
NDES Configuration settings:

NDES configuration settings are stored in the registry. I cover some of the more commonly modified registry values here; for a complete listing of configuration settings, please read the NDES whitepaper. The base registry key that NDES reads is:

HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\MSCEP

All the registry values referenced below live under this key. Several of the DWORD values (PasswordValidity, PasswordMax, UseSinglePassword) sit in a subkey that has the same name as the value, as shown in each entry. NDES reads these values when its IIS application pool starts, so restart IIS (iisreset) after changing any of them.

Template Settings
Use these settings to choose which certificate templates NDES issues.

SignatureTemplate (REG_SZ)
EncryptionTemplate (REG_SZ)
GeneralPurposeTemplate (REG_SZ)

These three registry values hold the template name (the LDAP common name of the template, not its display name) of the template that should be issued for each type of key a SCEP client can request. There are three types of keys that can be specified:

SignatureTemplate: the private key can only be used for creating a digital signature. In the certificate template configuration, this is denoted by the Purpose, Signature, on the Request Handling tab.
EncryptionTemplate: the private key can be used for encryption. In the certificate template configuration, this is denoted by the Purpose, Encryption, on the Request Handling tab.
GeneralPurposeTemplate: the private key can be used both for encryption and for creating a digital signature. In the certificate template configuration, this is denoted by the Purpose, Signature and encryption, on the Request Handling tab.

Here is a screenshot of a certificate template showing where to find the template name that needs to be populated in the registry values. In the figure (screenshot not included in this copy) it is IPSecIntermediateOffline, the default template used by NDES.

NOTE: If you decide to use a custom certificate template, there are additional requirements. The NDES application pool identity needs Enroll permission on the template; this is set on the Security tab of the template's properties. The template must be valid for computer accounts, not user accounts. You can find the template type by opening the properties of the template and clicking the Extensions tab; select the Certificate Template Information extension and you should see Subject type: Computer.

The template's Subject Name must be set to Supply in the request, because the SCEP client, not Active Directory, provides the subject. This is shown on the Subject Name tab.
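The checks above (template name versus display name, Subject type: Computer, Supply in the request, and Enroll permission for the application pool identity) can be scripted. The following is an added example, not code from the original page or from Microsoft: it resolves a display name to the template name NDES expects, validates the template flags, warns when no explicit Enroll ACE exists, and writes the three registry values. It assumes the ActiveDirectory RSAT module on a domain-joined NDES host; the template and account names in the usage comment are placeholders.

```powershell
# Added example (not from the original page). Assumes RSAT ActiveDirectory module and
# read access to the Configuration partition. Names in the usage comment are assumptions.
Import-Module ActiveDirectory

$MscepKey    = 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP'
$TemplatesDn = "CN=Certificate Templates,CN=Public Key Services,CN=Services," +
               (Get-ADRootDSE).configurationNamingContext

function Get-NdesTemplateInfo {
    param([Parameter(Mandatory)][string]$DisplayName)
    $t = Get-ADObject -SearchBase $TemplatesDn -Properties name, flags, 'msPKI-Certificate-Name-Flag' `
            -LDAPFilter "(&(objectClass=pKICertificateTemplate)(displayName=$DisplayName))"
    if (-not $t) { throw "No certificate template with display name '$DisplayName'" }
    [pscustomobject]@{
        DisplayName       = $DisplayName
        TemplateName      = $t.name                                          # value NDES wants in the registry
        IsMachineTemplate = ($t.flags -band 0x40) -ne 0                      # flags 0x40: Subject type = Computer
        SubjectInRequest  = ($t.'msPKI-Certificate-Name-Flag' -band 0x1) -ne 0  # 0x1: Supply in the request
    }
}

function Test-NdesEnrollPermission {
    # Looks for an explicit Allow ACE granting the Certificate-Enrollment extended right
    # (or GenericAll) to the account. Rights inherited through group membership are not
    # resolved here, so $false means "go look at the Security tab", not "definitely missing".
    param([Parameter(Mandatory)][string]$TemplateName,
          [Parameter(Mandatory)][string]$Account)   # e.g. 'CONTOSO\svc-ndes' (assumed name)
    $enrollRight = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment right
    $rights = [System.DirectoryServices.ActiveDirectoryRights]
    $acl = Get-Acl -Path "AD:\CN=$TemplateName,$TemplatesDn"
    [bool]($acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $Account -and $_.AccessControlType -eq 'Allow' -and (
            $_.ActiveDirectoryRights.HasFlag($rights::GenericAll) -or
            ($_.ActiveDirectoryRights.HasFlag($rights::ExtendedRight) -and $_.ObjectType -eq $enrollRight))
    })
}

function Set-NdesTemplates {
    # Maps display names to template names, validates each template, then writes the registry values.
    param([Parameter(Mandatory)][string]$SignatureDisplayName,
          [Parameter(Mandatory)][string]$EncryptionDisplayName,
          [Parameter(Mandatory)][string]$GeneralPurposeDisplayName,
          [Parameter(Mandatory)][string]$AppPoolAccount)
    $map = [ordered]@{
        SignatureTemplate      = $SignatureDisplayName
        EncryptionTemplate     = $EncryptionDisplayName
        GeneralPurposeTemplate = $GeneralPurposeDisplayName
    }
    foreach ($entry in $map.GetEnumerator()) {
        $info = Get-NdesTemplateInfo -DisplayName $entry.Value
        if (-not $info.IsMachineTemplate) { throw "$($info.TemplateName): not a computer template" }
        if (-not $info.SubjectInRequest)  { throw "$($info.TemplateName): subject must be 'Supply in the request'" }
        if (-not (Test-NdesEnrollPermission -TemplateName $info.TemplateName -Account $AppPoolAccount)) {
            Write-Warning "$($info.TemplateName): no explicit Enroll ACE for $AppPoolAccount"
        }
        Set-ItemProperty -Path $MscepKey -Name $entry.Key -Value $info.TemplateName -Type String
    }
    Get-ItemProperty -Path $MscepKey -Name SignatureTemplate, EncryptionTemplate, GeneralPurposeTemplate
    Write-Host 'Run iisreset so the NDES application pool picks up the new template names.'
}

# Usage (all names are assumptions for this example):
# Set-NdesTemplates -SignatureDisplayName 'NDES Signature' -EncryptionDisplayName 'NDES Encryption' `
#                   -GeneralPurposeDisplayName 'NDES General' -AppPoolAccount 'CONTOSO\svc-ndes'
```

The two flag checks are the scriptable equivalent of reading the Extensions and Subject Name tabs: bit 0x40 of the template's flags attribute marks a machine template, and bit 0x1 of msPKI-Certificate-Name-Flag is the Supply in the request setting. Writing the template name rather than the display name is the most common mistake when these values are set by hand.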

Now, lets continue to look at the NDES configuration settings.

Password Settings
Use these settings to configure the challenge password behavior in NDES.

Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\MSCEP\PasswordValidity
Value: PasswordValidity
Type: REG_DWORD
Data: Default 60 (decimal)

PasswordValidity sets the amount of time (in minutes) for which an NDES admin-supplied challenge password is valid. The default is 60 minutes, but most admins change this to a value that accommodates the time it takes to communicate the password to the device owner. The device owner enters this password on the device in order to enroll for a certificate.

A good value might be 0x78 (120 decimal). This gives the owner of the device two hours to get through the iPhone Configuration Utility and enter the challenge password. If the validity period expires and the device owner has not obtained a certificate, the SCEP admin will need to generate a new challenge for the user. Keep the window as short as the hand-off allows: until it expires, anyone who learns the challenge can enroll with it.

Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\MSCEP\PasswordMax
Value: PasswordMax
Type: REG_DWORD
Data: Default 5

PasswordMax sets the number of outstanding passwords that the service will track once the NDES admin starts generating them. This means the NDES admin can have at most X unique passwords outstanding at one time. Once that number has been reached, the NDES admin cannot generate any further passwords until the old ones have been used by a device or their validity period has expired.

You can change the behavior of NDES so that the service uses only one password for all client certificate enrollments. This is done with the UseSinglePassword registry value, added in the following hotfix: 959193 Two improvements are available that shorten the time that is required to manage SCEP certificates by using the Network Device Enrollment Service in Windows Server 2008 http://support.microsoft.com/kb/959193

Note that the single password is static and shared by every device, so anyone who obtains it can enroll for a certificate; it trades per-device challenges for convenience and should only be used where access to the admin page and the password itself is tightly controlled.

System clocks verification
Make sure that the system clocks of the SCEP server, the Communication Server and the Management Server are set to the correct time; both certificate validity and challenge-password expiry depend on it.

Modifying Policy Module properties for the Certificate Authority
a. On the computer where the Certificate Authority is installed, open the Certification Authority management console, right-click the CA and choose Properties.
b. Click the Policy Module tab, and then click Properties.
c. Select Follow the settings in the certificate template, if applicable. Otherwise, automatically issue the certificate.
d. Click OK.
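Both steps above can be verified from PowerShell. The following is an added example, not part of the original document: it measures the clock offset against the other servers with w32tm, and reads (or sets) the RequestDisposition value that the Policy Module dialog controls. Host names are placeholders; the registry path of the default policy module and the meaning of the RequestDisposition values are standard for AD CS.

```powershell
# Added example (not from the original document). Host names are assumptions; run the CA
# part on the CA as a CA administrator.

function Get-ClockOffset {
    # Offset in seconds reported by w32tm for each target (positive = target clock is ahead).
    # Ok uses a 5-minute threshold (the usual Kerberos tolerance); tighten it if your PKI needs to.
    param([Parameter(Mandatory)][string[]]$Targets)
    foreach ($t in $Targets) {
        $out = w32tm /stripchart /computer:$t /samples:1 /dataonly 2>&1 | Out-String
        # With /dataonly w32tm prints lines like "12:00:05, +00.0153452s"; anything else is an error
        $offset = if ($out -match '([+-]\d+\.\d+)s') { [double]$Matches[1] } else { $null }
        [pscustomobject]@{
            Target        = $t
            OffsetSeconds = $offset
            Ok            = ($null -ne $offset -and [math]::Abs($offset) -lt 300)
        }
    }
}

function Get-CaRequestDisposition {
    # Reads the active CA's default policy module. 1 (REQDISP_ISSUE) is the dialog choice
    # "Follow the settings in the certificate template, if applicable. Otherwise, automatically
    # issue the certificate"; 0x101 (REQDISP_PENDINGFIRST | REQDISP_ISSUE) is
    # "Set the certificate request status to pending", i.e. CA certificate manager approval.
    $cfg = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $ca  = (Get-ItemProperty -Path $cfg -Name Active).Active
    $pol = Join-Path $cfg "$ca\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy"
    $v   = (Get-ItemProperty -Path $pol -Name RequestDisposition).RequestDisposition
    [pscustomobject]@{
        CA                 = $ca
        RequestDisposition = ('0x{0:X}' -f $v)
        AutoIssue          = ($v -eq 1)
    }
}

function Set-CaAutoIssue {
    # Same effect as step c above; CertSvc must restart before the new disposition applies.
    certutil -setreg policy\RequestDisposition 1 | Out-Null
    Restart-Service -Name certsvc
    Get-CaRequestDisposition
}

# Usage (example host names):
# Get-ClockOffset -Targets 'scep01.contoso.com', 'mgmt01.contoso.com'
# Get-CaRequestDisposition
```

Reading the value from the registry instead of parsing certutil output keeps the check independent of certutil's display format; certutil -setreg is still the supported way to write it.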

To switch NDES to a single shared password:

1. Open the Registry Editor using the "regedit" command.
2. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MSCEP\UseSinglePassword.
3. Set the UseSinglePassword value to "1".
4. Restart IIS.
5. Access the SCEP server admin page at http://<scep_server>/certsrv/mscep_admin/ to view the password.
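The Password Settings section and the UseSinglePassword procedure above are the same three DWORDs written under their subkeys, followed by an IIS restart. The following is an added example, not code from the original page: it sets PasswordValidity, PasswordMax and UseSinglePassword, restarts IIS, reads the values back, and fetches the current challenge from the admin page. The server name is a placeholder, and the regex used to pick the challenge out of the admin page (a 16-character hex string) is an assumption about that page's format.

```powershell
# Added example (not from the original page). Server name and admin-page format are assumptions.
$Mscep = 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP'

function Set-NdesDword {
    # NDES keeps these DWORDs in a subkey named like the value: ...\MSCEP\PasswordMax\PasswordMax
    param([Parameter(Mandatory)][string]$Name, [Parameter(Mandatory)][uint32]$Value)
    $key = Join-Path $Mscep $Name
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name $Name -Value $Value -Type DWord
}

function Get-NdesPasswordPolicy {
    foreach ($n in 'PasswordValidity', 'PasswordMax', 'UseSinglePassword') {
        $key = Join-Path $Mscep $n
        [pscustomobject]@{
            Name  = $n
            Value = $(if (Test-Path $key) { (Get-ItemProperty -Path $key).$n } else { '(not set: default)' })
        }
    }
}

function Set-NdesPasswordPolicy {
    param(
        [int]$ValidityMinutes = 120,   # 0x78: two hours for the hand-off, then the challenge is dead
        [int]$MaxOutstanding  = 5,     # challenges tracked before the admin page refuses to issue more
        [switch]$SinglePassword        # one static challenge shared by every device (weaker)
    )
    Set-NdesDword -Name PasswordValidity  -Value $ValidityMinutes
    Set-NdesDword -Name PasswordMax       -Value $MaxOutstanding
    Set-NdesDword -Name UseSinglePassword -Value $(if ($SinglePassword) { 1 } else { 0 })
    iisreset | Out-Null            # values are read when the NDES application pool starts
    Get-NdesPasswordPolicy
}

function Get-NdesChallengePassword {
    # Browses the admin page as the current user (Windows auth), so run it as the NDES admin.
    # When PasswordMax is reached the page reports that instead of a password, and the regex
    # below will not match, which is the failure mode you want surfaced.
    param([Parameter(Mandatory)][string]$Server)
    $r = Invoke-WebRequest -Uri "http://$Server/certsrv/mscep_admin/" -UseDefaultCredentials -UseBasicParsing
    # Assumption: the challenge is printed as a 16-character upper-case hex string
    if ($r.Content -match '\b([0-9A-F]{16})\b') { return $Matches[1] }
    throw 'No challenge password found in the admin page (limit reached, expired, or page format differs)'
}

# Usage (example values):
# Set-NdesPasswordPolicy -ValidityMinutes 120 -MaxOutstanding 10
# Get-NdesChallengePassword -Server 'ndes01.contoso.com'
```

Leave the SinglePassword switch off unless the deployment really cannot handle per-device challenges; with it on, the value returned by Get-NdesChallengePassword is the same for every device and is effectively an enrollment credential for the whole fleet.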

Verify that the server has this update installed: http://support.microsoft.com/kb/2483564

To set up and configure the Network Device Enrollment Service

1. On the server where you want to install the Network Device Enrollment Service, open Server Manager, and click Add Roles to start the Add Roles Wizard.
2. On the Select Server Roles page, select the Active Directory Certificate Services check box, and then click Next two times.
3. On the Select Role Services page, clear the Certification Authority check box, and then select the Network Device Enrollment Service check box.
4. You are prompted to install IIS and Windows Activation Service. Click Add Required Role Services, and then click Next three times.
5. On the Specify User Account page, click Select User, and type the user name and password for the account that the Network Device Enrollment Service will use to authorize certificate requests. Click OK, and then click Next.
6. On the Specify CA page, if this computer does not host a CA, select either the CA name or Computer name check box, click Browse to locate the CA that will issue the Network Device Enrollment Service certificates, and then click Next.
7. On the Specify Registration Authority Information page, type the name of the registration authority in the RA name box. Under Country/region, select the country/region you are in, and then click Next.
8. On the Configure Cryptography page, accept the default values for the signature and encryption keys or configure your own values, and then click Next.
9. Review the summary of configuration options, and then click Install.
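On Windows Server 2012 and later the same role installation can be scripted with the ADCSDeployment module instead of the Add Roles Wizard. The following is an added example, not from the original page or from Microsoft's documentation: each cmdlet parameter corresponds to a wizard page above (service account, CA, RA name and country, key sizes). The account, CA and RA names are placeholders.

```powershell
# Added example (not from the original page): scripted equivalent of the wizard steps above
# for Windows Server 2012+. Account, CA, RA and host names are assumptions.
Import-Module ServerManager
Import-Module ADCSDeployment

# Steps 3-4: add the NDES role service; IIS and WAS are pulled in as dependencies
Install-WindowsFeature ADCS-Device-Enrollment -IncludeManagementTools | Out-Null

# Step 5: the account NDES authorizes requests with. It must be a member of the local
# IIS_IUSRS group on the NDES host; net localgroup works on every supported version.
$svc = Get-Credential -UserName 'CONTOSO\svc-ndes' -Message 'NDES service account'
net localgroup IIS_IUSRS $svc.UserName /add | Out-Null

# Steps 6-9: issuing CA ("CAHost\CAName"), RA identity, and the signing/encryption key settings
Install-AdcsNetworkDeviceEnrollmentService `
    -ServiceAccountName     $svc.UserName `
    -ServiceAccountPassword $svc.Password `
    -CAConfig               'ca01.contoso.com\Contoso Issuing CA' `
    -RAName                 'Contoso-NDES-RA' `
    -RACountry              'US' `
    -SigningProviderName    'Microsoft Strong Cryptographic Provider' `
    -SigningKeyLength       2048 `
    -EncryptionProviderName 'Microsoft Strong Cryptographic Provider' `
    -EncryptionKeyLength    2048 `
    -Force

# Verify: the role service is installed and the SCEP endpoint answers (expect StatusCode 200)
Get-WindowsFeature ADCS-Device-Enrollment | Select-Object Name, InstallState
(Invoke-WebRequest -Uri 'http://localhost/certsrv/mscep/mscep.dll' -UseBasicParsing).StatusCode
```

Use a dedicated service account with no rights beyond Enroll on the NDES templates and membership in IIS_IUSRS; that account is the identity whose Enroll permission the template NOTE above refers to.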

Settings in use:

UseSinglePassword = 1
DisableRenewalSubjectNameMatch = 1
CA certificate manager approval = Disabled

All three favor unattended enrollment over control: one shared challenge for every device, renewal requests that are not checked for a subject name matching the certificate being renewed, and issuance without a CA manager's review. Restrict access to the mscep_admin page and to the NDES server accordingly.
