Migrating a WSTEP on-prem gateway to PKIaaS
To migrate from an on-premises WSTEP Enrollment Gateway to a PKIaaS WSTEP gateway, follow the steps under Automating WSTEP enrollment, taking into account the considerations below for each section.
- When Planning your WSTEP deployment, determine the required number of Agents based on your current deployment.
- When evaluating the WSTEP integration requirements, determine the networking requirements based on your current deployment. Make any necessary adjustment to the DNS server and the firewall rules.
- You can skip section Configuring an issuing CA for WSTEP as WSTEP is already configured for your on-premises deployment.
- When Preparing the Active Directory forest for WSTEP:
- Repeat Adding Active Directory nodes for the root domain of every Microsoft Active Directory forest. Create a new service account for the PKIaaS WSTEP gateway rather than reusing the existing one, so that the on-premises WSTEP Enrollment Gateway keeps working until it is decommissioned.
- You can skip Installing the default set of certificate templates, as the templates should already exist for each Microsoft Active Directory forest.
- Repeat Setting up LDAPS on domain controllers for every domain controller in the entire Microsoft Active Directory forest. The PKIaaS WSTEP gateway requires LDAPS TLS certificates on all domain controllers, whereas the on-premises WSTEP Enrollment Gateway required them only on the root Active Directory domain controllers.
- When Configuring WSTEP automation in PKIaaS, complete all the steps, and make sure the certificate authority you select matches the one used by the on-premises WSTEP Enrollment Gateway.
- When Enabling WSTEP for users and devices, do not reuse the Group Policy Object (GPO) of the on-premises WSTEP Enrollment Gateway. Complete the following steps in order, so that the process can be rolled back if needed.
- Create a new GPO.
- Apply the GPO to a single test user.
- Complete the migration testing.
- Apply the GPO across the entire forest.
- Unlink the existing GPO for the on-premises WSTEP Enrollment Gateway.
⚠ It is recommended to keep the on-premises WSTEP Enrollment Gateway running until the PKIaaS WSTEP gateway is fully deployed and integrated within the Microsoft Active Directory forest.
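Because the PKIaaS gateway needs LDAPS on every domain controller in the forest (see Setting up LDAPS on domain controllers above), the following PowerShell script, added here as an example and not part of the Entrust documentation, enumerates all domain controllers in every domain of the forest and checks that each one presents a TLS certificate on port 636 that chains to a trusted root and matches the host name. It assumes the ActiveDirectory RSAT module is installed and that the machine running it trusts the same issuing CA the gateway will trust; the 30-day expiry warning window is an arbitrary choice.

```powershell
# Added example, not part of the Entrust documentation. Checks LDAPS (TCP 636) on every
# domain controller in every domain of the forest, because the PKIaaS WSTEP gateway needs a
# valid LDAPS certificate on all of them, not only on the root domain's controllers.
# Assumes the ActiveDirectory RSAT module; the 30-day expiry window is an arbitrary choice.
Import-Module ActiveDirectory

function Test-DcLdaps {
    param(
        [Parameter(Mandatory)][string]$HostName,  # DC FQDN; must match the certificate's SAN
        [int]$Port = 636,
        [int]$TimeoutMs = 5000
    )
    $r = [ordered]@{
        Host = $HostName; Reachable = $false; TlsOk = $false
        Subject = $null; Issuer = $null; NotAfter = $null; Error = $null
    }
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs)) { throw "TCP connect timed out" }
        $client.EndConnect($ar)
        $r.Reachable = $true
        # No custom validation callback: the default does full chain building and host-name
        # matching against this machine's trust store, which is what an LDAPS client does too.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $r.TlsOk    = $true
        $r.Subject  = $cert.Subject
        $r.Issuer   = $cert.Issuer
        $r.NotAfter = $cert.NotAfter
        $ssl.Dispose()
    } catch {
        # Untrusted chain, name mismatch, nothing listening on 636, or a timeout all land here.
        $r.Error = $_.Exception.Message
    } finally {
        $client.Dispose()
    }
    [pscustomobject]$r
}

function Get-ForestDomainControllers {
    # Every DC in every domain of the forest, not just the root domain's DCs.
    param([string]$Forest = (Get-ADForest).Name)
    foreach ($domain in (Get-ADForest -Identity $Forest).Domains) {
        foreach ($dc in Get-ADDomainController -Filter * -Server $domain) {
            [pscustomobject]@{ Domain = $domain; HostName = $dc.HostName }
        }
    }
}

$report = foreach ($dc in Get-ForestDomainControllers) {
    Test-DcLdaps -HostName $dc.HostName |
        Add-Member -NotePropertyName Domain -NotePropertyValue $dc.Domain -PassThru
}
$report | Format-Table Domain, Host, Reachable, TlsOk, NotAfter, Error -AutoSize

$failed   = @($report | Where-Object { -not $_.TlsOk })
$expiring = @($report | Where-Object { $_.TlsOk -and $_.NotAfter -lt (Get-Date).AddDays(30) })
if ($failed)   { Write-Warning ("{0} DC(s) without a valid LDAPS certificate: {1}" -f $failed.Count, ($failed.Host -join ', ')) }
if ($expiring) { Write-Warning ("{0} DC LDAPS certificate(s) expire within 30 days: {1}" -f $expiring.Count, ($expiring.Host -join ', ')) }
```

Run it from a domain-joined administrative workstation before Configuring WSTEP automation in PKIaaS; any DC listed with TlsOk set to False needs an LDAPS certificate (or a trust fix) before the PKIaaS gateway can use it.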
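The staged GPO rollout described under Enabling WSTEP for users and devices can be scripted so that each phase is one reversible command. The PowerShell below is an added example, not code from the Entrust documentation; the GPO names, pilot domain and test user are assumed placeholders, and the enrollment settings inside the GPO are still configured in the Group Policy Management Editor as the documentation describes. The script only manages the GPO's scope and links.

```powershell
# Added example, not part of the Entrust documentation. Staged rollout of a separate GPO for
# the PKIaaS WSTEP gateway: pilot on one test user, widen to every domain in the forest, then
# disable (not delete) the on-prem GPO's link so that a single command rolls it back.
# GPO names, pilot domain and test user are assumed placeholders.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$NewGpoName  = 'PKIaaS WSTEP Enrollment'   # assumed name of the new GPO
$OldGpoName  = 'OnPrem WSTEP Enrollment'   # assumed name of the on-prem gateway's GPO
$PilotDomain = 'corp.example.com'          # assumed domain that holds the test user
$TestUser    = 'wstep.pilot'               # assumed sAMAccountName of the test user

function Set-WstepGpoLink {
    # Ensures the new GPO exists in $Domain and is linked (enabled) at the domain root.
    param([Parameter(Mandatory)][string]$Domain)
    $domainDn = (Get-ADDomain -Identity $Domain).DistinguishedName
    if (-not (Get-GPO -Name $NewGpoName -Domain $Domain -ErrorAction SilentlyContinue)) {
        New-GPO -Name $NewGpoName -Domain $Domain -Comment 'PKIaaS WSTEP gateway' | Out-Null
    }
    $links = (Get-GPInheritance -Target $domainDn -Domain $Domain).GpoLinks
    if (-not ($links | Where-Object DisplayName -eq $NewGpoName)) {
        New-GPLink -Name $NewGpoName -Domain $Domain -Target $domainDn -LinkEnabled Yes | Out-Null
    }
}

function Start-WstepGpoPilot {
    # Steps 1-2: create the GPO in the pilot domain and scope it to the single test user.
    # Authenticated Users keeps Read (required since MS16-072 so that the computer can read
    # user policy) but loses Apply; only the test user gets Apply.
    Set-WstepGpoLink -Domain $PilotDomain
    Set-GPPermission -Name $NewGpoName -Domain $PilotDomain -TargetName 'Authenticated Users' `
        -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
    Set-GPPermission -Name $NewGpoName -Domain $PilotDomain -TargetName $TestUser `
        -TargetType User -PermissionLevel GpoApply | Out-Null
}

function Publish-WstepGpoForestWide {
    # Step 4, after migration testing: link the GPO in every domain and let it apply to everyone.
    foreach ($domain in (Get-ADForest).Domains) {
        Set-WstepGpoLink -Domain $domain
        Set-GPPermission -Name $NewGpoName -Domain $domain -TargetName 'Authenticated Users' `
            -TargetType Group -PermissionLevel GpoApply -Replace | Out-Null
    }
}

function Disable-OldWstepGpoLink {
    # Step 5: disable (rather than remove) the on-prem GPO's link in each domain. Rollback is
    # the same call with -LinkEnabled Yes; the GPO object itself is deleted only during cleanup.
    param([ValidateSet('Yes', 'No')][string]$LinkEnabled = 'No')
    foreach ($domain in (Get-ADForest).Domains) {
        $domainDn = (Get-ADDomain -Identity $domain).DistinguishedName
        $link = (Get-GPInheritance -Target $domainDn -Domain $domain).GpoLinks |
            Where-Object DisplayName -eq $OldGpoName
        if ($link) {
            Set-GPLink -Name $OldGpoName -Domain $domain -Target $domainDn -LinkEnabled $LinkEnabled | Out-Null
        }
    }
}

# Usage, one phase at a time:
#   Start-WstepGpoPilot          # then log on as the test user, run gpupdate /force and gpresult /r
#   Publish-WstepGpoForestWide   # only after migration testing has passed
#   Disable-OldWstepGpoLink      # rollback: Disable-OldWstepGpoLink -LinkEnabled Yes
```

Disabling the old link instead of deleting the GPO is what keeps step 5 reversible; the on-premises GPO is removed for good only in Cleaning up the Windows domain after migrating WSTEP to PKIaaS.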
After completing these configuration steps, perform the following cleanup steps.
- Cleaning up the Windows domain after migrating WSTEP to PKIaaS
- Cleaning up the appliance after migrating WSTEP to PKIaaS
Cleaning up the Windows domain after migrating WSTEP to PKIaaS
Perform the following steps in your Windows domain to complete the migration.
To clean up the Windows domain after migration:
- Remove all Group Policy Objects (GPOs) for the on-premises WSTEP Enrollment Gateway
- Run the `gpupdate /force` command to force a group policy update.
- In the root domain of each Microsoft Active Directory forest, delete the WSTEP service account of the on-premises WSTEP Enrollment Gateway.
- Turn off the Microsoft servers with the Certificate Enrollment Policy (CEP) service. If these are virtual machines, you can delete them.
- Open the ADSI Edit console and remove the Enrollment Service for the on-premises WSTEP Enrollment Gateway.
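The cleanup steps above can be scripted. The PowerShell below is an added example rather than code from the Entrust documentation; every name in it is an assumed placeholder, the service account is assumed to be a regular user account, and the Enrollment Service removed through ADSI Edit is assumed to be a pKIEnrollmentService object under CN=Enrollment Services in the Configuration partition. The deletion of that object is filtered by the old gateway's DNS name and previewed with -WhatIf, so that the PKIaaS gateway's own object and any enterprise CA objects are never touched.

```powershell
# Added example, not part of the Entrust documentation: scripted equivalent of the domain
# cleanup steps. Every name below is an assumed placeholder. Run it only after the PKIaaS
# WSTEP gateway has been verified forest-wide; the ADSI step previews with -WhatIf and then
# prompts before deleting anything.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$Forests        = @('corp.example.com')        # assumed forest root domain(s), one per forest
$OldGpoName     = 'OnPrem WSTEP Enrollment'    # assumed name of the on-prem gateway's GPO
$OldSvcAccount  = 'svc-wstep-onprem'           # assumed sAMAccountName (regular user account)
$OldGatewayHost = 'wstep-gw.corp.example.com'  # assumed DNS name registered for the on-prem gateway
$CepServers     = @('cep01.corp.example.com')  # assumed Windows servers running the CEP service

# 1. Remove the on-prem GPO from every domain of every forest (Remove-GPO also removes its links).
foreach ($forestName in $Forests) {
    foreach ($domain in (Get-ADForest -Identity $forestName).Domains) {
        if (Get-GPO -Name $OldGpoName -Domain $domain -ErrorAction SilentlyContinue) {
            Remove-GPO -Name $OldGpoName -Domain $domain -Confirm:$false
        }
    }
}

# 2. Refresh policy on this machine; clients pick the change up at their next refresh or
#    when gpupdate /force is run on them.
gpupdate /force | Out-Null

foreach ($forestName in $Forests) {
    $root = (Get-ADForest -Identity $forestName).RootDomain

    # 3. Delete the on-prem service account in the forest root domain.
    $svc = Get-ADUser -Filter "sAMAccountName -eq '$OldSvcAccount'" -Server $root
    if ($svc) { Remove-ADUser -Identity $svc -Server $root -Confirm:$false }

    # 5. ADSI Edit equivalent. The Enrollment Service is assumed to be a pKIEnrollmentService
    #    object under CN=Enrollment Services. Matching on dNSHostName keeps the PKIaaS gateway's
    #    object and any enterprise CA objects out of scope; an unexpected match count aborts.
    $configNc = (Get-ADRootDSE -Server $root).configurationNamingContext
    $esBase   = "CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNc"
    $oldEs = @(Get-ADObject -Server $root -SearchBase $esBase -SearchScope OneLevel `
                -LDAPFilter '(objectClass=pKIEnrollmentService)' -Properties dNSHostName |
              Where-Object { $_.dNSHostName -eq $OldGatewayHost })
    switch ($oldEs.Count) {
        0 { Write-Warning "No Enrollment Service object for $OldGatewayHost in $forestName" }
        1 {
            $oldEs[0] | Remove-ADObject -Server $root -WhatIf          # preview only
            $oldEs[0] | Remove-ADObject -Server $root -Confirm:$true   # prompts, then deletes
        }
        default { throw "Found $($oldEs.Count) Enrollment Service objects for $OldGatewayHost; refusing to delete" }
    }
}

# 4. Shut down the Windows servers that ran the CEP service (delete the VMs afterwards if virtual).
Stop-Computer -ComputerName $CepServers -Force
```

Compare the object shown by the -WhatIf preview with what ADSI Edit displays under CN=Enrollment Services before confirming the deletion; if the on-premises gateway registered under a different name or class than assumed here, adjust the filter rather than widening it.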
Cleaning up the appliance after migrating WSTEP to PKIaaS
The required cleanup operations on the appliance vary depending on the following situations.
- The on-premises Entrust Enrollment Gateway runs other enrollment protocols like ACME, MDM, Intune, or SCEP.
- The appliance cluster hosts other solutions like Certificate Hub or CA Gateway.
See the table below for the required cleanup actions on each appliance cluster.
| Enrollment protocols on the gateway | Other solutions on the cluster | Cleanup action |
|---|---|---|
| WSTEP only | ✔ | Run the `sudo kubectl delete namespace ceg` command to delete the ceg namespace from the appliance. This keeps the configuration and the license in case you need to redeploy the Enrollment Gateway. |
| WSTEP only | ❌ | Shut down or delete the nodes of the appliance cluster. |
| WSTEP and other protocols | ✔ | Nothing. The Enrollment Gateway must keep running to serve the other protocols. |
| WSTEP and other protocols | ❌ | Nothing. The Enrollment Gateway must keep running to serve the other protocols. |