In a WSTEP integration architecture, a Windows enrollment client can connect to a Domain Controller through the Certificate Enrollment Policy Web Service and request certificates from multiple Certification Authorities (CAs).

The following topics describe the components in the WSTEP integration architecture:

Certification Authority

A Certification Authority (CA) issues certificates to enrollment clients. Entrust CA Gateway can support multiple CAs, called Managed CAs. Each enrollment service object in the Domain Controller will connect to a single Certificate Enrollment Gateway instance and request a certificate from a single CA. To request certificates from multiple CAs, multiple enrollment services must be added to the Domain Controller.

Entrust CA Gateway

Entrust CA Gateway enables full certificate lifecycle management and operational management across all your Entrust-supported Certification Authorities (CAs). Each Entrust CA Gateway client can access one or several CAs. Certificate Enrollment Gateway will send certificate requests to Entrust CA Gateway. Entrust CA Gateway will forward the request to the intended Managed CA, and send the generated certificate back to Certificate Enrollment Gateway.

Entrust Certificate Enrollment Gateway

Each Entrust Certificate Enrollment Gateway instance can connect to multiple Entrust CA Gateway instances, granting access to one or more Certificate Authorities (CAs). Each enrollment service object in the Domain Controller will connect to a single Certificate Enrollment Gateway instance and request a certificate from a single CA. To request certificates from multiple CAs, multiple enrollment services must be added to the Domain Controller.

Cross-forest trust

For WSTEP enrollment, the Domain Controller can use Kerberos authentication to authenticate Windows enrollment clients. Cross-forest trust is a Windows Server feature that allows multiple Active Directory forests to trust each other. With cross-forest trust, a Domain Controller for one forest can use Kerberos V5 LDAP referrals to locate and authenticate enrollment clients that exist in a different forest. For more information about referrals, see the Microsoft documentation.

Domain Controller

A Domain Controller is a server computer hosting Active Directory Domain Services that is responsible for allowing host access to domain resources. The Domain Controller authenticates users, stores user account information, and enforces security policy for a domain.

For WSTEP enrollment, a Domain Controller requires the following objects:

  • A certificate enrollment service for each Certification Authority (CA) that will issue certificates to enrollment clients. Each enrollment service will connect to a single Certificate Enrollment Gateway (CEG) Service instance.
  • For cross-forest deployments, a crossRef object for each cross-forest domain you must support.
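The following PowerShell script is an added example, not part of the Entrust documentation, that inventories those two kinds of objects on a Domain Controller so you can confirm there is one enrollment service per CA (each pointing at a single CA and publishing an enrollment URI) and a crossRef for each cross-forest domain. It assumes the ActiveDirectory (RSAT) module, read access to the Configuration naming context, and the default container paths; the object classes and attribute names are the standard AD PKI schema.

```powershell
# Added example (not Entrust code): list the Domain Controller objects that
# WSTEP enrollment depends on. Assumes the ActiveDirectory module and the
# default Configuration-partition container paths.
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext
$esBase   = "CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNC"
$partBase = "CN=Partitions,$configNC"

# 1. Enrollment services: one pKIEnrollmentService object per issuing CA.
#    Each should name exactly one CA (cACertificateDN) and publish at least
#    one enrollment server URI in msPKI-Enrollment-Servers.
$services = Get-ADObject -SearchBase $esBase `
    -LDAPFilter '(objectClass=pKIEnrollmentService)' `
    -Properties dNSHostName, cACertificateDN, certificateTemplates, 'msPKI-Enrollment-Servers'

foreach ($svc in $services) {
    [pscustomobject]@{
        EnrollmentService = $svc.Name
        Host              = $svc.dNSHostName
        CA                = $svc.cACertificateDN
        Templates         = (@($svc.certificateTemplates) -join ', ')
        # Each msPKI-Enrollment-Servers value is a newline-separated record:
        # priority, authentication type, renewal-only flag, URI. Keep the URI.
        EnrollmentURIs    = (@($svc.'msPKI-Enrollment-Servers') |
                              ForEach-Object { ($_ -split "`n")[-1] }) -join '; '
    }
}

# 2. Cross-forest deployments: a crossRef object per supported domain.
#    Domain crossRefs carry nETBIOSName; the Configuration, Schema and DNS
#    application-partition crossRefs do not, so filter on that attribute.
Get-ADObject -SearchBase $partBase -LDAPFilter '(objectClass=crossRef)' `
    -Properties nCName, dnsRoot, nETBIOSName |
    Where-Object { $_.nETBIOSName } |
    Select-Object Name, nCName, dnsRoot, nETBIOSName
```

An enrollment service with an empty CA or no enrollment URI, or a cross-forest domain missing from the crossRef list, points to an object that still needs to be added or corrected before clients in that domain can enroll.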

Certificate Enrollment Policy Web Service

The Certificate Enrollment Policy Web Service allows enrollment clients to retrieve certificate enrollment policies from a Certification Authority (CA) when the clients are not permitted to access the Domain Controller. After receiving policy information from the Certificate Enrollment Policy Web Service, enrollment clients can then request a certificate from a certificate enrollment service.

The Windows server hosting the Certificate Enrollment Policy Web Service can be the Domain Controller or any other server in the domain. It is recommended that you install and configure the Certificate Enrollment Policy Web Service on a different server than the Domain Controller. The Certificate Enrollment Policy Web Service must be in the same forest as the Domain Controller hosting the certificate templates and enrollment services.

Enrollment clients

For WSTEP enrollment, an enrollment client is a Windows user or a machine that requires a certificate. Enrollment clients are either in a Windows Domain or connected to a Windows Domain. With cross-forest trust (see Cross-forest trust), enrollment clients from one forest can request a certificate from a Domain Controller in another forest.