Use this guide to configure Outbound Simple Certificate Enrollment Protocol (SCEP) settings in a SecureAuth IdP realm.
The Network Device Enrollment Service (NDES) allows software on network and other devices that run without domain credentials to obtain certificates based on SCEP.
SecureAuth IdP supports both Outbound SCEP calls and Inbound SCEP calls from MobileIron.
Outbound SCEP Calls are made when an on-premises Certificate Authority (CA) is being utilized to issue certificates rather than the SecureAuth IdP Cloud Services. A user requests a certificate from SecureAuth IdP to access an application or VPN, and SecureAuth IdP then calls to the on-premises CA via SCEP to receive the certificate to provide access.
1. Have the Issuing CA running on Windows 2008 Enterprise edition
2. Have a pre-installed and functional SCEP / NDES service
3. The CA's root and intermediate certificate distribution points should be available to all clients (internal and / or external) to enable access to the AIA and CDP files (CRT and CRL files)
4. Have the SCEP / NDES Listener URL for SecureAuth IdP configuration
5. Access to the SecureAuth IdP Web Admin and all Realms requiring Outbound SCEP configuration
Issuing Certificate Authority Configuration Steps
1. Enable Auto Enrollment by opening the Certificate Authority from the Start menu
2. Right-click the Issuing Certificate Name and click Properties
3. In the new window, click the Policy Module tab, and then click Properties
4. Select Follow the settings in the certificate template... and click OK
The SCEP / NDES server uses a single certificate template to issue all end-user certificates. To select which certificate template to use, complete the following steps.
5. Open the Registry Editor on the CA and go to HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\MSCEP
6. Change the values of the following registry keys to a common Template Name, e.g. SecureAuth
The Template Name will appear under the Data field, as shown in the image
Use the Template Name, which is the name without spaces
There is also a Template Display Name, but it should not be used here
7. Start a Command Prompt with Admin privileges on the SCEP server (Start, Cmd, Right Click, Run as Admin)
8. Type iisreset and press Enter to restart the IIS server
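The same registry change and IIS restart, as an added PowerShell example that is not part of the SecureAuth guide. It assumes the three template value names NDES reads under the MSCEP key (EncryptionTemplate, GeneralPurposeTemplate and SignatureTemplate) and uses the guide's example template name SecureAuth; it refuses a name containing spaces, which is the Display Name mistake the guide warns about.

```powershell
# Added example, not from the SecureAuth guide. Run in an elevated PowerShell
# session on the SCEP / NDES server.
# Assumption: NDES reads its template from these three values under MSCEP.
$TemplateName = 'SecureAuth'   # Template Name (no spaces), not the Display Name
$MscepPath    = 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP'
$ValueNames   = 'EncryptionTemplate', 'GeneralPurposeTemplate', 'SignatureTemplate'

# Guard against the common mistake of pasting the Template Display Name
if ($TemplateName -match '\s') {
    throw "Template Name must not contain spaces; use the Template Name, not the Display Name."
}

# Point all three NDES template values at the single template
foreach ($name in $ValueNames) {
    Set-ItemProperty -Path $MscepPath -Name $name -Value $TemplateName -Type String
}

# Show the resulting Data values for review before restarting
Get-ItemProperty -Path $MscepPath | Select-Object $ValueNames

# Restart IIS so the NDES application reloads its configuration (step 8)
iisreset
```

Reviewing the three values before the restart is worth the extra line: NDES reads the template name at load time, so a typo only surfaces later as a failed enrollment rather than as an error on this server.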
Certificate Template Configuration
Here is an example of the appropriate settings in a Windows 2008 Enterprise Certificate Template
Windows Server 2003 Enterprise and Windows 2008 Enterprise Certificate Templates can be used
The SCEP / NDES server can only use a single certificate template, so the type of certificate delivered to the end user is limited to the settings defined in that template
This includes the key length and algorithm used, the certificate validity period, the Application Policy, etc.
The certificate key length must be the same in both the SCEP and SecureAuth IdP server configurations (1024 or 2048). A mismatch on either side will cause issues in delivering the certificate properly.
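A check for the key-length mismatch described above, as an added PowerShell example that is not from the SecureAuth guide. It assumes NDES takes its template from the GeneralPurposeTemplate value under the MSCEP key, that the template's minimum key size is stored in the Active Directory attribute msPKI-Minimal-Key-Size, and that $IdPKeyLength is the value chosen in the SecureAuth IdP realm configuration.

```powershell
# Added example, not from the SecureAuth guide. Run on the SCEP / NDES server
# as a domain user that can read the Configuration partition.
# Assumption: $IdPKeyLength mirrors the key length configured in the IdP realm.
$IdPKeyLength = 2048
$MscepPath    = 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP'

# Which template will NDES actually use? (assumption: GeneralPurposeTemplate)
$TemplateName = (Get-ItemProperty -Path $MscepPath).GeneralPurposeTemplate
if (-not $TemplateName) { throw "No template configured under $MscepPath" }

# Templates live in the Configuration partition; read the one NDES references
$configNC = [string]([ADSI]'LDAP://RootDSE').configurationNamingContext
$templateDN = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$template   = [ADSI]"LDAP://$templateDN"
$templateKeySize = [int]$template.Properties['msPKI-Minimal-Key-Size'].Value

if ($templateKeySize -ne $IdPKeyLength) {
    Write-Warning ("Key length mismatch: template '{0}' requires {1}, IdP realm is set to {2}" -f
        $TemplateName, $templateKeySize, $IdPKeyLength)
} else {
    Write-Output ("Key length OK: template '{0}' and IdP realm both use {1}" -f
        $TemplateName, $IdPKeyLength)
}
```

Running this after any template edit catches the mismatch on the server, where it is cheap to fix, instead of at the first user enrollment, where it shows up only as a certificate that is never delivered.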
SCEP / NDES Server Configuration Steps
1. Disable SCEP Enforce Password by updating the following registry key / value pair in the SCEP / NDES server: