Windows as SCEP server
Note:
For Windows Server 2012 and later versions, NDES (Network Device Enrollment Service) is integrated in the Certification Authority (CA). The procedure described here is an example and can vary depending on the version and environment.
Installing NDES
- Install the server role AD CS with the Network Device Enrollment Service feature.
- Set up a service account for NDES which must be authorized on the CA later on.
- Enter the information for the certificate from the Registration Authority (RA) to issue a signing certificate for this enrollment process.
- Define the key length.
The new virtual directories are displayed in the IIS console below the default website.
Configuring templates
The SCEP server uses templates for submission to the CA.
- Set the LDAP name of the template in the registry:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\MSCEP]
EncryptionTemplate <templatename> (default: IPSecIntermediateOffline)
GeneralPurposeTemplate <templatename> (default: IPSecIntermediateOffline)
SignatureTemplate <templatename> (default: IPSecIntermediateOffline)
- Add the new template to the CA.
- Configure the use of a one-time password in the registry (validity period, maximum number).
The one-time password allows a client that supports SCEP/NDES to contact the SCEP server directly and request a certificate. The client connects to the Windows SCEP server with the URL http://
Configuring one-time password
Either
- disable passwords (option A): [HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\MSCEP\EnforcePassword], set the EnforcePassword value to 0
or
- define a fixed password (option B): [HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\MSCEP\UseSinglePassword]
Permissions for NDES service account
- Grant the NDES service account full control.
Modify SCEP application pool defaults
- Set the Load User Profile option of the SCEP application pool from False to True.
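The template, one-time password and application pool settings from the sections above, applied with PowerShell on the NDES server. This is an added example, not part of the original page or a Microsoft script; the template name, the application pool name "SCEP" and the validity/maximum values are placeholders you must adjust, and the script assumes an elevated session with the IIS WebAdministration module available.

```powershell
# Added example (not from the original page): configure NDES via the registry and IIS.
# Assumptions: run elevated on the NDES server; template name, app pool name and the
# PasswordValidity/PasswordMax values below are placeholders.
#Requires -RunAsAdministrator
Import-Module WebAdministration

$MscepKey = 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP'
$Template = 'SCEP-Device'   # placeholder: LDAP (common) name of your template

# 1. Point all three template values at the new template.
#    The installation default for each is IPSecIntermediateOffline.
foreach ($name in 'EncryptionTemplate', 'GeneralPurposeTemplate', 'SignatureTemplate') {
    Set-ItemProperty -Path $MscepKey -Name $name -Value $Template -Type String
}

# 2. Challenge password handling.
#    'Disabled' = option A: EnforcePassword 0. Any client that can reach the enrollment
#                 URL can then request a certificate, so combine it with other controls.
#    'Single'   = option B: one fixed password for all requests.
#    'OneTime'  = per-request passwords with validity (minutes) and maximum outstanding count.
function Set-NdesPasswordMode {
    param([ValidateSet('Disabled', 'Single', 'OneTime')][string]$Mode,
          [int]$ValidityMinutes = 60,    # placeholder values
          [int]$MaxOutstanding  = 5)
    switch ($Mode) {
        'Disabled' {
            Set-ItemProperty "$MscepKey\EnforcePassword" -Name EnforcePassword -Value 0 -Type DWord
        }
        'Single' {
            Set-ItemProperty "$MscepKey\EnforcePassword"   -Name EnforcePassword   -Value 1 -Type DWord
            Set-ItemProperty "$MscepKey\UseSinglePassword" -Name UseSinglePassword -Value 1 -Type DWord
        }
        'OneTime' {
            Set-ItemProperty "$MscepKey\EnforcePassword"   -Name EnforcePassword   -Value 1 -Type DWord
            Set-ItemProperty "$MscepKey\UseSinglePassword" -Name UseSinglePassword -Value 0 -Type DWord
            Set-ItemProperty $MscepKey -Name PasswordValidity -Value $ValidityMinutes -Type DWord
            Set-ItemProperty $MscepKey -Name PasswordMax      -Value $MaxOutstanding  -Type DWord
        }
    }
}
Set-NdesPasswordMode -Mode 'OneTime'

# 3. Application pool: Load User Profile from False to True so the service account's
#    profile (and with it its certificate store) is loaded by the worker process.
Set-ItemProperty -Path 'IIS:\AppPools\SCEP' -Name processModel.loadUserProfile -Value $true

# 4. Read the effective settings back before restarting IIS to apply them.
Get-ItemProperty $MscepKey |
    Select-Object EncryptionTemplate, GeneralPurposeTemplate, SignatureTemplate, PasswordValidity, PasswordMax
Get-ItemProperty "$MscepKey\EnforcePassword", "$MscepKey\UseSinglePassword"
Get-ItemProperty 'IIS:\AppPools\SCEP' -Name processModel.loadUserProfile
iisreset
```

Run the read-back step again after `iisreset` if enrollment still fails; a template name that does not match the LDAP name of a template published on the CA is the usual cause.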
Requesting one-time passwords
- Sign in to the SCEP Administrator website using your NDES service account:
http://
/certsrv/mscep_admin/
- Copy the challenge password to the configuration file scep.ini
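The same request made from PowerShell instead of a browser, as an added example that is not part of the original page. It assumes the NDES server name is supplied as a placeholder, that the account running it (or the supplied credential) is the NDES service account, and that the admin page presents the challenge as a 16-character upper-case hex string; the regex is an assumption and may need adjusting for your version. Writing the value into scep.ini is left to you, since the page does not specify that file's layout.

```powershell
# Added example (not from the original page): fetch a one-time challenge password from
# the NDES admin page. Assumptions: $Server is a placeholder; the password is a 16-char
# hex token (regex below); the page may be served as UTF-16, so both decodings are tried.
function Get-NdesChallengePassword {
    param(
        [Parameter(Mandatory)][string]$Server,
        [pscredential]$Credential            # NDES service account; omit to use current user
    )
    $uri    = "http://$Server/certsrv/mscep_admin/"
    $params = @{ Uri = $uri; UseBasicParsing = $true }
    if ($Credential) { $params.Credential = $Credential }
    else             { $params.UseDefaultCredentials = $true }

    $resp = Invoke-WebRequest @params

    # Try the text as decoded by Invoke-WebRequest first, then an explicit UTF-16 decode
    # of the raw bytes (assumption: some NDES versions serve the page as UTF-16).
    $candidates = @(
        $resp.Content,
        [System.Text.Encoding]::Unicode.GetString($resp.RawContentStream.ToArray())
    )
    foreach ($html in $candidates) {
        if ($html -match '\b([0-9A-F]{16})\b') { return $Matches[1] }
    }
    throw "No challenge password found at $uri. Check that EnforcePassword is 1, " +
          "UseSinglePassword is 0 and the account is the authorized NDES service account."
}

# Usage (placeholder server name). Each call consumes one of the PasswordMax slots and the
# value expires after PasswordValidity minutes, so request it right before enrolling.
$challenge = Get-NdesChallengePassword -Server 'ndes.example.internal'
Write-Host "Challenge password: $challenge"
```

Because every call draws one of the outstanding one-time passwords, a failing client that retries in a loop will exhaust PasswordMax; the thrown error above is the point at which to check that registry value rather than the client.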