On the server hosting the Certificate Enrollment Policy Web Service, the TLS certificate installed on Microsoft IIS is irrelevant to Certificate Enrollment Gateway. What matters is that the certificate chain that issued it is trusted by every device in the domain, along with any non-domain WSTEP client.

  • If you are integrating Certificate Enrollment Gateway with an existing Windows domain, this domain already has trusted TLS certificates, and you can skip this section.
  • If you are integrating a new Windows domain, install all certificates in the CA certificate chain as trusted root certificates on the Active Directory Domain Controller. Follow the steps below to install the TLS certificate chain.

For CAs hosted by Entrust PKI as a Service, you should already have obtained the CA certificates from the Entrust Certificate Services portal.

To install the CA certificates in the Active Directory Domain Controller

  1. Log in to the server hosting Active Directory.
  2. Open the Group Policy Management administrative tool. Select Start > Windows Administrative Tools > Group Policy Management.
    The Group Policy Management dialog box appears.
  3. In the tree view, expand the Domain Controller you will modify.
  4. Right-click Default Domain Policy > Edit.
    The Group Policy Management Editor dialog box appears.
  5. In the tree view, expand Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Trusted Root Certification Authorities.
  6. Right-click Trusted Root Certification Authorities > Import.
  7. Select the Entrust Certificate Authority certificates or the CA certificate files you obtained earlier in Obtaining the CA certificates.
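As an added check that is not part of the Entrust documentation, the following PowerShell script, run on a domain-joined machine after the policy has refreshed, confirms that every CA certificate from the chain files you imported is present in the machine's Trusted Root store and that a trust chain builds for each one. It assumes the CA certificate files were saved as .cer files under C:\Temp\ca-chain (a hypothetical path); it does not replace the Group Policy steps above.

```powershell
# Added verification script (not from the Entrust documentation).
# Assumption: the CA chain files obtained from the portal are stored as .cer files
# in $chainDir (hypothetical path). Run on a domain member after the GPO has applied.
$chainDir = 'C:\Temp\ca-chain'

# Pull the updated Default Domain Policy now instead of waiting for the refresh interval.
gpupdate /target:computer /force | Out-Null

# The LocalMachine\Root logical store includes certificates delivered by Group Policy.
$rootStore = Get-ChildItem -Path Cert:\LocalMachine\Root
$missing = 0

foreach ($file in Get-ChildItem -Path $chainDir -Filter *.cer) {
    $ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($file.FullName)

    # 1. Is this CA certificate present in the Trusted Root store (matched by thumbprint)?
    $present = $rootStore | Where-Object { $_.Thumbprint -eq $ca.Thumbprint }
    if (-not $present) {
        Write-Warning ("MISSING from Trusted Root: {0}  {1}" -f $ca.Thumbprint, $ca.Subject)
        $missing++
        continue
    }

    # 2. Does Windows actually build a trusted chain for it? Revocation is skipped here
    #    so that an unreachable CRL endpoint does not mask a trust problem.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $trusted = $chain.Build($ca)
    if ($trusted) {
        Write-Output ("OK       {0}  {1}  (chain length {2})" -f $ca.Thumbprint, $ca.Subject, $chain.ChainElements.Count)
    } else {
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        Write-Warning ("UNTRUSTED {0}  {1}  status: {2}" -f $ca.Thumbprint, $ca.Subject, $status)
        $missing++
    }
    $chain.Reset()
}

if ($missing -eq 0) {
    Write-Output 'All CA certificates in the chain are trusted on this machine.'
} else {
    Write-Warning ("{0} CA certificate(s) are not trusted; re-check the GPO import and scope." -f $missing)
}
```

Repeat the check on a non-domain WSTEP client, where the chain must be installed manually, since Group Policy will not reach it.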