AD CS: Network Device Enrollment Service

Updated: May 1, 2008

The Network Device Enrollment Service (NDES) is the Microsoft implementation of the Simple Certificate Enrollment Protocol (SCEP), a communication protocol that makes it possible for software running on network devices such as routers and switches, which cannot otherwise be authenticated on the network, to enroll for X.509 certificates from a certification authority (CA).

What does NDES do?

NDES operates as an Internet Server Application Programming Interface (ISAPI) filter on Internet Information Services (IIS) that performs the following functions:

  • Generates and provides one-time enrollment passwords to administrators.
  • Receives and processes SCEP enrollment requests on behalf of software running on network devices.
  • Retrieves pending requests from the CA.

Who will be interested in this feature?

This feature applies to organizations that have public key infrastructures (PKIs) with one or more Windows Server® 2008–based CAs and that want to enhance the security of communications by using Internet Protocol security (IPsec) with network devices such as routers and switches.

Adding support for NDES can significantly enhance the flexibility and scalability of an organization's PKI; therefore, this feature should interest PKI architects, planners, and administrators.

Are there any special considerations?

Organizations and professionals interested in NDES may want to know more about the SCEP specifications on which it is based.

SCEP was developed by Cisco Systems, Inc. as an extension to existing HTTP, PKCS #10, PKCS #7, RFC 2459, and other standards to enable network device and application certificate enrollment with CAs.

What new functionality does NDES provide?

In Windows Server 2003, Microsoft® SCEP (MSCEP) was a Windows Server 2003 Resource Kit add-on that had to be installed on the same computer as the CA. In Windows Server 2008, MSCEP support has been renamed NDES and is part of the operating system; NDES can be installed on a different computer from the CA.

What settings are being added or changed?

The NDES extension to IIS uses the registry to store configuration settings. All settings are stored under one registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\MSCEP

The following table defines the registry keys that are used to configure MSCEP:

| Setting name | Optional (Yes/No) | Default value | Possible values |
| --- | --- | --- | --- |
| Refresh | No | 7 | Number of days that pending requests are kept in the NDES database. |
| EnforcePassword | No | 1 | Defines whether passwords are required for enrollment requests. The value 1 means NDES requires a password for enrollment requests. The value 0 (zero) means passwords are not required. |
| PasswordMax | No | 5 | Maximum number of available passwords that can be cached. Note: on previous versions the default was 1,000. |
| PasswordValidity | No | 60 | Number of minutes a password is valid. |
| PasswordVDir | Yes | | The name of the virtual directory that can be used for password requests. If set, NDES accepts password requests only from the defined virtual directory. If the value is empty or not configured, NDES accepts password requests from any virtual directory. |
| CacheRequest | No | 20 | Number of minutes that issued certificates are kept in the SCEP database. |
| CAType | No | Based on setup | Identifies the type of CA that NDES is linked to. The value 1 means it is an enterprise CA; the value 0 means it is a stand-alone CA. |
| SigningTemplate | Yes | Not set | If this key is set, NDES uses this value as the certificate template name when clients enroll for a signing certificate. |
| EncryptionTemplate | Yes | Not set | If this key is set, NDES uses this value as the certificate template name when clients enroll for an encryption certificate. |
| SigningAndEncryptionTemplate | Yes | Not set | If this key is set, NDES uses the value as the certificate template name when clients enroll for a signing and encryption certificate, or when the request does not include any extended key usage. |

Note: When you modify any of these settings, you must stop and restart IIS in order for them to go into effect.
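As an added example (not code from this TechNet article or from NDES itself), the following Python audits a snapshot of the MSCEP settings above against their documented defaults and flags values that weaken one-time-password enrollment. The snapshot dicts, the virtual-directory name and the template names are constructed for illustration; exporting the real values from the registry is left to the reader.

```python
# Added example, not part of the TechNet article: audit a snapshot of the MSCEP
# settings documented above for values that weaken one-time-password enrollment.
# The snapshots are constructed dicts, so this runs without registry access.

DEFAULTS = {                 # documented defaults for the required settings
    "Refresh": 7,            # days pending requests are kept
    "EnforcePassword": 1,    # 1 = a one-time password is required
    "PasswordMax": 5,        # cached one-time passwords
    "PasswordValidity": 60,  # minutes a password stays valid
    "CacheRequest": 20,      # minutes issued certificates are cached
}
TEMPLATE_KEYS = ("SigningTemplate", "EncryptionTemplate", "SigningAndEncryptionTemplate")


def audit_ndes_settings(settings):
    """Return (severity, message) findings; absent required settings take their documented default."""
    merged = {**DEFAULTS, **settings}
    findings = []
    if int(merged["EnforcePassword"]) == 0:
        findings.append(("high", "EnforcePassword=0: requests accepted without a one-time password"))
    if not settings.get("PasswordVDir"):
        findings.append(("medium", "PasswordVDir unset: password requests accepted from any virtual directory"))
    validity = int(merged["PasswordValidity"])
    if validity > DEFAULTS["PasswordValidity"]:
        findings.append(("medium", f"PasswordValidity={validity} minutes exceeds the 60-minute default"))
    cached = int(merged["PasswordMax"])
    if cached > DEFAULTS["PasswordMax"]:
        findings.append(("low", f"PasswordMax={cached} exceeds the default of 5 cached passwords"))
    if "CAType" in settings and int(settings["CAType"]) not in (0, 1):
        findings.append(("high", f"CAType={settings['CAType']} is neither 0 (stand-alone) nor 1 (enterprise)"))
    for key in TEMPLATE_KEYS:
        if not settings.get(key):
            findings.append(("info", f"{key} unset: no template pinned for this enrollment type"))
    return findings


def worst_severity(findings):
    """Highest severity among the findings, or None when the snapshot is clean."""
    rank = {"high": 3, "medium": 2, "low": 1, "info": 0}
    return max((sev for sev, _ in findings), key=rank.get, default=None)


# Constructed snapshots: one weakened, one with every optional key pinned.
WEAK_SNAPSHOT = {"EnforcePassword": 0, "PasswordValidity": 1440, "PasswordMax": 1000, "CAType": 1}
HARDENED_SNAPSHOT = {"EnforcePassword": 1, "PasswordValidity": 30, "CAType": 1,
                     "PasswordVDir": "NDESAdmin",       # constructed names, not real defaults
                     "SigningTemplate": "NDESSigning",
                     "EncryptionTemplate": "NDESEncryption",
                     "SigningAndEncryptionTemplate": "NDESSignEncrypt"}
```

Running `audit_ndes_settings({})` models a fresh install: the only non-informational finding is the unset PasswordVDir, which the table above explains means password requests are accepted from any virtual directory.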

How should I prepare to deploy this feature?

Before installing NDES, you need to decide:

  • Whether to set up a dedicated user account for the service or to use the Network Service account.
  • The name of the NDES registration authority and what country/region to use. This information is included in any MSCEP certificates that are issued.
  • The cryptographic service provider (CSP) to use for the signature key used to encrypt communication between the CA and the registration authority.
  • The CSP to use for the encryption key used to encrypt communication between the registration authority and the network device.
  • The key length for each of these keys.

In addition, you need to create and configure the certificate templates for the certificates used in conjunction with NDES.

Installing NDES on a computer creates a new registration authority and deletes any pre-existing registration authority certificates on the computer. Therefore, if you plan to install NDES on a computer where another registration authority has been configured, any pending certificate requests should be processed and any unclaimed certificates should be claimed before NDES is installed.

Additional references

For more information about using the Network Device Enrollment Service, see Use the Network Device Enrollment Service and Online Responder Installation, Configuration, and Troubleshooting Guide.

For information about other features in Active Directory Certificate Services, see Active Directory Certificate Services Role.
