On the server hosting the Certificate Enrollment Policy Web Service, the TLS certificate installed on Microsoft IIS is irrelevant to Certificate Enrollment Gateway. What matters is that the issuing CA certificate chain is trusted by every device in the domain and by any non-domain WSTEP client.

  • If you are integrating Certificate Enrollment Gateway with an existing Windows domain, this domain already has trusted TLS certificates, and you can skip this section.
  • If you are integrating a new Windows domain, follow the steps below to install the TLS certificate chain.

This section contains the following topics:

  • Obtaining the CA certificates
  • Installing the CA certificates in the Active Directory domain

Obtaining the CA certificates

If you used the TLS Bootstrapping feature when you deployed the CEG Service, the CA certificate chain is a certcerts.p7b file located in the directory where you exported the Certificate Enrollment Gateway configuration.

For CAs hosted by Entrust PKI as a Service, you should have already obtained the CA certificates from the Entrust Certificate Services portal.

Copy this file from the CEG Service host to your machine.

Installing the CA certificates in the Active Directory domain

In the Active Directory Domain Controller, install all certificates in the CA certificate chain as trusted root certificates.

To install the CA certificates in the Active Directory Domain Controller

  1. Log in to the server hosting Active Directory.
  2. Open the Group Policy Management administrative tool. Select Start > Windows Administrative Tools > Group Policy Management.
    The Group Policy Management dialog box appears.
  3. In the tree view, expand the Domain Controller you will modify.
  4. Right-click Default Domain Policy > Edit.
    The Group Policy Management Editor dialog box appears.
  5. In the tree view, expand Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Trusted Root Certification Authorities.
  6. Right-click Trusted Root Certification Authorities > Import.
  7. Select the Entrust Certificate Authority certificates or the CA certificate file you obtained earlier in Obtaining the CA certificates.
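After the policy has been applied (for example after gpupdate /force on a domain-joined client), the following PowerShell script checks that every CA certificate in the exported bundle is actually present in the machine's Trusted Root store. It is an added example, not part of the Entrust documentation; the file path and the function name Test-CegChainTrust are assumptions.

```powershell
# Added example (not from the Entrust documentation): lists the CA certificates
# in the exported certcerts.p7b and reports whether each one is already present
# in the local machine's Trusted Root Certification Authorities store.
function Test-CegChainTrust {
    param(
        [Parameter(Mandatory)] [string] $P7bPath
    )

    # A .p7b (PKCS#7) bundle may carry several certificates; Import loads all of them.
    $bundle = [System.Security.Cryptography.X509Certificates.X509Certificate2Collection]::new()
    $bundle.Import($P7bPath)

    foreach ($cert in $bundle) {
        # Basic Constraints tells us whether the certificate is a CA certificate at all.
        $basic = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
        $isCa = ($null -ne $basic) -and $basic.CertificateAuthority

        # A self-issued certificate is the root of the chain; anything else is an intermediate.
        $role = if ($cert.Subject -eq $cert.Issuer) { 'Root' } else { 'Intermediate' }

        # The Cert: provider exposes each store entry under its thumbprint.
        $inRoot = Test-Path -Path "Cert:\LocalMachine\Root\$($cert.Thumbprint)"

        [pscustomobject]@{
            Subject     = $cert.Subject
            Role        = $role
            IsCA        = $isCa
            Thumbprint  = $cert.Thumbprint
            NotAfter    = $cert.NotAfter
            TrustedRoot = $inRoot
        }
    }
}

# Assumed path: the directory where the CEG configuration was exported.
$results = Test-CegChainTrust -P7bPath 'C:\ceg-export\certcerts.p7b'
$results | Format-Table -AutoSize

# Flag anything the policy has not (yet) delivered, or that is not a CA certificate.
$results | Where-Object { -not $_.TrustedRoot -or -not $_.IsCA } |
    ForEach-Object { Write-Warning "Not trusted as root or not a CA: $($_.Subject)" }
```

Run it on a client that received the Default Domain Policy, not only on the Domain Controller, since the point is that the chain reaches the WSTEP clients.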