
Simple Certificate Enrollment Protocol (SCEP)

Simple Certificate Enrollment Protocol (SCEP) is a protocol used for automated certificate enrollment and management. In MDM it is used mainly for certificate-based authentication: access to services such as Wi-Fi and VPN, and the signing and encryption of e-mail, is secured with a client certificate issued to the device or user.

The major advantages of certificate-based authentication are:

  • No user intervention: users and devices are authenticated by their certificates rather than by passwords typed at each connection.
  • Secure network communication: the traffic is encrypted and both endpoints are authenticated using the certificates.

However, distributing certificates manually is a cumbersome task for IT administrators in large organizations. With SCEP, devices request and install their certificates automatically, which gives administrators a simple and scalable way of handling certificates at scale. Note the difference between the two policies: the SCEP policy distributes client (device or user) certificates, obtained from the CA through the SCEP server, while the Certificate policy pushes CA certificates to devices.

Pre-requisites

Configure Certificate Template
  1. Click on Start Menu, select Run, type mmc and click OK.
  2. Click File and select Add/Remove Snap-in.... Select Certificate Templates, click Add and then click OK.
  3. Right-click Certificate Templates and select Manage.
  4. Right-click the User template and select Duplicate Template.
  5. Specify a Template display name and save it by clicking OK. Note the Template name as well (it defaults to the display name with the spaces removed); NDES is configured with this name, not with the display name.
  6. Click on Extensions, select Application Policies, click Edit and add Client Authentication to the application policies.
  7. Click on Cryptography and specify the Minimum key size. The recommended key size is 2048 bits. Note the value: the same key size must be specified in the MDM server while configuring SCEP, because the CA rejects requests whose key is shorter than the template minimum.
  8. Click on Security and grant Read and Enroll permissions to the NDES service account (the account that runs the NDES application pool); device requests are submitted to the CA by NDES, not by the end user. Avoid granting Enroll to broad groups: because the subject is supplied in the request (next step), anyone with Enroll on this template can request a certificate for an arbitrary subject name.
  9. Click on Subject Name and select Supply in the request, so that the subject name is taken from the certificate request sent by the device.
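The following PowerShell script is an added example; it is not part of the original page or of the MDM vendor's own tooling. Run it on a domain-joined machine with the RSAT ActiveDirectory module to read the duplicated template back from Active Directory and confirm the settings made in the steps above (key size, Client Authentication EKU, subject supplied in the request), and to list every principal that holds Enroll on the template. The template display name MDM SCEP Client is an assumption; replace it with the name you chose.

```powershell
# Added example: check the template created above straight from Active Directory.
# Assumes the RSAT ActiveDirectory module and a template display name of
# "MDM SCEP Client" (hypothetical; adjust to your own).
Import-Module ActiveDirectory

$TemplateDisplayName     = 'MDM SCEP Client'
$ClientAuthOid           = '1.3.6.1.5.5.7.3.2'                          # Client Authentication EKU
$EnrollRightGuid         = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55' # Certificate-Enrollment extended right
$EnrolleeSuppliesSubject = 1   # CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT bit in msPKI-Certificate-Name-Flag

$configNc = (Get-ADRootDSE).configurationNamingContext
$tpl = Get-ADObject -SearchBase "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc" `
    -Filter { displayName -eq $TemplateDisplayName } `
    -Properties displayName, 'msPKI-Minimal-Key-Size', 'msPKI-Certificate-Name-Flag',
                pKIExtendedKeyUsage, nTSecurityDescriptor
if (-not $tpl) { throw "Template '$TemplateDisplayName' not found in AD" }

# Steps 6, 7 and 9 above, read back from the template object.
$checks = [ordered]@{
    'Minimum key size is at least 2048'  = ([int]$tpl.'msPKI-Minimal-Key-Size' -ge 2048)
    'Client Authentication EKU present'  = ($tpl.pKIExtendedKeyUsage -contains $ClientAuthOid)
    'Subject is supplied in the request' = (([int]$tpl.'msPKI-Certificate-Name-Flag' -band $EnrolleeSuppliesSubject) -ne 0)
}
"Template: $($tpl.Name) (display name '$($tpl.displayName)')"
foreach ($c in $checks.GetEnumerator()) {
    '{0,-38} {1}' -f $c.Key, $(if ($c.Value) { 'OK' } else { 'FAIL' })
}

# Step 8: who may enroll. Because the subject comes from the request, every
# principal listed here can ask for a certificate with any subject name, so
# the list should contain little more than the NDES service account.
"`nPrincipals allowed to enroll:"
$GenericAll    = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$ExtendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$tpl.nTSecurityDescriptor.Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and (
            (($_.ActiveDirectoryRights -band $GenericAll) -eq $GenericAll) -or
            ((($_.ActiveDirectoryRights -band $ExtendedRight) -ne 0) -and
             ($_.ObjectType -eq $EnrollRightGuid -or $_.ObjectType -eq [guid]::Empty))
        )
    } |
    Select-Object IdentityReference, ActiveDirectoryRights |
    Format-Table -AutoSize
```

An empty ObjectType on an ExtendedRight ACE means "all extended rights", which includes Enroll, and GenericAll includes everything, so both are listed alongside explicit Enroll grants.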

Map Certificate Template to SCEP
  1. Add the Certification Authority snap-in in the Microsoft Management Console (MMC).
  2. Expand the Certification Authority node and right-click Certificate Templates. Click New and select Certificate Template to Issue.
  3. Select the Certificate Template created before and click OK.

    NDES issues certificates from the templates named in the Windows registry, so the default template names must be changed to the new template.

  4. Click on Start Menu, select Run, type regedit and click OK.
  5. Expand HKEY_LOCAL_MACHINE -> SOFTWARE -> Microsoft -> Cryptography -> MSCEP.
  6. Right-click EncryptionTemplate and click Modify.
  7. Enter the Template name (not the display name) of the created Certificate Template as the Value data. Repeat the same for GeneralPurposeTemplate and SignatureTemplate. Restart the server once for the changes to take effect.

Prevent challenge password expiry

By default NDES generates a fresh challenge password for each enrollment and each password expires after a short time, which does not suit an MDM profile that has to carry one fixed password. If you are using a challenge password (recommended over disabling the challenge entirely), change the registry so that a single, non-expiring password is used.

  1. Open regedit and expand HKEY_LOCAL_MACHINE -> SOFTWARE -> Microsoft -> Cryptography -> MSCEP -> UseSinglePassword.
  2. Right-click the UseSinglePassword value and change its data to 1.

    Keep in mind that this turns the challenge into one long-lived shared secret: anyone who obtains it (for example from a leaked profile or from the mscep_admin page) can enroll certificates with any subject the template allows. Restrict access to mscep_admin, serve it over HTTPS, and keep the Enroll permission on the template tight.

    After configuration is complete, restart the NDES server.
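The script below is an added example, not part of the original page, that performs the registry changes from the two procedures above (template mapping and UseSinglePassword) from an elevated PowerShell prompt on the NDES server and reads them back for verification. The template name MDMSCEPClient is hypothetical; use the Template name (not the display name) of the template you created.

```powershell
# Added example: the registry changes from the two procedures above, applied
# from an elevated PowerShell prompt on the NDES server and read back for
# verification. The template name "MDMSCEPClient" is hypothetical; use the
# Template name (not the display name) of the template you created.
$TemplateName = 'MDMSCEPClient'
$Mscep        = 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP'
$Slots        = 'EncryptionTemplate', 'GeneralPurposeTemplate', 'SignatureTemplate'

# Map all three NDES template slots to the new template.
foreach ($slot in $Slots) {
    Set-ItemProperty -Path $Mscep -Name $slot -Value $TemplateName -Type String
}

# Use one fixed, non-expiring challenge password. This trades per-request
# passwords for a single long-lived shared secret: anyone who obtains it can
# enroll certificates with any subject the template allows, so protect
# mscep_admin and the MDM profile that carries the password.
$singleKey = Join-Path $Mscep 'UseSinglePassword'
if (-not (Test-Path $singleKey)) { New-Item -Path $singleKey | Out-Null }
Set-ItemProperty -Path $singleKey -Name 'UseSinglePassword' -Value 1 -Type DWord

# Read back what NDES will see after the restart.
$cfg = Get-ItemProperty -Path $Mscep
foreach ($slot in $Slots) {
    $ok = ($cfg.$slot -eq $TemplateName)
    '{0,-24} {1,-20} {2}' -f $slot, $cfg.$slot, $(if ($ok) { 'OK' } else { 'MISMATCH' })
}
$single = (Get-ItemProperty -Path $singleKey -Name 'UseSinglePassword').UseSinglePassword
'{0,-24} {1,-20} {2}' -f 'UseSinglePassword', $single, $(if ($single -eq 1) { 'OK' } else { 'NOT SET' })

# NDES reads these values at startup. The page recommends restarting the
# server; restarting IIS is usually sufficient.
iisreset
```

If a slot prints MISMATCH, the value was most likely set to the template's display name; NDES will then fail requests because it cannot find a template of that name.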

Configuring SCEP in MDM

  1. The value for Subject should be in LDAP DN format, for example CN=%username%,OU=Users,DC=example,DC=com.
  2. You can verify server details such as the enrollment challenge password and the CA thumbprint at http://<your-server>/CertSrv/mscep_admin, and check that the SCEP endpoint itself responds at http://<your-server>/CertSrv/mscep/mscep.dll. The mscep_admin page displays the current challenge password to anyone who can authenticate to it, so limit who can reach it and prefer HTTPS.
  3. Allow Full Control permission to the account used to run NDES on the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MSCEP registry key. This step is only required if you have installed the NDES hotfix KB959193.
  4. If the SCEP server is unreachable, try opening http://<your-server>/CertSrv/mscep/mscep.dll from the device. If the URL cannot be reached, connect the device to the local Wi-Fi so that it can reach the server, open the URL again, and then distribute the profile.
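As an added example (not from the original page), the PowerShell script below exercises the NDES endpoint the way a device does before you distribute the profile: it checks reachability and the advertised capabilities, downloads the CA certificate bundle with GetCACert, and prints the SHA-1 thumbprint of the CA certificate, which is the value the Thumbprint (Hash Value) field of the profile expects. The host name ndes.example.com is hypothetical.

```powershell
# Added example: exercise the NDES endpoint from a client and derive the CA
# thumbprint for the SCEP profile. The host name ndes.example.com is hypothetical.
Add-Type -AssemblyName System.Security   # SignedCms (PKCS#7) parser

$ScepUrl = 'http://ndes.example.com/CertSrv/mscep/mscep.dll'

# 1. Reachability and capabilities. GetCACaps returns a plain-text list; a
#    server that does not advertise SHA-256 and POSTPKIOperation will be
#    negotiating weaker algorithms with the devices.
try {
    $caps = (Invoke-WebRequest -Uri "$ScepUrl?operation=GetCACaps&message=ca" -UseBasicParsing).Content
} catch {
    throw "SCEP server unreachable at $ScepUrl : $($_.Exception.Message)"
}
"CA capabilities:`n$caps`n"

# 2. GetCACert. NDES normally returns a degenerate PKCS#7 (application/x-x509-ca-ra-cert)
#    carrying the CA certificate and the RA (exchange and signing) certificates;
#    a CA without an RA returns a single DER certificate, so handle both.
$tmp = [System.IO.Path]::GetTempFileName()
Invoke-WebRequest -Uri "$ScepUrl?operation=GetCACert&message=ca" -UseBasicParsing -OutFile $tmp
$bytes = [System.IO.File]::ReadAllBytes($tmp)
Remove-Item $tmp

try {
    $cms = New-Object System.Security.Cryptography.Pkcs.SignedCms
    $cms.Decode($bytes)
    $certs = @($cms.Certificates)
} catch {
    $certs = @(New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$bytes))
}

# 3. Pick out the CA certificate: it is the one with basicConstraints cA=TRUE.
#    Its SHA-1 thumbprint is the value for the Thumbprint (Hash Value) field;
#    the other entries are the RA certificates NDES uses to sign and decrypt.
$certs | ForEach-Object {
    $bc   = $_.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.19' }
    $isCa = [bool]($bc -and $bc.CertificateAuthority)
    [pscustomobject]@{
        Subject        = $_.Subject
        IsCA           = $isCa
        SHA1Thumbprint = $_.Thumbprint
        NotAfter       = $_.NotAfter
    }
} | Format-Table -AutoSize
```

Compare the IsCA row's thumbprint with what mscep_admin shows; a mismatch means the device is not talking to the CA you think it is, which is exactly the case the Thumbprint field is meant to catch.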

Profile Description

SCEP Configuration Name
    The user-defined configuration name, used to refer to this configuration in other configurations such as Wi-Fi, VPN, etc.

SCEP SETTINGS

Server URL
    The URL the device uses to request its certificate. Use the plain HTTP server URL only if the SCEP server is reachable from within the organization network and not exposed to external networks. SCEP encrypts the enrollment request itself (including the challenge password) to the CA's certificate, but the initial download of the CA certificate over plain HTTP is not otherwise authenticated, which is what the Thumbprint field below is for.
    For NDES, the server URL format is: http://<your-server>/CertSrv/mscep/mscep.dll

Subject
    The subject name to put in the certificate request. Use the placeholders %username%, %email%, %domainname% and %devicename% to fill in the corresponding details of the user or device.

Thumbprint (Hash Value)
    The thumbprint (SHA-1 fingerprint) of the CA certificate. The device compares it with the CA certificate it downloads from the Server URL before enrolling, so that a spoofed server cannot substitute its own CA; this matters most when the Server URL is plain HTTP. The value is shown at https://<your-server>/CertSrv/mscep_admin.

Key Usage
    Whether the key is to be used for Digital Signature, Key Encipherment or both.

Subject Alternative Name Type
    The type of alternative name to include in the certificate (RFC 822 Name, DNS Name, URI or UPN):
      • RFC 822 Name: an e-mail address. Example: user_name@domain.com
      • Domain Name System (DNS) Name: the host name of a system, service or other resource. Example: server-name.domain.com
      • Uniform Resource Identifier (URI): a resource identifier; covers both URLs and URNs. Example: ftp://domain.com/user.txt
      • User Principal Name (UPN): the user's logon name in Active Directory, in a format similar to an e-mail address. Example: user_name@domain.com

Subject Alternative Name Value
    (Can be configured only if Subject Alternative Name Type is configured) The value for the chosen alternative name type.

Maximum Number of Failed Attempts
    Number of times the device retries obtaining the certificate from the CA.

Time interval between attempts
    Time to wait before the next attempt to obtain the certificate.

Challenge Type
    Whether a challenge password is used. The challenge password is a pre-shared secret issued by the CA (for NDES, shown on the mscep_admin page) that the device must present in its request; it adds a layer of authentication on top of the template permissions.

Enrollment Challenge Password
    (Can be specified only if Challenge Type is Static) The challenge password to be used; it can be obtained as described in step 2 under Configuring SCEP in MDM.

Key Size
    Whether the key is 1024 or 2048 bits. Use 2048: 1024-bit RSA keys are deprecated as too weak, and the CA rejects requests below the Minimum key size set on the template.