://cegserver1.example.com:443/wstep/usertoken/services/tenant1/example-ca1 is slated to be removed
Continue with removal of URL (y/n)?:
To confirm that you want to remove the URL, enter y. To cancel the removal, enter n.
If you chose to add an enrollment URL to the enrollment service, the script asks if you want to configure an enrollment URL for user name and password authentication:
Configure UserName Enrollment URL ? (y/n):
- To configure an enrollment URL for user name and password authentication, enter y.
- To skip configuring an enrollment URL for user name and password authentication, enter n.
- If you chose to add an enrollment URL for user name and password authentication:
The script prompts you to enter an enrollment URL:
Please enter the Enrollment Server URL :
Enter the enrollment URL using the following format:
https://<CEG-server>:443/wstep/usertoken/services/<tenant-ID>/<CA-ID>
Where:
- <CEG-server> is the hostname or IP address of the Certificate Enrollment Gateway server.
- <tenant-ID> is the unique identifier of a tenant defined in Certificate Enrollment Gateway. The value is case-sensitive.
- <CA-ID> is the CA ID of the Certificate Authority (CA) defined in CA Gateway that will issue certificates to the Windows endpoint.
For example:
https://cegserver1.example.com:443/wstep/usertoken/services/tenant1/example-ca1
The script prompts you to specify the priority of the enrollment server:
The URI for the enrollment server which has the lowest priority number as defined in the enrollment policy. If two enrollment servers have the same priority then
a. The URI with the following authentication type is preferred in order:
Kerberos, Anonymous, Username/Password cached in the vault or
Client Auth Certificate cached in the vault, Username/Password or
Client Auth Certificate.
b. If all properties are equal then a URI is randomly selected.
Please enter the Priority of this Enrollment URL [Default : 1]:
If multiple enrollment servers are defined, then the priority determines which enrollment server is preferred; the server with the lowest priority number is preferred, and equal priorities are resolved by the authentication type order shown in the prompt. Enter the priority for the enrollment server.
The script asks if the URL will be used for certificate renewal only:
Will this URL be used for Renewal ONLY ? (y/n):
If the enrollment URL is for certificate renewal only, enter y. If the enrollment URL is for certificate enrollment and renewal, enter n.
The script displays information about the enrollment URL and asks if you want to continue:
Enrollment Service : Entrust WSTEP
Authentication Type : UserName
Enrollment URL : https://cegserver1.example.com:443/wstep/usertoken/services/tenant1/example-ca1
Priority : 1
Modifiers :
Continue with above settings? (y/n):
To continue and add the enrollment URL, enter y. To go back and re-enter information about the enrollment URL, enter n.
If you chose to add an enrollment URL to the enrollment service, the script asks if you want to configure an enrollment URL for Kerberos (Windows integrated) authentication:
Configure Kerberos Enrollment URL ? (y/n):
- To configure an enrollment URL for Kerberos authentication, enter y.
- To skip configuring an enrollment URL for Kerberos authentication, enter n.
- If you chose to add an enrollment URL for Kerberos authentication:
The script prompts you to enter an enrollment URL:
Please enter the Enrollment Server URL :
Enter the enrollment URL using the following format:
https://<CEG-server>:443/wstep/kerberos/services/<tenant-ID>/<CA-ID>
Where:
- <CEG-server> is the hostname or IP address of the Certificate Enrollment Gateway server.
- <tenant-ID> is the unique identifier of a tenant defined in Certificate Enrollment Gateway. The value is case-sensitive.
- <CA-ID> is the CA ID of the Certificate Authority (CA) defined in CA Gateway that will issue certificates to the Windows endpoint.
For example:
https://cegserver1.example.com:443/wstep/kerberos/services/tenant1/example-ca1
The script prompts you to specify the priority of the enrollment server:
The URI for the enrollment server which has the lowest priority number as defined in the enrollment policy. If two enrollment servers have the same priority then
a. The URI with the following authentication type is preferred in order:
Kerberos, Anonymous, Username/Password cached in the vault or
Client Auth Certificate cached in the vault, Username/Password or
Client Auth Certificate.
b. If all properties are equal then a URI is randomly selected.
Please enter the Priority of this Enrollment URL [Default : 1]:
If multiple enrollment servers are defined, then the priority determines which enrollment server is preferred; the server with the lowest priority number is preferred, and equal priorities are resolved by the authentication type order shown in the prompt. Enter the priority for the enrollment server.
The script asks if the URL will be used for certificate renewal only:
Will this URL be used for Renewal ONLY ? (y/n):
If the enrollment URL is for certificate renewal only, enter y. If the enrollment URL is for certificate enrollment and renewal, enter n.
The script displays information about the enrollment URL and asks if you want to continue:
Enrollment Service : Entrust WSTEP
Authentication Type : Kerberos
Enrollment URL : https://cegserver1.example.com:443/wstep/kerberos/services/tenant1/example-ca1
Priority : 1
Modifiers :
Continue with above settings? (y/n):
To continue and add the enrollment URL, enter y. To go back and re-enter information about the enrollment URL, enter n.
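The selection rules quoted in the priority prompt, the URL format given for both authentication types, and the fields shown by the List URL option, brought together as an added PowerShell example. This is not part of the Entrust documentation or of the InstallEnrollmentService.ps1 script, and it does not read or write Active Directory. It checks candidate URLs against the documented pattern, derives the authentication type from the path segment, and picks the URL a client would prefer: lowest priority number first, the documented authentication-type order on a tie, and a random choice when everything is equal. The sample records, the second server hostname cegserver2.example.com, the function names and the labels used for the authentication types the script does not create are all constructed for this example.

```powershell
# Added example; not the Entrust script. Models the records shown by "List URL"
# (Priority, Auth Type, Renewal Only, URL) and applies the selection rules quoted
# in the priority prompt. Does not read or write Active Directory.
Set-StrictMode -Version Latest

# Tiebreak order for equal priority, as quoted in the script's prompt
# (most preferred first). The script on this page only creates UserName and
# Kerberos URLs; the other names are labels chosen here for the remaining types.
$AuthPreference = @(
    'Kerberos',
    'Anonymous',
    'CachedUserName',    # Username/Password cached in the vault
    'CachedClientCert',  # Client Auth Certificate cached in the vault
    'UserName',
    'ClientCert'
)

function Test-EnrollmentUrl {
    # Checks a URL against the documented format
    # https://<CEG-server>:443/wstep/<usertoken|kerberos>/services/<tenant-ID>/<CA-ID>
    # and returns its parts, or $null if it does not match.
    param([Parameter(Mandatory)][string]$Url)
    $pattern = '^https://(?<host>[A-Za-z0-9.\-]+):443/wstep/(?<auth>usertoken|kerberos)/services/(?<tenant>[^/]+)/(?<ca>[^/]+)$'
    $m = [regex]::Match($Url, $pattern)
    if (-not $m.Success) { return $null }
    # The path segment fixes the authentication type the script records for the URL.
    $authType = if ($m.Groups['auth'].Value -eq 'kerberos') { 'Kerberos' } else { 'UserName' }
    return [pscustomobject]@{
        Url      = $Url
        Server   = $m.Groups['host'].Value
        AuthType = $authType
        TenantId = $m.Groups['tenant'].Value   # case-sensitive, per the text
        CaId     = $m.Groups['ca'].Value
    }
}

function Select-EnrollmentUrl {
    # Returns the record a client would prefer from a set of enrollment URL records.
    param(
        [Parameter(Mandatory)][object[]]$Entries,  # Priority, AuthType, RenewalOnly, URL
        [switch]$Renewal                           # set when the client is renewing
    )
    # A "Renewal Only" URL (RenewalOnly = 1) is not a candidate for initial enrollment.
    $candidates = @($Entries | Where-Object { $Renewal -or $_.RenewalOnly -eq 0 })
    if ($candidates.Count -eq 0) { return $null }
    # Rule 1: the lowest priority number wins.
    $lowest = ($candidates | Measure-Object -Property Priority -Minimum).Minimum
    $tied = @($candidates | Where-Object { $_.Priority -eq $lowest })
    # Rule 2a: on a tie, rank by the documented authentication order; unknown types last.
    $ranked = @($tied | Sort-Object -Property @{ Expression = {
        $i = $AuthPreference.IndexOf($_.AuthType)
        if ($i -lt 0) { [int]::MaxValue } else { $i }
    } })
    $top = @($ranked | Where-Object { $_.AuthType -eq $ranked[0].AuthType })
    # Rule 2b: everything equal, so pick one at random.
    return ($top | Get-Random)
}

# Constructed sample in the shape of the "List URL" output. cegserver2 is hypothetical.
$sample = @(
    [pscustomobject]@{ Priority = 1; AuthType = 'UserName'; RenewalOnly = 0
                       URL = 'https://cegserver1.example.com:443/wstep/usertoken/services/tenant1/example-ca1' }
    [pscustomobject]@{ Priority = 1; AuthType = 'Kerberos'; RenewalOnly = 0
                       URL = 'https://cegserver1.example.com:443/wstep/kerberos/services/tenant1/example-ca1' }
    [pscustomobject]@{ Priority = 2; AuthType = 'Kerberos'; RenewalOnly = 1
                       URL = 'https://cegserver2.example.com:443/wstep/kerberos/services/tenant1/example-ca1' }
)

# Sanity check each record: the URL must match the documented format, and its
# path must agree with the recorded Auth Type.
foreach ($e in $sample) {
    $parsed = Test-EnrollmentUrl -Url $e.URL
    if ($null -eq $parsed) { Write-Warning "Malformed enrollment URL: $($e.URL)"; continue }
    if ($parsed.AuthType -ne $e.AuthType) {
        Write-Warning "Auth Type $($e.AuthType) does not match the path of $($e.URL)"
    }
}

(Select-EnrollmentUrl -Entries $sample).URL
(Select-EnrollmentUrl -Entries $sample -Renewal).URL
```

With this sample, both calls return the Kerberos URL on cegserver1: the UserName URL loses the priority-1 tie on authentication type, and the renewal-only URL on cegserver2 is excluded outright for initial enrollment and, for renewal, only becomes the choice when no priority-1 URL remains. The practical consequence when you add a second CEG server for the same tenant and CA is that the priority you enter at the script's prompt decides whether it is a fallback (higher number) or a peer whose selection is settled by authentication type (same number), and the sanity check catches the case where a URL was added under the wrong authentication option for its path.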
- To exit the script after updating the enrollment URLs:
Keep entering P to return to a previous menu until you return to the main menu:
Entrust Enrollment Service PowerShell
Using this PowerShell script, Enrollments servers can be created, removed
and Edited.
Please select from the following options to continue :
[N] New Service [E] Edit Service [Q] Quit [?] Help (default is "N"):
- Enter Q to exit the script.