SCEP Server Configuration
The Certificate Management Tool can support the Network Device Enrolment Service (NDES) on the following operating systems:
- Windows Server 2022 Standard/Datacenter (64-bit)
- Windows Server 2022 R2 Standard/Datacenter (64-bit)
SCEP functionality has been tested with Microsoft's Certificate Authority with Network Device Enrolment Services (NDES) installed. For the SCEP calls to function, you must disable password enforcement by updating the following registry key on the Certificate Authority Server:
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\MSCEP\EnforcePassword\EnforcePassword = 0
When creating certificates for the device, they should be created using a webserver certificate template. If the certificate is created with the wrong intended purpose (it should be "Server Authentication"), it will fail to work with the application it is associated with (e.g. not being able to log into the device when a certificate that is not for "Server Authentication" is associated with SSL).
Follow these instructions to configure NDES to hand out WebServer certificates for SCEP requests:
- Open Registry Editor on the CA and navigate to HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\MSCEP.
- Change the values of the following registry keys to the name of the template:
  - EncryptionTemplate
  - GeneralPurposeTemplate
  - SignatureTemplate
- The values for these keys should be set to the name of the web server template (do not confuse the web server template name with the web server template display name).
Configuring Internet Information Services (IIS)
By default, IIS 10 security is too restrictive to permit the devices to enroll via SCEP.
For the Certificate Management Tool, the IIS configuration must be updated using the command below (the default maxQueryString is 2048):
%systemroot%\system32\inetsrv\appcmd.exe set config /section:system.webServer/security/requestFiltering /requestLimits.maxQueryString:"4096" /commit:apphost
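As an added example (not part of the original documentation or the vendor's tooling), the following PowerShell script reports whether the MSCEP registry values and the IIS maxQueryString limit match the settings described above and, when run with -Apply, sets them. The template name 'WebServerSCEP' and the parameter names are assumptions; substitute the template name (not the display name) of your own web server template.

```powershell
# Added example: audit (and optionally apply) the NDES settings this page describes.
# Run in an elevated PowerShell session on the server hosting NDES and IIS.
param(
    [string]$TemplateName = 'WebServerSCEP',   # assumed placeholder; use your template's name
    [switch]$Apply                             # without -Apply the script only reports drift
)

$mscep = 'HKLM:\Software\Microsoft\Cryptography\MSCEP'
# "registry path|value name" => expected value, as documented above.
$expected = @{
    "$mscep\EnforcePassword|EnforcePassword" = 0              # 0 = SCEP challenge password not enforced
    "$mscep|EncryptionTemplate"              = $TemplateName
    "$mscep|GeneralPurposeTemplate"          = $TemplateName
    "$mscep|SignatureTemplate"               = $TemplateName
}

$drift = @()
foreach ($entry in $expected.GetEnumerator()) {
    $path, $name = $entry.Key -split '\|'
    $current = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
    if ("$current" -ne "$($entry.Value)") {
        $drift += [pscustomobject]@{ Setting = "$path\$name"; Current = $current; Expected = $entry.Value }
        if ($Apply) {
            if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
            Set-ItemProperty -Path $path -Name $name -Value $entry.Value
        }
    }
}

# IIS request filtering: the page raises maxQueryString from the default 2048 to 4096
# so that the SCEP GET requests sent by the devices are not rejected.
Import-Module WebAdministration
$filter = 'system.webServer/security/requestFiltering/requestLimits'
$maxQs  = (Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter $filter -Name 'maxQueryString').Value
if ($maxQs -ne 4096) {
    $drift += [pscustomobject]@{ Setting = 'IIS requestLimits.maxQueryString'; Current = $maxQs; Expected = 4096 }
    if ($Apply) {
        Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter $filter -Name 'maxQueryString' -Value 4096
    }
}

if ($drift) { $drift | Format-Table -AutoSize } else { 'NDES configuration matches the documented settings.' }
```

Running the script without -Apply before and after the manual steps on this page gives a quick record of which settings were changed.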
Create a private key certificate for SCEP
- Click [Start], type "mmc" in the [Search programs and files] box, and then press the Enter key.
- Select [File] → [Add/Remove Snap-in]. Select [Certificates], and then click [Add].
- Select [Computer Account], click [Finish], and then click [OK].
- Expand [Certificates (Current User)] and select [Personal].
- Right-click in the main window and select [All Tasks] → [Request New Certificate].
- Create a new User certificate.
- Select the new certificate, right-click, and select [All Tasks] → [Export].
- Export with the private key included in PKCS #12 format and password-protect it.
- Save the file where it can be accessed by the Certificate Management Tool.