Is it possible to use a different CA than Microsoft CA with Network Device Enrollment Service
Hi, I have been looking at the possibility of using a different CA other than Microsoft CA with NDES. It's not because Microsoft CA is no good, it's because the CA I am looking to integrate also provides other services like digital signature creation, verification etc., hence it makes one stop for clients to generate end user certificates, signing, device certificates etc. I am analyzing this for both SCEP based enrollment and renewing. I have read the white paper (http://www.scribd.com/doc/31941679/Microsoft-SCEP-Implementation-Whitepaper#outer_page_14) and also the details of the ICertRequest interface on MSDN. My assumption is that if ONLY this interface is implemented and installed on the machine running NDES, then via this I can communicate with any other CA, get the generated certificate and return it back to NDES. Is this technically possible? If yes, are there any other interfaces to be implemented? If not, then this means that the only way is to get the CA to implement SCEP just like Microsoft has done it :(
Regards, Wahaj
June 8th, 2012 8:45am

A 3rd party CA must implement the MS-WCCE communication protocol (which includes an ICertRequest interface implementation).
My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
Windows PKI reference: on TechNet wiki
June 8th, 2012 9:43am

Hi, SCEP enables network devices to enroll for X.509 version 3 certificates from a CA. The ASA can proxy SCEP requests between AnyConnect and a third-party CA. The ASA supports SCEP-Proxy for AnyConnect clients. For more information, I would also like to suggest you refer to the link below: Unified Device Authentication and Consistent Access Experience http://www.cisco.com/en/US/docs/solutions/Enterprise/Borderless_Networks/Unified_Access/UA_Security.html
Regards, Yan Li
Yan Li TechNet Community Support
June 11th, 2012 2:32am

The topic starter asked about NDES usage with a non-Windows CA. NDES communicates with the CA by using the MS-WCCE protocol (as said in the previous post). SCEP is used only for communications between the device and NDES (which actually implements SCEP).
June 11th, 2012 3:16am

Thanks Vadims. Looks like it would be a tough call for the CA integrator. Unfortunately the CA was written in Java, hence it won't be easy. I am not an MS-WCCE expert so I'm not sure how much to implement, but my gut feeling says that it will be a lot to implement, and implementing SCEP with an open source API and making a new RA outweighs implementing the MS-WCCE interface which bridges between NDES and the CA.
June 11th, 2012 4:36am

You need to contact your CA vendor to identify which communication protocols they support and find an appropriate SCEP server (there are a few open-source Java-based SCEP servers which you can try) which supports these protocols. As Windows CA implements only MS-WCCE, any SCEP server MUST use it for communications with the CA. MS-WCCE protocol (it is an open-source protocol) details can be found here: http://msdn.microsoft.com/en-us/library/cc249879(PROT.10).aspx
June 11th, 2012 5:55am
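To make the boundary discussed in this thread concrete, here is an added example (not from any poster) of what the NDES-side of MS-WCCE looks like: a PKCS#10 request is handed to an AD CS CA through the ICertRequest2 COM object and the issued certificate is read back. A third-party CA would have to answer these same Submit/GetCertificate calls. The CA config string and file paths are assumed placeholders.

```powershell
# Added example: exercise the ICertRequest2 (MS-WCCE) interface that NDES uses
# towards the CA. The config string and paths below are assumed placeholders.
$Config  = 'ca01.example.internal\Example Issuing CA'   # assumed "host\CA common name"
$CsrPath = 'C:\temp\device.csr'                          # assumed PEM-encoded PKCS#10
$OutPath = 'C:\temp\device.cer'

# ICertRequest constants from CertCli.h
$CR_IN_BASE64HEADER       = 0x0     # request is PEM-armoured base64
$CR_IN_PKCS10             = 0x100   # request format is PKCS#10
$CR_OUT_BASE64HEADER      = 0x0     # return the certificate PEM-armoured
$CR_DISP_ISSUED           = 3
$CR_DISP_UNDER_SUBMISSION = 5       # CA policy holds the request for approval

function Submit-CertRequest {
    param([string]$Csr, [string]$CaConfig)

    $request = New-Object -ComObject CertificateAuthority.Request   # ICertRequest2

    # Submit() is the call NDES makes for every SCEP PKCSReq it accepts.
    # No request attributes are passed here; NDES would add the template name.
    $disposition = $request.Submit($CR_IN_BASE64HEADER -bor $CR_IN_PKCS10, $Csr, '', $CaConfig)

    $result = [pscustomobject]@{
        RequestId   = $request.GetRequestId()
        Disposition = $disposition
        Message     = $request.GetDispositionMessage()
        Certificate = $null
    }
    if ($disposition -eq $CR_DISP_ISSUED) {
        # Issued immediately: pull the certificate back in PEM form.
        $result.Certificate = $request.GetCertificate($CR_OUT_BASE64HEADER)
    }
    return $result
}

$outcome = Submit-CertRequest -Csr (Get-Content -Path $CsrPath -Raw) -CaConfig $Config

if ($outcome.Disposition -eq $CR_DISP_ISSUED) {
    Set-Content -Path $OutPath -Value $outcome.Certificate -Encoding Ascii
    "Request $($outcome.RequestId) issued; certificate written to $OutPath"
} elseif ($outcome.Disposition -eq $CR_DISP_UNDER_SUBMISSION) {
    # Pending requests are fetched later with RetrievePending(requestId, config).
    "Request $($outcome.RequestId) is pending approval on $Config"
} else {
    "Request $($outcome.RequestId) not issued (disposition $($outcome.Disposition)): $($outcome.Message)"
}
```

Run it as an account that has Request Certificates permission on the CA; the disposition value is what NDES maps to the SCEP SUCCESS, PENDING or FAILURE status returned to the device.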

