Installing SCEP using Microsoft NDES

SCEP (Simple Certificate Enrollment Protocol) is a standard solution for admins wishing to deploy certificates to devices with little interaction and no manual uploading/downloading of cert files between systems. NDES (Network Device Enrollment Service) is Microsoft’s implementation of SCEP. NDES and SCEP are essentially 2 labels for the same service. This is really just my braindump from working with SCEP over the last few months.

A lot of this page is derived from the Microsoft whitepaper Microsoft SCEP Implementation.

To begin, you will need a few things.
1) A working MS Domain with healthy AD.

2) A Microsoft Certificate Authority.
You can set up either a Standalone or Enterprise CA. Since most of my work was with MS, this example is for an Enterprise CA.

3) A 2008 or 2012 Enterprise or Datacenter Server.
This is for the install of NDES. NDES will not install on a Standard Server. Also, NDES cannot be installed on the same server that holds a Certificate Authority.

With those ready to go, here’s how to get NDES installed.

Setup NDES Accounts in AD
NDES needs 2 accounts on the Domain. You need an Admin account for installation and interaction with the GUI. You need a service account to run the service and request/enroll certificates.

1) Create NDES_Admin. Assign it to the Enterprise Admins group in the Domain (this membership can be removed after installation). Assign it to the local Administrators group on the NDES host.
2) Create NDES_ServiceAccount. Assign it to the IIS_IUSRS group on the NDES host.
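The same two accounts and group memberships, scripted with the ActiveDirectory module. This is an added example, not part of the original post; the domain name (corp.example), the NDES host name (NDES01) and the NetBIOS lookup are placeholders/assumptions, and it is meant to be run by a domain admin from a machine with RSAT-AD-PowerShell installed.

```powershell
# Added example (not from the original post): create the two NDES accounts and
# apply the group memberships listed above.
# Assumptions: domain "corp.example" and NDES host "NDES01" are placeholders.
Import-Module ActiveDirectory

$domain   = "corp.example"   # placeholder
$ndesHost = "NDES01"         # placeholder

# Prompt for passwords instead of embedding them in the script.
$adminPwd = Read-Host "Password for NDES_Admin" -AsSecureString
$svcPwd   = Read-Host "Password for NDES_ServiceAccount" -AsSecureString

# Admin account: used only for the installation and the NDES admin page.
New-ADUser -Name "NDES_Admin" -SamAccountName "NDES_Admin" `
    -UserPrincipalName "NDES_Admin@$domain" -AccountPassword $adminPwd `
    -Enabled $true

# Service account: runs the NDES application pool and enrolls certificates.
New-ADUser -Name "NDES_ServiceAccount" -SamAccountName "NDES_ServiceAccount" `
    -UserPrincipalName "NDES_ServiceAccount@$domain" -AccountPassword $svcPwd `
    -Enabled $true -PasswordNeverExpires $true -CannotChangePassword $true

# Enterprise Admins membership is only needed while NDES is being installed.
Add-ADGroupMember -Identity "Enterprise Admins" -Members "NDES_Admin"

# Local group memberships on the NDES host. net localgroup works on 2008 and 2012.
# Note: IIS_IUSRS only exists on the host once the Web Server (IIS) role is
# installed, so run that line after IIS is present if the group is missing.
$netbios = (Get-ADDomain).NetBIOSName
Invoke-Command -ComputerName $ndesHost -ScriptBlock {
    param($nb)
    net localgroup Administrators "$nb\NDES_Admin" /add
    net localgroup IIS_IUSRS "$nb\NDES_ServiceAccount" /add
} -ArgumentList $netbios

# After NDES is installed, drop the elevated membership again:
# Remove-ADGroupMember -Identity "Enterprise Admins" -Members "NDES_Admin" -Confirm:$false
```

The service account is deliberately not placed in any admin group; it only needs IIS_IUSRS locally plus the Read/Enroll and Request rights granted on the templates and CA in the following sections.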

Duplicate the Certificate Templates
In the Certificate Authority (CA) we need to create the certificate templates that will be used by NDES.

  • Open the Certificate Authority MMC
  • On the left, expand the CA. Right click on the Templates Folder and select Manage. This will open the Template Mgmt folder.
  • Locate the Exchange Enrollment Agent (Offline Request), right click and Duplicate the template.
  • When prompted, select the server level. I used 2008 Enterprise on a 2008 host and 2012 on a 2012 host. Both worked fine, I don’t know the differences between the 2.
  • In the Template dialog, set the name to NDES Exchange Enrollment Agent (Offline Request).
  • In the Template Security Tab, Assign Permissions for the NDES_Admin Account and grant it Read and Enroll rights.
  • Click OK to save and exit this Template.
  • We need to do the same thing for the CEP Encryption template (Duplicate it, name it NDES CEP Encryption, and assign NDES_Admin the Read and Enroll rights).
  • Last, we need to do the same thing for the IPSEC (Offline Request), name it NDES IPSEC (Offline Request), assign NDES_Admin AND NDES_ServiceAccount the Read and Enroll Rights.
  • Close the Templates MMC

Publish The Certificates
Back at the CA, we need to publish the new Templates we just created into the CA for use.

  • Right click the Templates folder in the CA.
  • Pick New then Certificate Template to Issue.
  • Select the 3 NDES… certificates we just created and click OK to publish.

Once done, the 3 NDES certs should appear in the list of usable certificate templates in the CA window.

Assign Permissions on the CA
Next we need to add Read and Request permissions for the NDES_ServiceAccount to the CA.

  • From the left side panel in Certificate Authority MMC, right click the CA name, and select Properties
  • Click on the security tab.
  • Add NDES_ServiceAccount and assign it Read and Request Certificates rights.
  • Click OK and close the dialog.

Install NDES
Now that we are done with the CA and certificate work, we can move on to installing NDES on the NDES host.

  • Log in to the NDES box using the NDES_Admin account created earlier.
  • Open Server Manager from the Start menu.
  • In the left pane of Server Manager, right-click Roles and select Add Roles from the menu.
  • Click Next on the Before You Begin screen in the Add Roles Wizard.
  • Select Active Directory Certificate Services on the Select Server Roles screen and click Next.
  • Click Next on the Introduction screen.
  • On the Select Role Services screen, clear Certification Authority and select Network Device Enrollment Service. As I mentioned previously, NDES can’t be installed on the same machine as a CA.
  • In the Add Roles Wizard dialog box, click Add Required Role Services to install the necessary IIS and Remote Server Administration Tool components.
  • On the Specify User Account screen click Select User. In the Windows Security dialog box, enter the username and password for the NDES_ServiceAccount and click Next.
  • Click Browse in the Specify CA for Network Device Enrollment Service dialog box.
  • In the Select Certification Authority dialog box, select the issuing CA, click OK and Next to continue.
  • On the Specify Registration Authority Information screen, modify the Country/Region field as necessary and click Next.
  • On the Configure Cryptography for Registration Authority screen, accept the default settings, which you can see in Figure 3, and click Next.
  • Click Next on the Web Server (IIS) introduction screen.
  • Accept the defaults on the Select Role Services screen by clicking Next.
  • Click Install on the Confirm Installation Selections screen.
  • Click Close on the Installation Results screen.
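On Windows Server 2012 the same wizard steps can be driven from PowerShell with the ADCS deployment cmdlets. This is an added example, not from the original post; the CA config string (CA01.corp.example\Corp-Issuing-CA), the NetBIOS domain name (CORP) and the RA name are placeholders. Run it in an elevated PowerShell session as NDES_Admin on the NDES host (not on the CA).

```powershell
# Added example (not from the original post): install NDES on Server 2012 without
# the Add Roles wizard. Placeholders: CA config "CA01.corp.example\Corp-Issuing-CA",
# domain NetBIOS name "CORP", RA name "NDES-RA".
Import-Module ServerManager

# Installs the NDES role service plus the IIS and RSAT components the wizard
# would add through "Add Required Role Services". Certification Authority is
# intentionally not included: NDES must not share a host with a CA.
Install-WindowsFeature ADCS-Device-Enrollment -IncludeManagementTools

Import-Module ADCSDeployment

# Password for the service account that will run the NDES application pool.
$svcPwd = Read-Host "Password for CORP\NDES_ServiceAccount" -AsSecureString

# Equivalent of the Specify User Account, Specify CA, Registration Authority
# Information and Configure Cryptography screens. Cryptography parameters are
# omitted so the defaults are used, as in the wizard steps above.
Install-AdcsNetworkDeviceEnrollmentService `
    -ServiceAccountName     "CORP\NDES_ServiceAccount" `
    -ServiceAccountPassword $svcPwd `
    -CAConfig               "CA01.corp.example\Corp-Issuing-CA" `
    -RAName                 "NDES-RA" `
    -RACountry              "US" `
    -Force

# Confirm the role service reports as installed.
Get-WindowsFeature ADCS-Device-Enrollment | Select-Object Name, InstallState
```

Because the cmdlet runs under the logged-on account, NDES_Admin still needs the temporary Enterprise Admins membership and the Read/Enroll rights on the NDES templates described earlier, or the RA certificate enrollment at the end of the install fails.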

Modify the NDES Registry
Before we can request a password from NDES to start the certificate request process, we need to set some registry keys on the NDES server to point to our NDES IPsec (Offline Request) certificate, then restart IIS.

  • Open regedit from the Search programs and files box on the Start menu.
  • In the left pane of Registry Editor, navigate to the following registry key: HKLM\Software\Microsoft\Cryptography\MSCEP.
  • You’ll find three REG_SZ values: EncryptionTemplate, GeneralPurposeTemplate and SignatureTemplate. Set all three values to NDESIPSECIntermediateOffline, then close Registry Editor.
  • Type cmd into the Search programs and files box on the Start menu and press Ctrl+Shift+Enter to start the command prompt with administrative privileges.
  • Type the following two commands to restart IIS:
      net stop w3svc
      net start w3svc
  • Close the command prompt.
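The registry change and IIS restart above, scripted with a few checks that the change actually took effect. This is an added example, not from the original post; the registry path and template name are the ones from the steps above, while the CA config string (CA01.corp.example\Corp-Issuing-CA) is a placeholder. Invoke-WebRequest needs PowerShell 3.0 or later, so the last check applies to a 2012 host.

```powershell
# Added example (not from the original post): point the three MSCEP template
# values at the NDES IPsec template, restart IIS, and verify.
# Run in an elevated PowerShell on the NDES host.
$mscepKey     = "HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP"
$templateName = "NDESIPSECIntermediateOffline"
$valueNames   = "EncryptionTemplate", "GeneralPurposeTemplate", "SignatureTemplate"

foreach ($valueName in $valueNames) {
    Set-ItemProperty -Path $mscepKey -Name $valueName -Value $templateName -Type String
}

# Restart the World Wide Web Publishing Service (same as net stop/start w3svc).
Restart-Service -Name W3SVC -Force

# Check 1: all three REG_SZ values now name the NDES IPsec template.
$props = Get-ItemProperty -Path $mscepKey
$wrong = $valueNames | Where-Object { $props.$_ -ne $templateName }
if ($wrong) { throw "MSCEP values not set correctly: $($wrong -join ', ')" }

# Check 2: the template is published on the issuing CA. NDES refers to it by the
# internal template name, and an unpublished template makes every request fail.
$published = certutil -config "CA01.corp.example\Corp-Issuing-CA" -CATemplates
if (-not ($published -match "^$templateName:")) {
    Write-Warning "Template $templateName is not published on the CA."
}

# Check 3: the NDES admin page responds after the restart. It is protected by
# Windows authentication, so the request runs as the logged-on NDES_Admin.
$r = Invoke-WebRequest -Uri "http://localhost/certsrv/mscep_admin/" `
        -UseDefaultCredentials -UseBasicParsing
"mscep_admin returned HTTP $($r.StatusCode)"
```

If check 1 passes but the admin page still reports a template error, the usual cause is that NDES_ServiceAccount is missing Read and Enroll on the NDES IPSEC (Offline Request) template or Request Certificates on the CA, both of which were granted in the earlier sections.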