Skip to content

Upgrade the Auto-Enrollment Connector

This topic explains how to upgrade an existing Auto-Enrollment Connector (AEC) installation to AEC 2.0+. The upgrade preserves your existing configuration, including certificate authorities and policy mappings.

Upgrading multiple servers

If running multiple AEC servers, CyberArk recommends upgrading and testing the first server before continuing.

Enhancements in AEC 2.0

AEC 2.0 includes the following enhancements:

  • Support for the Microsoft Security Identifier (SID) certificate extension OID 1.3.6.1.4.1.311.25.2, which is included in user certificates when enabled by the msPKI-Enrollment-Flag setting in User certificate templates.
  • FQDN template support.
  • LDAP-compliant DN parsing, including embedded comma support.

  • Updates to these dependencies:

    • Apache log4net 2.0.8
    • jsrsasign 10.6.1
    • Lodash 2.4.2

Before you begin

Before you begin, ensure that you have:

  • Local Administrator and Domain Admin permissions on the AEC server.
  • Access to the latest version of AEC on the CyberArk Marketplace.
  • The ability to schedule a brief service interruption for certificate enrollment.

Step 1: Uninstall the current version of AEC

  1. In a command prompt, enter services.msc.

  2. In the Windows Services Manager, stop these services:

    • Autoenrollment Proxy
    • AutoenrollmentCOM

  3. Go to C:\ProgramData\HydrantID\AutoEnrollment and back up autoEnroll_config.json.

  4. In the Windows Start Menu, right-click Uninstall CyberArk Auto-Enrollment Connector and select Run as administrator.
  5. In the dialog that appears, click Yes.
  6. In the Windows Start Menu, confirm that the Auto-Enrollment Connector program group no longer appears.

Step 2: Install AEC

Install AEC directly to the server(s) on which it will run. Download the latest executable from the CyberArk Marketplace.

Installation directories

AEC installs to C:\Program Files\HydrantID\AutoEnrollment. Its logs and database are stored in C:\ProgramData\HydrantID\AutoEnrollment.

  1. Sign in to the installation server using an account with Local Administrator and Domain Admin permissions.
  2. Upload the AEC executable to the server.
  3. Right-click the AEC executable and select Run as administrator.
  4. In the User Account Control dialog, click Yes.
  5. Accept the EULA and click Install.
  6. In the installation completion dialog, click Close.

Step 3: Test AEC

  1. In the Windows Start Menu, click Autoenrollment Configuration.
  2. In AEC, in Certificate Authorities, confirm that your templates and CAs appear.
  3. From each upgraded server, test certificate issuance.