You must create an enrollment service for each CA that will issue certificates to the WSTEP endpoints. Entrust provides an InstallEnrollmentService.ps1 PowerShell script that allows you to create, edit, and remove enrollment services in Active Directory.

To run the script, you must use a Windows user account with Domain Admin and Enterprise Admin permissions.

An enrollment service requires a DER-encoded CA certificate from the issuing CA. The script will prompt you to provide the CA certificate when creating an enrollment service.

To create an enrollment service with the InstallEnrollmentService.ps1 script

  1. Log in to a Windows server that is joined to the Active Directory domain. It is recommended that you run the PowerShell script on a different server than the domain controller.
  2. From Entrust TrustedCare, download the PowerShell scripts for Certificate Enrollment Gateway.
  3. Extract the PowerShell scripts to a directory on the server.
  4. PowerShell scripts downloaded from the Internet may be blocked from running. To unblock a PowerShell script:
    1. Right-click the PowerShell script > Properties.
      A Properties dialog box appears.
    2. Under the General tab, click Unblock.
  5. Open an elevated PowerShell window. Select Start > Windows PowerShell, then right-click Windows PowerShell > Run as administrator.
  6. Navigate to the directory where you extracted the PowerShell scripts.
  7. Enter the following command to run the InstallEnrollmentService.ps1 script:

    .\InstallEnrollmentService.ps1

    The script validates the prerequisites and installs any missing Windows packages or features.

    The PowerShell script was tested on specific versions of PowerShell. When validating the prerequisites, the PowerShell version may be listed as Unverified; an "Unverified" version indicates that the script was not tested on that version of PowerShell. You can still use the script on an "Unverified" version of PowerShell. For example:

    Validating pre-requisites:
    Script-Mode: Windows
    Script Version: 1.5.1.19
    - Member of Domain: Verified
    - Domain Admins privileges: Verified
    - Enterprise Admins privileges: Verified
    - Windows Version: Verified (Microsoft Windows NT 10.0.17763.0)
    - PowerShell Version: Verified (5.1.17763.2931)
     
    ------------------------------------------------------------
    Validating ldifde is installed.
     
    ldifde.exe is installed.
     
    Validating Windows Feature RSAT-ADCS-Mgmt is installed
    Installing RSAT-ADCS-Mgmt
  8. The script prompts you to select a management option:

    Entrust Enrollment Service PowerShell
     
    Using this PowerShell script, Enrollments servers can be created, removed
    and Edited.
     
    Please select from the following options to continue :
    [N] New Service [E] Edit Service [Q] Quit [?] Help (default is "N"):

    Enter N to create a new enrollment service.

  9. The script prompts you to provide the distinguished name (DN) of the configuration context.

    Configuration Context DN
    Format : DC=Example,DC=com
    Configuration Context For Enrollment Service [Default: DC=example,DC=com]:

    Enter the DN of the configuration context for Active Directory. The default value is the configuration context of the Active Directory forest.

  10. The script prompts you to provide the host name for the enrollment service:

    Hostname for Enrollment Service
    Enrollment Service Hostname [Default: mmwin2019-2.example-ad.local]:

    Enter the fully qualified domain name (FQDN) for the enrollment service. The default host name is the FQDN of the local server.

  11. The script prompts you to provide a name for the enrollment service.

    Enrollment Service Name is required to continue configuration
    Enrollment Service Name [Default: Entrust WSTEP]:

    Enter a name for the enrollment service. When entering a name:

    • The name must be unique in the Active Directory forest.
    • The name must start with an alphanumeric character.
    • The name must contain only alphanumeric characters, spaces, hyphens, and underscores.
  12. The script prompts you to provide the CA certificate from the issuing Certificate Authority (CA).

    A der formatted certificate is required from the issuing CA.
    Please use the full pathname and filename.
    Example : C:\Users\admin\Downloads\cacert.der
    Provide the full path and filename for the issuing CA certificate to proceed:

    Enter the full path and file name of the certificate file. The CA certificate must be DER-encoded.

  13. The script parses the file contents, displays the certificate settings, then asks if you want to use the certificate. For example:

    Parsing Issuing CA cert for Subject DN.
    Issuing CA Subject DN : CN=Subordinate, OU=pki, O=Entrust
    Issuing CA Certificate Effective Date : 5/25/2021 2:52:36 PM
    Issuing CA Certificate Expiry Date : 5/23/2031 2:52:36 PM
    Use this CA Certificate? (y/n): y
    • To use the selected CA certificate and continue, enter y.
    • To go back and provide a different CA certificate, enter n.
  14. The script prompts you to select the initial Certificate Template to be associated with the enrollment service:

    Please select the initial Certificate Template to be associated
    with the Enrollment Service.
    The 'Template Name' cannot contain any spaces.
    Certificate Template [Default: User]:

    Enter the name of an existing Certificate Template to use as the initial Certificate Template for the enrollment service. The name cannot contain spaces.

  15. The script asks if you want to continue with the selected Certificate Template.

    Continue with User ? (y/n):
    • To continue with the selected initial Certificate Template for the enrollment service, enter y.
    • To go back and change the initial Certificate Template for the enrollment service, enter n.
  16. The script displays the information you provided for the enrollment service and asks if you want to continue. For example:

    Configuration Context DN : DC=example,DC=com
    Forest : example.com
    Local hostname as DNS Hostname : cegaddc.example.com
    Enrollment Service Name : Entrust WSTEP
    Issuing CA Der formatted Certificate : C:\EntrustPSScripts\ca.cer
    Issuing CA : CN=Subordinate, OU=pki, O=Entrust
    Certificate Template : User
     
    Continue with the above settings? (y/n):
    • To continue with the settings and add the enrollment service to Active Directory, enter y.
    • To go back and change all the settings for the enrollment service, enter n.
  17. The script prompts you to provide the name of a new access group:

    An Access group will be created for the Enrollment Service
     
    By default, Active Directory provides the following domain groups for users, computers, and domain controllers: Domain Users, Domain Computers, and Domain Controllers. Creating a custom domain group for your Entrust WSTEP clients ensures that only members of the custom domain group (your Windows-native clients) can request certificates.
     
    Configuring Access Group for example.com
     
     
    Access Group Name [Default: Entrust WSTEP Access]:

    By default, Active Directory provides the following domain groups for users, computers, and domain controllers: Domain Users, Domain Computers, and Domain Controllers. Creating a custom access group for your Windows-native clients ensures that only members of the custom access group (your Windows-native clients) can request certificates through the enrollment service.

    Enter a name for the new access group (by default, Entrust WSTEP Access).

  18. The script asks if you want to continue adding the new access group:

    Continue adding Access Group : Entrust WSTEP Access ? (y/n):
    • To add the access group to the forest and continue, enter y.
      The script waits 20 seconds to allow the group to propagate in Active Directory.

      Pausing for 20 seconds to allow for the group to propagate
      19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0
      Resuming
       
      Adding the Access group : Entrust WSTEP Access to the Enrollment Service : Entrust WSTEP
      Access Group example.com\Entrust WSTEP Access added to Enrollment Service : Entrust WSTEP
    • To go back and enter a new access group name, enter n.
  19. If the current domain is a top-level domain with subdomains, the script will ask if you want to set up an access group for enabling the enrollment service in one of the subdomains.
    • To add the access group to the subdomain, enter y.
    • To go back and enter a new access group name, enter n.
  20. The script asks if you want to configure enrollment server URLs using the script:

    Continue script to configure Enrollment Server URL(s) (y/n):
    • To continue and configure enrollment server URLs using the script, enter y.

      The script displays a list of enrollment servers for the configured enrollment service. By default, the list should be NULL (no enrollment servers for the enrollment service). For example:

      Enrollment Service Name : Entrust WSTEP
       
      NULL set of Enrollment servers.
    • To exit the script and configure the enrollment server URLs using the certutil utility later, enter n.
  21. If you chose to configure enrollment server URLs using the script, the script asks if you want to configure an enrollment URL for user name and password authentication:

    Configure UserName Enrollment URL ? (y/n):
    • To configure an enrollment URL for user name and password authentication, enter y.
    • To skip configuring an enrollment URL for user name and password authentication, enter n.
  22. If you chose to configure an enrollment URL for user name and password authentication:
    1. The script prompts you to enter an enrollment URL:

      Please enter the Enrollment Server URL :

      Enter the enrollment URL using the following format:

      https://<CEG-server>:443/wstep/usertoken/services/<tenant-ID>/<CA-ID>

      Where:

      • <CEG-server> is the hostname or IP address of the Certificate Enrollment Gateway server.
      • <tenant-ID> is the unique identifier of a tenant defined in Certificate Enrollment Gateway. The value is case-sensitive.
      • <CA-ID> is the CA ID of the Certificate Authority (CA) defined in CA Gateway that will issue certificates to the Windows endpoint.

      For example:

      https://cegserver1.example.com:443/wstep/usertoken/services/tenant1/example-ca1
    2. The script prompts you to specify the priority of the enrollment server:

      The URI for the enrollment server which has the lowest priority number as defined in the enrollment policy. If two enrollment servers have the same priority then
      a. The URI with the following authentication type is preferred in order:
      Kerberos, Anonymous, Username/Password cached in the vault or
      Client Auth Certificate cached in the vault, Username/Password or
      Client Auth Certificate.
      b. If all properties are equal then a URI is randomly selected.
       
      Please enter the Priority of this Enrollment URL [Default : 1]:

      If multiple enrollment servers are defined, then the priority determines which enrollment server is preferred. Enter the priority for the enrollment server.

    3. The script asks if the URL will be used for certificate renewal only:

      Will this URL be used for Renewal ONLY ? (y/n):
      • If the enrollment URL is for certificate renewal only, enter y.
      • If the enrollment URL is for certificate enrollment and renewal, enter n.

  23. If you chose to configure enrollment server URLs using the script, the script asks if you want to configure an enrollment URL for Kerberos (Windows integrated) authentication:

    Configure Kerberos Enrollment URL ? (y/n):
    • To configure an enrollment URL for Kerberos authentication, enter y.
    • To skip configuring an enrollment URL for Kerberos authentication, enter n.
  24. If you chose to configure an enrollment URL for Kerberos authentication:
    1. The script prompts you to enter an enrollment URL:

      Please enter the Enrollment Server URL :

      Enter the enrollment URL using the following format:

      https://<CEG-server>:443/wstep/kerberos/services/<tenant-ID>/<CA-ID>

      Where:

      • <CEG-server> is the hostname or IP address of the Certificate Enrollment Gateway server.
      • <tenant-ID> is the unique identifier of a tenant defined in Certificate Enrollment Gateway. The value is case-sensitive.
      • <CA-ID> is the CA ID of the Certificate Authority (CA) defined in CA Gateway that will issue certificates to the Windows endpoint.

      For example:

      https://cegserver1.example.com:443/wstep/kerberos/services/tenant1/example-ca1
    2. The script prompts you to specify the priority of the enrollment server:

      The URI for the enrollment server which has the lowest priority number as defined in the enrollment policy. If two enrollment servers have the same priority then
      a. The URI with the following authentication type is preferred in order:
      Kerberos, Anonymous, Username/Password cached in the vault or
      Client Auth Certificate cached in the vault, Username/Password or
      Client Auth Certificate.
      b. If all properties are equal then a URI is randomly selected.
       
      Please enter the Priority of this Enrollment URL [Default : 1]:

      If multiple enrollment servers are defined, then the priority determines which enrollment server is preferred. Enter the priority for the enrollment server.

    3. The script asks if the URL will be used for certificate renewal only:

      Will this URL be used for Renewal ONLY ? (y/n):
      • If the enrollment URL is for certificate renewal only, enter y.
      • If the enrollment URL is for certificate enrollment and renewal, enter n.

  25. The main menu reappears:

    Entrust Enrollment Service PowerShell
     
    Using this PowerShell script, Enrollments servers can be created, removed
    and Edited.
     
    Please select from the following options to continue :
    [N] New Service [E] Edit Service [Q] Quit [?] Help (default is "N"):

    To exit the script, enter Q.
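After the script has exited, the following added example (not part of Entrust's script or of this page) reads back the enrollment service object the script published and decodes each enrollment server entry, so the priority, authentication type and renewal-only answers given in steps 20 to 24 can be confirmed in Active Directory. It assumes the ActiveDirectory RSAT module is installed, that the object's CN equals the enrollment service name, and that the msPKI-Enrollment-Servers value layout and authentication flag values are as documented in MS-WCCE.

```powershell
# Added verification example; not InstallEnrollmentService.ps1 itself.
# Run in an elevated PowerShell window on a domain-joined server with
# read access to the Configuration partition.
Import-Module ActiveDirectory

# Assumption (MS-WCCE): each msPKI-Enrollment-Servers value is the string
# "priority`nauthType`nrenewalOnly`nURL", with authType flags
# 1 = anonymous, 2 = Kerberos, 4 = username/password, 8 = client certificate.
$AuthTypeNames = @{ 1 = 'Anonymous'; 2 = 'Kerberos'; 4 = 'UserNamePassword'; 8 = 'ClientCertificate' }

function ConvertFrom-EnrollmentServerEntry {
    param([Parameter(Mandatory)][string]$Entry)
    $parts = $Entry -split "`n"
    if ($parts.Count -lt 4) { throw "Unexpected msPKI-Enrollment-Servers value: $Entry" }
    [pscustomobject]@{
        Priority    = [int]$parts[0]
        AuthType    = $AuthTypeNames[[int]$parts[1]]
        RenewalOnly = ([int]$parts[2] -ne 0)
        # The script's URL formats use https; flag anything that does not.
        Https       = $parts[3].StartsWith('https://', [StringComparison]::OrdinalIgnoreCase)
        Url         = $parts[3]
    }
}

function Get-CegEnrollmentService {
    param([string]$Name = 'Entrust WSTEP')   # default name offered by the script
    # Enrollment services live under Public Key Services in the Configuration partition.
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $base = "CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNC"
    $svc = Get-ADObject -SearchBase $base `
        -LDAPFilter "(&(objectClass=pKIEnrollmentService)(cn=$Name))" `
        -Properties dNSHostName, certificateTemplates, cACertificateDN, 'msPKI-Enrollment-Servers'
    if (-not $svc) { throw "No enrollment service named '$Name' found under $base" }
    [pscustomobject]@{
        Name      = $svc.Name
        Host      = $svc.dNSHostName          # FQDN entered in step 10
        IssuingCA = $svc.cACertificateDN      # subject DN parsed from the DER file in step 13
        Templates = @($svc.certificateTemplates)   # initial template chosen in step 14
        Servers   = @($svc.'msPKI-Enrollment-Servers' | ForEach-Object { ConvertFrom-EnrollmentServerEntry $_ })
    }
}

$service = Get-CegEnrollmentService -Name 'Entrust WSTEP'
$service | Format-List Name, Host, IssuingCA, Templates
# An empty Servers list means step 20 was answered n and URLs still need to be configured.
$service.Servers | Sort-Object Priority | Format-Table Priority, AuthType, RenewalOnly, Https, Url -AutoSize
```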