Entrust PKI Hub 1.0 - Installation and Administration Guide [PDF]

Entrust provides an InstallEnrollmentService.ps1 PowerShell script that allows you to create, edit, and remove enrollment services in Active Directory. When editing an enrollment service in Active Directory, you can update the security groups (access groups) assigned to the enrollment service. When updating the security groups assigned to an enrollment service, you can:

List all the security groups that are assigned to the enrollment service.
Add a security group to the enrollment service.
Remove a security group from to the enrollment service.

To run the script, you must use a Windows user account with Domain Admin and Enterprise Admin permissions.

To update the security groups for an enrollment service using the InstallEnrollmentService.ps1 script

Open an elevated PowerShell window. Select Start > Windows PowerShell, then right-click Windows PowerShell > Run as administrator.
Navigate to the directory where you extracted the PowerShell scripts.
Enter the following command to run the InstallEnrollmentService.ps1 script:

.\InstallEnrollmentService.ps1

The script validates the pre-requisites and installs any missing Windows packages or features. For example:
The PowerShell script was tested on specific versions of PowerShell. When validating the prerequisites, the PowerShell version my be listed as Unverified, an "Unverified" version of PowerShell indicates that the script was not tested on that version of PowerShell. You can still use the script on an "Unverified" version of PowerShell.

Validating pre-requisites:

Script-Mode: Windows

Script Version: 1.5.1.19

- Member of Domain: Verified

- Domain Admins privileges: Verified

- Enterprise Admins privileges: Verified

- Windows Version: Verified (Microsoft Windows NT 10.0.17763.0)

- PowerShell Version: Verified (5.1.17763.2931)

------------------------------------------------------------

Validating ldifde is installed.

ldifde.exe is installed.

Validating Windows Feature RSAT-ADCS-Mgmt is installed

Installing RSAT-ADCS-Mgmt
The script prompts you to select a management option:

Entrust Enrollment Service PowerShell

Using this PowerShell script, Enrollments servers can be created, removed

and Edited.

Please select from the following options to continue :

[N] New Service [E] Edit Service [Q] Quit [?] Help (default is "N"):

Enter E to edit an existing enrollment service.
If more than one enrollment service is defined in Active Directory, the script displays the list of enrollment services and asks you to select one of the enrollment services:

Select from the following List of defined Enrollment Services :

Index Enrollment Service Name

----- -----------------------

1 CEG WSTEP

2 Entrust WSTEP

Please select the Index to select an Enrollment Service. 0 to quit.:

Enter the number associated with the enrollment service you want to edit. If only one enrollment service exists, that service is automatically selected by the script.
The script displays the currently-selected enrollment service, and prompts you to choose from a list of options:

Currently Selected Enrollment Service : Entrust WSTEP

Choose from the following Options:

[E] Edit [R] Remove [P] Previous [?] Help (default is "E"):

Enter E to edit the selected service.
The script prompts you to select an edit option:

Updating Enrollment Service : Entrust WSTEP

Menu to select between:

Updating the Enrollment Service URL(s)

Updating the Security Groups for the Enrollment Service.

Choose from the following Options:

[U] Update URL(s) [S] Update Security Group(s) [P] Previous [?] Help (default is "U"):

Enter S to update the security groups.
The script asks you to select an update option:

Updating Security Groups for Enrollment Service: Entrust WSTEP

Choose from the following Options:

[A] Add Security Group(s) [R] Remove Security Group(s) [L] List Security Group(s) [P] Previous [?] Help

(default is "L"):
- To list all security groups for the enrollment service, enter L.
- To remove a security group from the enrollment service, enter D.
- To add a security group to the enrollment service, enter A.
If you chose to list the security groups for the enrollment service, the script displays a list of security groups assigned to the enrollment service. For example:

Index SecurityGroup Permission

----- ------------- ----------

1 NT AUTHORITY\Authenticated Users Allow

2 NT AUTHORITY\SYSTEM Allow

3 EXAMPLE-AD\Domain Admins Allow

4 EXAMPLE-AD\Entrust WSTEP Access Allow

5 EXAMPLE-AD\Enterprise Admins Allow

6 EXAMPLE-AD\Domain Admins Allow
If you chose to remove a security group from the enrollment service:
1. The script displays a list of security groups assigned to the enrollment service and asks you to select which security group to remove:
  
  Index SecurityGroup Permission
  
  ----- ------------- ----------
  
  1 NT AUTHORITY\Authenticated Users Allow
  
  2 NT AUTHORITY\SYSTEM Allow
  
  3 EXAMPLE-AD\Domain Admins Allow
  
  4 EXAMPLE-AD\Entrust WSTEP Access Allow
  
  5 EXAMPLE-AD\Enterprise Admins Allow
  
  6 EXAMPLE-AD\Domain Admins Allow
  
  Select the index of the Security Group to be removed. 0 to quit. :
  
  Enter the index number associated with the security group you want to remove from the enrollment service.
2. The script asks you to confirm the removal of security group. For example:
  
  Removing Security Group : EXAMPLE-AD\Domain Admins
  
  Are you sure you want to remove the Security Group (y/n)?:
  - To confirm that you want remove the security group from the enrollment service, enter y.
  - To cancel the removal, enter n.
If you chose to add a security group to the enrollment service:
1. The script displays information about how to enter the name of the security group, then asks you to enter the security group you want to add to the enrollment service:
  
  The Security group must exist before this script can add to the Enrollment Service.
  
  Enrollment service to be modified : Entrust WSTEP
  
  For a Security Group, the following options are supported :
  
  1) domain\group
  
  2) domain.com\group
  
  3) group@domain
  
  4) group@domain.com
  
  Security Groups must be:
  
  1) GroupCategory must be Security
  
  2) objectClass must be type group
  
  Enter security Group. 0 to quit.:
  
  Enter the name of the security group you want to add to the enrollment service, or enter 0 to go back without adding a security group.
  The security group must already exist in Active Directory. In Active Directory, the GroupCategory of the group must be Security, and the objectClass of the group must be group.
  You must enter the name of the group using one of the following formats:
  - <domain>\<group>
  - <fqdn>\<group>
  - <group>@<domain>
  - <group>@<fqdn>
  Where:
  - <domain> is the Active Directory domain where the security group is located.
  - <fqdn> is the fully-qualified domain name of the Active Directory forest where the security group is located.
  - <group> is the name of the security group.
  Examples:
  
  EXAMPLE\Example Group
  
  EXAMPLE.COM\Example Group
  
  Example Group@EXAMPLE
  
  Example Group@EXAMPLE.COM
2. The script adds the security group to the enrollment service. For example:
  
  Adding the Access group : EXAMPLE-AD\Domain Users to the Enrollment Service : Entrust WSTEP
  
  Access Group EXAMPLE-AD\Domain Users added to Enrollment Service : Entrust WSTEP
To exit the script after updating the security groups assigned to the enrollment service:
1. Keep entering P to return to a previous menu until you return to the main menu:
  
  Entrust Enrollment Service PowerShell
  
  Using this PowerShell script, Enrollments servers can be created, removed
  
  and Edited.
  
  Please select from the following options to continue :
  
  [N] New Service [E] Edit Service [Q] Quit [?] Help (default is "N"):
2. Enter Q to exit the script.