
Upgrade the Auto-Enrollment Connector

This topic explains how to upgrade an existing Auto-Enrollment Connector (AEC) installation to AEC 2.0+. The upgrade preserves your existing configuration, including certificate authorities and policy mappings.

Upgrading multiple servers

If you run multiple AEC servers, CyberArk recommends upgrading and testing the first server before upgrading the others. Because each server is registered separately in Active Directory, the remaining servers can keep serving enrollment requests while the first one is being upgraded.

Enhancements in AEC 2.0

AEC 2.0 includes the following enhancements:

  • Support for the Microsoft security identifier (SID) certificate extension (OID 1.3.6.1.4.1.311.25.2). AEC includes the extension in user certificates when the user certificate template's msPKI-Enrollment-Flag attribute enables it.
  • Support for FQDN-based templates.
  • LDAP-compliant distinguished name (DN) parsing, including support for commas embedded in DN attribute values.
  • Updates to these dependencies:

    • Apache log4net 2.0.8
    • jsrsasign 10.6.1
    • Lodash 2.4.2

Before you begin

Before you begin, ensure that you have:

  • An account that is a local administrator on the AEC server and a member of Domain Admins.
  • Access to the latest version of AEC on the CyberArk Marketplace.
  • The ability to schedule a brief service interruption for certificate enrollment.

Step 1: Uninstall the current version of AEC

  1. In a command prompt, enter services.msc.
  2. In the Windows Services Manager, stop these services:

    • Autoenrollment Proxy
    • AutoenrollmentCOM

  3. Go to C:\ProgramData\HydrantID\AutoEnrollment and back up autoEnroll_config.json.
  4. In the Windows Start Menu, right-click Uninstall CyberArk Auto-Enrollment Connector and select Run as administrator.
  5. In the dialog that appears, click Yes.
  6. In the Windows Start Menu, confirm that the Auto-Enrollment Connector program group no longer appears.
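The service stop and configuration backup in steps 2 and 3 can be scripted so that the backup is verified and a hash of the live file is kept for comparison after the upgrade. The following is an added example, not a CyberArk script; it assumes the two services carry the display names shown in services.msc, that the configuration lives at the documented path, and that C:\AECBackup is a backup directory of your choosing (a placeholder).

```powershell
#Requires -RunAsAdministrator
# Added example (not CyberArk's own tooling): automate Step 1 on an AEC server.
# Assumptions: service display names as shown in services.msc; documented config
# path; $BackupRoot is a placeholder directory.

$ConfigPath   = 'C:\ProgramData\HydrantID\AutoEnrollment\autoEnroll_config.json'
$BackupRoot   = 'C:\AECBackup'                          # placeholder
$DisplayNames = @('Autoenrollment Proxy', 'AutoenrollmentCOM')

# 1. Stop both AEC services and block until each one actually reports Stopped.
foreach ($name in $DisplayNames) {
    $svc = Get-Service -DisplayName $name -ErrorAction Stop
    if ($svc.Status -ne 'Stopped') {
        Stop-Service -InputObject $svc -Force
        $svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60))
    }
    Write-Host ("{0,-25} {1}" -f $svc.DisplayName, $svc.Status)
}

# 2. Copy the configuration to a timestamped backup and verify the copy
#    byte-for-byte via SHA-256 before the uninstall proceeds.
if (-not (Test-Path $BackupRoot)) {
    New-Item -ItemType Directory -Path $BackupRoot | Out-Null
}
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$backup = Join-Path $BackupRoot "autoEnroll_config.$stamp.json"
Copy-Item -Path $ConfigPath -Destination $backup -ErrorAction Stop

$liveHash   = (Get-FileHash -Algorithm SHA256 -Path $ConfigPath).Hash
$backupHash = (Get-FileHash -Algorithm SHA256 -Path $backup).Hash
if ($liveHash -ne $backupHash) {
    throw "Backup verification failed: $backup does not match $ConfigPath"
}

# 3. Record the pre-upgrade hash beside the backup. After Step 2, hash the
#    live file again: a changed hash means the installer rewrote the config,
#    and the CA and template mappings should be diffed against this backup.
"$liveHash  $ConfigPath" | Set-Content -Path "$backup.sha256"
Write-Host "Configuration backed up to $backup (SHA256 $liveHash)"
```

The backup is a copy of the connector's live configuration, so keep it in a location that only administrators can read, and delete it once the upgraded installation has been tested.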

Step 2: Install AEC

Install AEC directly on the servers on which it will run. Download the latest executable from the CyberArk Marketplace.

Installation directories

AEC installs to C:\Program Files\HydrantID\AutoEnrollment. Its logs and database are stored in C:\ProgramData\HydrantID\AutoEnrollment.

Enabling high availability

For high availability, install AEC on multiple servers, preferably in different availability zones or datacenters.

AEC servers don't share a database, so you need to add the same certificate template mappings to every server. Use ADSI Edit to verify that each server publishes the correct templates under CN=Configuration > CN=Services > CN=Public Key Services > CN=Enrollment Services.

In Active Directory, each AEC server and issuing CA pair registers as a separate enrollment service endpoint. For example, two AEC servers mapped to two issuing CAs result in four endpoints (and four ADSI Edit entries).
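The ADSI Edit check above can be done from PowerShell instead, which also makes it easy to confirm the endpoint count and to spot a server whose template mappings drifted from the others. This is an added example, not part of CyberArk's documentation or product. It assumes the ActiveDirectory module (RSAT) is installed, that each AEC-registered enrollment service object carries the AEC server's FQDN in dNSHostName, and that $AecHosts holds your AEC server names (the two names shown are placeholders). It is read-only against the Configuration partition.

```powershell
# Added example (not from CyberArk): enumerate the enrollment service endpoints
# that AEC servers registered in AD and compare the template sets per server.
# Assumptions: RSAT ActiveDirectory module; pKIEnrollmentService objects for AEC
# have the AEC server FQDN in dNSHostName; $AecHosts lists your AEC servers.
Import-Module ActiveDirectory

$AecHosts = @('aec01.corp.example.com', 'aec02.corp.example.com')   # placeholders

$configNC = (Get-ADRootDSE).configurationNamingContext
$esBase   = "CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNC"

# One pKIEnrollmentService object per AEC server / issuing CA pair.
$endpoints = Get-ADObject -SearchBase $esBase -SearchScope OneLevel `
    -Filter { objectClass -eq 'pKIEnrollmentService' } `
    -Properties dNSHostName, displayName, certificateTemplates

$aecEndpoints = @($endpoints | Where-Object { $AecHosts -contains $_.dNSHostName })
if ($aecEndpoints.Count -eq 0) { throw "No enrollment service objects found for $($AecHosts -join ', ')" }

$aecEndpoints |
    Select-Object displayName, dNSHostName,
        @{ n = 'Templates'; e = { (@($_.certificateTemplates) | Sort-Object) -join ', ' } } |
    Format-Table -AutoSize

# Expected count: (number of AEC servers) x (number of issuing CAs).
$perHost = @($aecEndpoints | Group-Object dNSHostName)
Write-Host ("{0} AEC endpoint(s) across {1} server(s)" -f $aecEndpoints.Count, $perHost.Count)

# Union of templates advertised by each server; a server missing a template
# will simply not be offered it by autoenrollment clients.
$templatesByHost = @{}
foreach ($g in $perHost) {
    $templatesByHost[$g.Name] = @($g.Group.certificateTemplates | Sort-Object -Unique)
}

$refHost   = $perHost[0].Name
$reference = $templatesByHost[$refHost]
$mismatch  = $false
foreach ($h in $templatesByHost.Keys) {
    if ($h -eq $refHost) { continue }
    $missing = @($reference | Where-Object { $templatesByHost[$h] -notcontains $_ })
    $extra   = @($templatesByHost[$h] | Where-Object { $reference -notcontains $_ })
    if ($missing.Count -or $extra.Count) {
        $mismatch = $true
        Write-Warning ("{0} vs {1}: missing [{2}] extra [{3}]" -f `
            $h, $refHost, ($missing -join ', '), ($extra -join ', '))
    }
}
if (-not $mismatch) { Write-Host 'All AEC servers advertise the same templates.' }
```

Run it before upgrading the second server and again afterwards; the endpoint count should not change, and any template listed as missing on one host is a mapping that still has to be added in that server's Autoenrollment Configuration.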

  1. Sign in to the installation server using an account with Local Administrator and Domain Admin permissions.
  2. Upload the AEC executable to the server.
  3. Right-click the AEC executable and select Run as administrator.
  4. In the User Account Control dialog, click Yes.
  5. Accept the EULA and click Install.
  6. In the installation completion dialog, click Close.

Step 3: Test AEC

  1. In the Windows Start Menu, click Autoenrollment Configuration.
  2. In AEC, in Certificate Authorities, confirm that your templates and CAs appear.
  3. From each upgraded server, test certificate issuance.
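One way to perform the issuance test in step 3 from a domain-joined client, and at the same time confirm the SID extension behaviour introduced in AEC 2.0, is shown below. This is an added example, not a CyberArk script. It assumes the PKI and ActiveDirectory modules are available, that $TemplateName is a placeholder for a user template mapped in AEC, and that Get-Certificate reaches AEC through the enrollment services published in Active Directory. The constant 0x80000 is Microsoft's CT_FLAG_NO_SECURITY_EXTENSION bit of msPKI-Enrollment-Flag and is not taken from this page.

```powershell
# Added example (not from CyberArk): enroll a test certificate and verify that
# the SID extension is present when the template's msPKI-Enrollment-Flag calls
# for it. Assumptions: PKI + ActiveDirectory modules; $TemplateName is a
# placeholder; 0x80000 is Microsoft's CT_FLAG_NO_SECURITY_EXTENSION.
Import-Module ActiveDirectory
Import-Module PKI

$TemplateName      = 'AEC-TestUser'            # placeholder user template
$SidExtOid         = '1.3.6.1.4.1.311.25.2'
$NoSecurityExtFlag = 0x80000

# 1. Read the template's enrollment flags. If the no-security-extension bit is
#    set, the issued certificate is expected to omit the SID extension.
$configNC = (Get-ADRootDSE).configurationNamingContext
$tmplBase = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$tmpl = Get-ADObject -SearchBase $tmplBase -Filter { name -eq $TemplateName } `
    -Properties 'msPKI-Enrollment-Flag'
if (-not $tmpl) { throw "Template $TemplateName not found in $tmplBase" }
$flags       = [int]$tmpl.'msPKI-Enrollment-Flag'
$sidExpected = ($flags -band $NoSecurityExtFlag) -eq 0

# 2. Enroll against the AD enrollment policy (no -Url), which resolves to the
#    enrollment service endpoint that AEC registered for this template.
$result = Get-Certificate -Template $TemplateName -CertStoreLocation 'Cert:\CurrentUser\My'
if ($result.Status -ne 'Issued') { throw "Enrollment did not complete: status $($result.Status)" }
$cert = $result.Certificate

# 3. Inspect the issued certificate for the SID extension.
$sidExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq $SidExtOid }
[pscustomobject]@{
    Subject        = $cert.Subject
    Issuer         = $cert.Issuer
    NotAfter       = $cert.NotAfter
    Thumbprint     = $cert.Thumbprint
    SidExtPresent  = [bool]$sidExt
    SidExtExpected = $sidExpected
}
if ($sidExpected -and -not $sidExt) {
    Write-Warning "Template $TemplateName expects the SID extension but $SidExtOid is missing from the certificate"
}
if (-not $sidExpected -and $sidExt) {
    Write-Warning "Template $TemplateName disables the SID extension but the certificate contains $SidExtOid"
}
```

Repeat the request so that it is served by each upgraded server (for example by running it while the other servers' AEC services are stopped), and remove the test certificate from the user's store once the check passes.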