AD CS: Managing Network Device Enrollment Service
Published: August 25, 2010
Updated: August 25, 2010
Applies To: Windows Server 2008, Windows Server 2008 R2
This topic describes procedures for NDES management tasks and NDES configuration.
In this topic:
- Configuring service certificate templates
- Renewing service certificates
- Configuring custom device certificate templates
- Backing up NDES
- Configuring NDES
NDES uses two service certificates: one for signing and one for encryption. During setup, these certificates are requested for NDES based on the Exchange Enrollment Agent (Offline Request) and CEP Encryption certificate templates, both of which are required during setup.
Any time after setup, you can create custom service certificate templates for NDES.
To create custom service certificates:
- Create two certificate templates, for signing and encryption, by duplicating the Exchange Enrollment Agent (Offline Request) and the CEP Encryption certificate templates. Follow the procedure described in Create a New Certificate Template. When prompted, select Windows Server 2003 for the minimum CA version. Make changes to the certificate template properties to meet your requirements.
- Assign the new certificate templates to a CA. See Add a Certificate Template to a Certification Authority.
- Enroll for the new encryption and signing certificates from the NDES computer by using the Certificates snap-in for the computer account. See Add the Certificates Snap-in to an MMC and Request a Certificate.
- Grant the NDES service account Read permissions on the private keys of both new certificates by using the Certificates snap-in for the computer account. In the Personal folder, right-click the new certificate, point to All Tasks, and click Manage Private Keys. Allow Read access for the NDES service account.
- Restart IIS.
To renew NDES service certificates:
- Enroll for the Exchange Enrollment Agent (Offline Request) and the CEP Encryption certificates from the NDES computer by using the Certificates snap-in for the computer account. See Add the Certificates Snap-in to an MMC and Request a Certificate.
  Note: If you are using custom service certificate templates, select those certificate templates instead of the default NDES certificate templates.
- Grant the NDES service account Read permissions on the private keys of both new certificates by using the Certificates snap-in for the computer account. In the Personal folder, right-click the new certificate, point to All Tasks, and click Manage Private Keys. Allow Read access for the NDES service account.
- Restart IIS.
A request from a device to NDES specifies whether the request is for an encryption certificate, a signing certificate, or a certificate for both encryption and signing.
By default, NDES uses the IPSEC (Offline Request) certificate template for all three types of device certificate requests.
NDES can be configured to use a custom certificate template for each type of device certificate.
To configure custom device certificate templates:
- Create a certificate template by duplicating the IPSEC (Offline Request) certificate template. Follow the procedure described in Create a New Certificate Template. When prompted, select Windows Server 2003 for the minimum CA version. On the Request Handling tab, specify the certificate purpose based on the type of certificate your device requires: encryption, signing, or both encryption and signing. Make changes to the certificate template properties to meet your requirements. Ensure the NDES service account has Read and Enroll permissions on the template.
- Assign the new certificate template to the CA that NDES is configured to use. See Add a Certificate Template to a Certification Authority.
- Specify the name of the new certificate template in the appropriate registry setting and restart IIS. Review the descriptions of the EncryptionTemplate, SigningTemplate, and SigningAndEncryptionTemplate settings in Configuring NDES.
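The last step of this procedure, writing the template names to the registry and restarting IIS, as an added PowerShell example. This is not code from the original article. It assumes it runs elevated on the NDES server, that the value names EncryptionTemplate, SigningTemplate and SigningAndEncryptionTemplate sit directly under the MSCEP key as the Configuring NDES table lists them, and that the template names in the call at the bottom are placeholders to be replaced with your own template names (not display names).

```powershell
# Added example, not part of the original article: sets the NDES device-template
# registry values and restarts IIS. Assumes an elevated session on the NDES server.
# The template names passed at the bottom are placeholders.

$NdesKey = 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP'

function Set-NdesDeviceTemplates {
    param(
        [string]$EncryptionTemplate,
        [string]$SigningTemplate,
        [string]$SigningAndEncryptionTemplate,
        [switch]$NoRestart
    )

    if (-not (Test-Path $NdesKey)) {
        throw "NDES registry key not found: $NdesKey (is NDES installed on this server?)"
    }

    # Only values the caller supplied are written. An empty string is skipped so an
    # unset template keeps the documented fallback, IPSEC (Offline Request).
    $desired = @{
        EncryptionTemplate           = $EncryptionTemplate
        SigningTemplate              = $SigningTemplate
        SigningAndEncryptionTemplate = $SigningAndEncryptionTemplate
    }

    $current = Get-ItemProperty -Path $NdesKey
    foreach ($name in $desired.Keys) {
        $value = $desired[$name]
        if ([string]::IsNullOrEmpty($value)) { continue }
        $old = $current.$name
        if ($old -eq $value) {
            Write-Host "$name is already '$value'"
            continue
        }
        # The table documents these as String (REG_SZ) values.
        Set-ItemProperty -Path $NdesKey -Name $name -Value $value -Type String
        Write-Host "$name : '$old' -> '$value'"
    }

    # The article's procedure ends with an IIS restart; the new names are not used until then.
    if (-not $NoRestart) { & iisreset.exe /restart | Out-Null }
}

# Usage with placeholder template names (replace with the names of your duplicated templates).
Set-NdesDeviceTemplates -EncryptionTemplate 'NDESDeviceEncryption' `
                        -SigningTemplate 'NDESDeviceSigning' `
                        -SigningAndEncryptionTemplate 'NDESDeviceSigningEncryption'
```

Pass -NoRestart when you want to batch several registry changes and restart IIS once at the end.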
Two components of NDES should be backed up: NDES registry settings and service certificates.
To back up NDES registry settings, start a command prompt, type the command `reg export HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\MSCEP <MSCEPBackup.reg>`, and press ENTER.
To back up NDES service certificates, export the service certificates and their private keys from the NDES computer’s personal certificate store by using the Certificate Export wizard in the Certificates snap-in. See Export a Certificate with the Private Key.
You can identify NDES service certificates by the Key Usage extension on the Details tab, which has the value Certificate Request Agent. If there are multiple signing and encryption certificates in the certificate store with Key Usage equal to Certificate Request Agent, NDES uses the newest valid certificate.
Note: If you upgraded to NDES from MSCEP in Windows Server 2003, the service certificates might be in the CEP certificate store. Review Upgrading to NDES from MSCEP in Windows Server 2003 and the CertsInMyStore setting description in Configuring NDES.
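Both backup steps above, as an added PowerShell example rather than code from the original article. It assumes an elevated session on the NDES server; that the service certificates are in the computer's Personal (My) store rather than the legacy CEP store; that the "Certificate Request Agent" purpose the article uses to identify them is encoded as the Enhanced Key Usage OID 1.3.6.1.4.1.311.20.2.1; and that certutil.exe is used for the PFX export, since the Export-PfxCertificate cmdlet is not available on Windows Server 2008 R2. Backup-NdesRegistry, Get-NdesServiceCertificate and Backup-NdesServiceCertificate are names chosen for this example.

```powershell
# Added example, not part of the original article: backs up the two NDES components
# the article names, the MSCEP registry key and the service certificates with their
# private keys. Assumes an elevated session on the NDES server and that the service
# certificates are in LocalMachine\My (see the CertsInMyStore note for upgraded servers).

$NdesRegKey = 'HKLM\SOFTWARE\Microsoft\Cryptography\MSCEP'
$AgentEku   = '1.3.6.1.4.1.311.20.2.1'   # Enhanced Key Usage OID for Certificate Request Agent

function Backup-NdesRegistry {
    param([string]$Destination)
    $regFile = Join-Path $Destination 'MSCEPBackup.reg'
    # Same operation as the article's "reg export ... <MSCEPBackup.reg>"; /y overwrites silently.
    & reg.exe export $NdesRegKey $regFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg export failed with exit code $LASTEXITCODE" }
    return $regFile
}

function Get-NdesServiceCertificate {
    # Service certificates are those with a private key and the Certificate Request Agent
    # purpose. Sorted newest first, which is also the one NDES itself prefers when several
    # valid candidates are present.
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object {
            $_.HasPrivateKey -and
            ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $AgentEku })
        } |
        Sort-Object NotBefore -Descending
}

function Backup-NdesServiceCertificate {
    param([string]$Destination, [string]$PfxPassword)
    $exported = @()
    foreach ($cert in Get-NdesServiceCertificate) {
        $pfx = Join-Path $Destination ("ndes-{0}.pfx" -f $cert.Thumbprint)
        # certutil -exportPFX writes certificate plus private key; the thumbprint selects the
        # certificate in the My store, and -p supplies the PFX password.
        & certutil.exe -p $PfxPassword -exportPFX My $cert.Thumbprint $pfx | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "certutil export failed for $($cert.Thumbprint)" }
        $exported += $pfx
    }
    if ($exported.Count -eq 0) { Write-Warning 'No service certificates found in LocalMachine\My' }
    return $exported
}

# Usage: write both backups to a dated folder. The PFX files contain private keys and
# must be protected at least as carefully as the NDES server itself.
$dest = Join-Path $env:ProgramData ("NDESBackup-{0:yyyyMMdd}" -f (Get-Date))
New-Item -ItemType Directory -Path $dest -Force | Out-Null
Backup-NdesRegistry -Destination $dest
Backup-NdesServiceCertificate -Destination $dest -PfxPassword (Read-Host 'PFX password')
```

If Get-NdesServiceCertificate returns nothing on a server upgraded from MSCEP, the certificates are most likely still in the CEP store described in the note above; either migrate them or adjust the store path in the function.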
NDES stores its configuration in the registry key `HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\MSCEP`.
Some of the registry keys and values described in the following table are not created during NDES setup. When a setting is not defined, NDES uses the default value listed in the table.
To change the NDES configuration, edit the registry settings by using Regedit.exe or Reg.exe, and then restart IIS. If a key or value does not exist, create it by using the name and data type listed in the following table.
| Key name \ Value name | Value data type | Default value | Description |
|---|---|---|---|
| CacheRequest \ CacheRequest | DWORD | 20 | Number of minutes that issued certificates are kept in the SCEP database. |
| CAInfo \ Configuration | String | Based on setup | Specifies the CA configuration string used in enterprise NDES deployments. The format is `<ComputerName>\<CAName>`. Empty in standalone NDES deployments, which use a local CA. |
| CAType \ CAType | DWORD | Based on setup | Identifies the type of CA that NDES is linked to. The value 1 means an enterprise CA; the value 0 means a stand-alone CA. |
| CertsInMyStore \ CertsInMyStore | DWORD | Not set | MSCEP for Windows Server 2003 uses a custom certificate store named CEP to store service certificates. After upgrading to NDES, you can continue to use the CEP certificate store or specify that service certificates are stored in the computer's MY certificate store. When set to 1, NDES uses the computer's MY certificate store. |
| DisableRenewalSubjectNameMatch \ DisableRenewalSubjectNameMatch | DWORD | Not set | Renewal requests can be authenticated by signing the renewal request with an existing device certificate instead of requesting a password from NDES. In the default configuration, NDES verifies that the subject name and subject alternative name in the signing certificate match the subject specified in the renewal request. When set to 0x1, the subject name and subject alternative name in the signing certificate may differ from the subject specified in the renewal request. |
| EnforcePassword \ EnforcePassword | DWORD | 1 | Defines whether passwords are required for enrollment requests. When set to 1, NDES requires a password for enrollment requests. When set to 0 (zero), passwords are not required. |
| HashAlgorithm \ HashAlgorithm | String | SHA1 | Accepted values are SHA1 and MD5. |
| PasswordLength \ PasswordLength | DWORD | 8 | Specifies the length of passwords generated by NDES. |
| PasswordMax \ PasswordMax | DWORD | 5 | Maximum number of issued passwords in the password cache. |
| PasswordValidity \ PasswordValidity | DWORD | 60 | Number of minutes a password is valid. |
| PasswordVDir \ PasswordVDir | String | Not set | The name of the virtual directory that can be used for password requests. If set, NDES accepts password requests only from the defined virtual directory. If the value is empty or not configured, NDES accepts password requests from any virtual directory. |
| RefreshPeriod \ RefreshPeriod | DWORD | 7 | Number of days that pending requests are kept in the NDES database. |
| SigningAndEncryptionTemplate | String | Not set | Specifies the certificate template name NDES uses to request a signing and encryption certificate for a device. If not set, NDES uses the IPSEC (Offline Request) certificate template. |
| SigningTemplate | String | Not set | Specifies the certificate template name NDES uses to request a signing certificate for a device. If not set, NDES uses the IPSEC (Offline Request) certificate template. |
| EncryptionTemplate | String | Not set | Specifies the certificate template name NDES uses to request an encryption certificate for a device. If not set, NDES uses the IPSEC (Offline Request) certificate template. |
| UseSinglePassword \ UseSinglePassword | DWORD | 0x0 | When set to 0x1, NDES issues only one password for all device certificate requests. When using a single password, it is recommended to increase the PasswordLength setting. |
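An added PowerShell example that reads the settings in the table above, substitutes the table's documented default wherever a value is not defined, and reports the settings that weaken enrollment security. This is not code from the original article. It assumes read access to HKLM on the NDES server, the subkey \ value layout shown in the table (with the three template names as values directly under MSCEP), and the key name RefreshPeriod for the refresh-period setting. Which settings are reported as weak is this example's judgement: passwords not enforced, MD5 hashing, renewal subject matching disabled, a single shared password that is also short, and password requests accepted from any virtual directory.

```powershell
# Added example, not part of the original article: audits the NDES registry configuration
# against the documented defaults and flags weak settings. Read-only; nothing is changed.

$NdesKey = 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP'

# Subkey name -> @(value name, documented default). $null stands for "Not set" in the table.
$Settings = @{
    'CacheRequest'                   = @('CacheRequest', 20)
    'CAType'                         = @('CAType', $null)
    'CertsInMyStore'                 = @('CertsInMyStore', $null)
    'DisableRenewalSubjectNameMatch' = @('DisableRenewalSubjectNameMatch', $null)
    'EnforcePassword'                = @('EnforcePassword', 1)
    'HashAlgorithm'                  = @('HashAlgorithm', 'SHA1')
    'PasswordLength'                 = @('PasswordLength', 8)
    'PasswordMax'                    = @('PasswordMax', 5)
    'PasswordValidity'               = @('PasswordValidity', 60)
    'PasswordVDir'                   = @('PasswordVDir', $null)
    'RefreshPeriod'                  = @('RefreshPeriod', 7)
    'UseSinglePassword'              = @('UseSinglePassword', 0)
}

function Get-NdesSetting {
    param([string]$SubKey, [string]$ValueName, $Default)
    $path = Join-Path $NdesKey $SubKey
    if (Test-Path $path) {
        $item = Get-ItemProperty -Path $path -Name $ValueName -ErrorAction SilentlyContinue
        if ($item -ne $null -and $item.$ValueName -ne $null) { return $item.$ValueName }
    }
    return $Default   # value not defined: NDES behaves as the table's default says
}

function Get-NdesConfiguration {
    $config = @{}
    foreach ($subKey in $Settings.Keys) {
        $valueName, $default = $Settings[$subKey]
        $config[$subKey] = Get-NdesSetting -SubKey $subKey -ValueName $valueName -Default $default
    }
    $config['CAConfiguration'] = Get-NdesSetting -SubKey 'CAInfo' -ValueName 'Configuration' -Default ''
    # The template names are values directly under MSCEP; an unset name falls back to
    # IPSEC (Offline Request), as the table documents.
    $root = Get-ItemProperty -Path $NdesKey -ErrorAction SilentlyContinue
    foreach ($t in 'EncryptionTemplate', 'SigningTemplate', 'SigningAndEncryptionTemplate') {
        $v = $root.$t
        if ([string]::IsNullOrEmpty($v)) { $v = 'IPSEC (Offline Request)' }
        $config[$t] = $v
    }
    return $config
}

function Get-NdesWeakSetting {
    param([hashtable]$Config)
    $findings = @()
    if ([int]$Config['EnforcePassword'] -eq 0) {
        $findings += 'EnforcePassword=0: enrollment requests are accepted without a challenge password.'
    }
    if ($Config['HashAlgorithm'] -eq 'MD5') {
        $findings += 'HashAlgorithm=MD5: SHA1, the default, is the stronger of the two accepted values.'
    }
    if ([int]$Config['DisableRenewalSubjectNameMatch'] -eq 1) {
        $findings += 'DisableRenewalSubjectNameMatch=1: a renewal signed by one device certificate may name a different subject.'
    }
    if ([int]$Config['UseSinglePassword'] -eq 1) {
        $findings += 'UseSinglePassword=1: one password covers all device requests; the article recommends raising PasswordLength.'
        if ([int]$Config['PasswordLength'] -le 8) {
            $findings += "PasswordLength=$($Config['PasswordLength']) is short for a single shared password."
        }
    }
    if ([string]::IsNullOrEmpty($Config['PasswordVDir'])) {
        $findings += 'PasswordVDir not set: password requests are accepted from any virtual directory.'
    }
    return $findings
}

# Usage: print the effective configuration, then any findings.
$cfg = Get-NdesConfiguration
$cfg.GetEnumerator() | Sort-Object Name | Format-Table Name, Value -AutoSize
$issues = @(Get-NdesWeakSetting -Config $cfg)
if ($issues.Count -eq 0) { 'No weak settings found.' } else { $issues | ForEach-Object { "WARNING: $_" } }
```

Because the script reports the effective value rather than only what is defined in the registry, an absent EnforcePassword value is correctly shown as 1, and an absent HashAlgorithm as SHA1, matching how NDES itself behaves according to the table.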
