Migrating a WSTEP on-prem enrollment workflow

See below for migrating an on-premises WSTEP enrollment workflow to PKIaaS.

• Creating the new WSTEP enrollment workflow
• Cleaning up the Windows domain after migrating WSTEP to PKIaaS
• Cleaning up the appliance after migrating WSTEP to PKIaaS

Creating the new WSTEP enrollment workflow

Create a new PKIaaS enrollment workflow as explained in Automating WSTEP enrollment. See below for specific considerations on each section.

1. When Planning your WSTEP deployment, determine the required number of Agents based on your current deployment.
2. When evaluating the WSTEP integration requirements, determine the networking requirements based on your current deployment. Make any necessary adjustment to the DNS server and the firewall rules.
3. You can skip section Configuring an issuing CA for WSTEP as WSTEP is already configured for your on-premises deployment.
4. When Preparing the Active Directory forest for WSTEP:
   • Repeat Adding Active Directory nodes for each root Active Directory in every Microsoft Active Directory forest. It is recommended to create a new service account for the PKIaaS WSTEP enrollment workflow to allow the existing on-premises WSTEP enrollment workflow to continue functioning until decommissioned.
   • You can skip Installing the default set of certificate templates, as the templates should already exist for each Microsoft Active Directory forest.
   • Repeat Setting up LDAPS on domain controllers across the entire Microsoft Active Directory forest. In contrast, the on-premises WSTEP enrollment workflow requires LDAPS TLS certificates to be configured only on the root Active Directory domain controllers.
5. When Configuring WSTEP automation in PKIaaS, complete all the steps. When Preparing the Active Directory forest for WSTEP, ensure the selected certificate authority matches the one used for the on-premises WSTEP enrollment workflow.
6. When Enabling WSTEP for users and devices, do not reuse the Group Policy Object (GPO) of the on-premises WSTEP enrollment workflow. Complete the following steps in order to allow rolling back the process, if needed.
   1. Create a new GPO.
   2. Apply the GPO to a single test user.
   3. Complete the migration testing.
   4. Apply the GPO across the entire forest.
   5. Unlink the existing GPO for the on-premises WSTEP enrollment workflow.

⚠ It is recommended to keep the on-premises WSTEP enrollment workflow running until the PKIaaS WSTEP enrollment workflow is fully deployed and integrated within the Microsoft Active Directory forest.

Cleaning up the Windows domain after migrating WSTEP to PKIaaS

Perform the following steps in your Windows domain to complete the migration.

To clean up the Windows domain after migration:

1. Remove all Group Policy Objects (GPOs) for the on-premises WSTEP enrollment workflow.
2. Run the gpupdate /force command to force a group policy update.
3. In the root domains of the Microsoft Active Directory forests, delete the WSTEP Service account for the on-premises WSTEP enrollment workflow.
4. Turn off the Microsoft servers with the Certificate Enrollment Policy (CEP) service. If these are virtual machines, you can delete them.
5. Open the ADSI Edit console and remove the Enrollment Service for the on-premises WSTEP enrollment workflow.

Cleaning up the appliance after migrating WSTEP to PKIaaS

The required cleanup operations on the appliance vary depending on the following situations.

• The on-premises Entrust enrollment workflow runs other protocols like ACME, MDM, Intune, or SCEP.
• The appliance cluster hosts other solutions like Certificate Hub or CA Gateway.

See the table below for the required cleanup actions on each appliance cluster.