On the server hosting the Certificate Enrollment Policy Web Service, the TLS certificate installed on Microsoft IIS is irrelevant to Certificate Enrollment Gateway. Instead, what matters is that the issuing certificate chain is trusted by all devices on the domain, along with any non-domain WSTEP client.

• If you are integrating Certificate Enrollment Gateway with an existing Windows domain, this domain already has trusted TLS certificates, and you can skip this section.
• If you are integrating a new Windows domain, follow the steps below to install the TLS certificate chain.

This section contains the following topics:

• Obtaining the CA certificates
• Installing the CA certificates in the Active Directory domain