Installing SCEP with custom Certificate Template
Hi:
I'm installing the SCEP certificate role on a Windows Server 2008 R2 machine, and I wondered if I can use my custom templates for the service certificates instead of the default ones:
Exchange Enrollment Agent (Offline request)
CEP Encryption
So after looking here: http://blogs.technet.com/b/askds/archive/2008/04/28/configuring-network-device-enrollment-service-for-windows-server-2008-with-custom-certificates.aspx
and here: http://social.technet.microsoft.com/Forums/en-US/winservergen/thread/b46a637b-2401-4e32-aaa0-cce5e09b6f81
It turns out that others tried to play around and faced difficulties, and came to believe that the certificate templates that SCEP uses are hardcoded, and you cannot deploy your own certificates with your custom templates!
And after reading the Microsoft SCEP Implementation whitepaper, they declared it in the middle of the paper: "These certificate templates are hard-coded to the Network Device Enrollment Service setup and cannot be modified."
The strange thing is that in the same white paper there was a section named "Setting Up New Templates for the Service Certificates", and this is a section from the white paper:
"The service uses two certificates. The encryption certificate is based on the “CEPEncryption” template, and the signature certificate is based on the “Exchange Enrollment Agent (Offline Request)” template. Since these are version 1 templates, they cannot be modified.
If the PKI administrator wants to change any of the service certificate templates, new ones will need to be created and enrolled.
It is recommended that the default template be duplicated and the duplicated templates be used for enrollment."
So, I tried to duplicate the built-in certificate templates, enroll new certificates, put them in the computer store of the SCEP server, delete the old ones, and nothing worked.
So, anyone got an idea if we can use custom templates for the SCEP service account templates!?!
ammarhasayen
December 17th, 2010 3:39pm
Yes, you can.
For the initial enrollment, you use the default certificate templates (as discussed in the whitepaper).
You can then enroll the two other certificates manually.
One certificate is enrolled as the machine, the other is enrolled as the NDES service account (cannot remember which is which, but one is done by the service account).
The one that was enrolled by the service account must be exported and then imported into the local machine store.
Finally, you must set permissions on both so that the NDES service account has Read permissions on both private keys through key permissions.
Brian
December 18th, 2010 8:33am
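A way to verify the last step of Brian's answer on the NDES server, added here as an example that is not part of the thread: it lists the service certificates in the local machine store with their template extension and checks whether the NDES service account has Read on each private key file. It assumes CAPI (CSP) keys stored under MachineKeys, and the account name and template pattern are placeholders to replace.

```powershell
# Added example, not from the thread. Run on the NDES server in an elevated
# PowerShell session. Placeholders below must be replaced for your environment.
$ndesAccount     = 'CONTOSO\svc_ndes'              # placeholder: NDES service account
$templatePattern = 'EnrollmentAgent|CEPEncryption' # placeholder: matches your (duplicated) template names
$templateOids    = @('1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7')  # v1 and v2+ template extensions
$readRight       = [System.Security.AccessControl.FileSystemRights]::Read

function Get-TemplateName($cert) {
    # Return the template name (v1) or "Template=..." info (v2+) from the certificate.
    foreach ($ext in $cert.Extensions) {
        if ($templateOids -contains $ext.Oid.Value) { return $ext.Format($false) }
    }
    return '(no template extension)'
}

function Test-KeyReadAccess($cert, $account) {
    # Locate the CSP key container file and check for an Allow ACE granting Read.
    if (-not $cert.HasPrivateKey) { return 'NO PRIVATE KEY in this store' }
    try { $info = $cert.PrivateKey.CspKeyContainerInfo }
    catch { return 'private key not readable as a CSP key (CNG key or access denied)' }
    $keyDir  = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'
    $keyFile = Join-Path $keyDir $info.UniqueKeyContainerName
    if (-not (Test-Path $keyFile)) { return "key file not found: $keyFile" }
    $ace = (Get-Acl $keyFile).Access | Where-Object {
        $_.IdentityReference.Value -eq $account -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $readRight) -eq $readRight)
    }
    if ($ace) { return "Read OK for $account" } else { return "MISSING Read for $account" }
}

Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $tpl = Get-TemplateName $_
    if ($tpl -match $templatePattern) {
        "{0}`n  Template:   {1}`n  Key access: {2}" -f $_.Subject, $tpl, (Test-KeyReadAccess $_ $ndesAccount)
    }
}
```

A certificate that appears only in the service account's user store (the case Brian describes) will not be listed until it has been exported and imported into the machine store.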
So I can duplicate the default templates and use my own templates if I consider your notes? Right?
ammarhasayen
December 18th, 2010 9:42am
Yes. You would duplicate for one of two reasons:
1) Extend the lifetime of the certificates
2) Implement an HSM to protect the private keys of the certificates
Brian
December 18th, 2010 10:40am
Hi Brian,
I'm presently facing the same issue of manually enrolling custom NDES service certificate templates to replace the default ones.
I've successfully set up and tested the NDES service using the default templates.
I've assigned my custom templates to the enterprise CA.
When I attempt to enroll the custom service certificates from the RA, only the custom Exchange Enrollment Agent (Offline request) certificate appears (in the user account > Personal > Certificates store) for enrollment, and it requires additional information to complete the enrollment. What additional info?
I cannot locate the CEP Encryption certificate anywhere; you mention that it's available for enrollment from the service account store but have not stated the sub-location.
Can you please direct me to the correct location from which I can enroll the custom CEP Encryption certificate and how to move it to the local computer store?
Thank you,
Desmond
May 27th, 2011 12:15pm