NDES automated renewal of existing certificate via SCEP not working
Hi there, we are currently testing the following scenario (which we already had working). The goal is an automated renewal of existing certificates by Cisco IOS devices. The renewal is working, but needs manual issuing of the certificate on the CA (pending approval). As stated by the NDES whitepaper, an automatic renewal signed with the existing certificate should be supported:

"The NDES supports certificate renewal, where a device uses a previously issued certificate to validate a new certificate request. This feature is supported on Windows Server 2008 R2, Windows Server 2008 Service Pack 2, or on Windows Server 2008 with the KB959193 hotfix installed (http://support.microsoft.com/kb/959193). By default, when you request a certificate renewal by using this feature, the signer certificate must have the same subject name and alternate subject name as the requested certificate. To circumvent this requirement, set the value of the DisableRenewalSubjectNameMatch registry value to 0x1. Note that for the certificate renewal the NDES deviates from the SCEP specification and doesn't verify that the certificate being renewed has passed half of its validity period."
Some information about our current environment:
- Windows Server 2008 R2 Active Directory Certificate Services, Root / Issuing architecture; the Issuing CA is an Enterprise CA
- Hotfix 353391 / KB2483564 installed (http://support.microsoft.com/kb/2483564/en-us)
- Network Device Enrollment Service (on the Issuing CA)
- No password (EnforcePassword = 0)
- Custom templates for CEP Encryption / Exchange Enrollment Agent; at the moment testing with the default templates CEP Encryption / Exchange Enrollment Agent (Computer)
- Custom device template: Windows Server 2008, duplicate of IPSec (Offline request); RSA 4096, SHA256; Subject name = Supply in request & Use subject information from existing certificates; Issuance requirements: CA certificate manager approval, for reenrollment: valid existing certificate; NDES account = Read/Enroll

What we already tried:
- Using different subject names in the request (with / without serial number)
- Enabling the DisableRenewalSubjectNameMatch switch
- Deactivating the "Use subject information from existing certificates" switch
- Switching the device template to SHA1

Maybe someone has an idea what the problem could be. Thanks, MMF
May 14th, 2012 2:05am

Hi, what is the Windows OS you are using? Can you check the below: during the certificate renewal process, when the request fails, do you receive an error message that resembles the following: "The Network Device Enrollment Service received an http message without the "Operation" tag, or with an invalid "Operation" tag"? Regards, Gargi
May 14th, 2012 3:04am

Hi, sorry, I forgot to mention, that the request is stated as pending (and the enrollment is working, if a CA administrator issues the certificate manually). And no, the error message is not shown, as we have implemented the hotfix. Thanks for your answer, MMF
May 14th, 2012 4:16am

As the certificates include a SAN, we also tried certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
May 14th, 2012 4:24am

Thanks for explaining your scenario, I am working on this. Can you in the meanwhile let me know, whether you are using a standalone CA or an enterprise CA? And while renewing the certificate make sure that the below switch is not set to 1: HKLM\Software\Microsoft\Cryptography\MSCEP\DisableRenewalSubjectNameMatch
May 14th, 2012 5:40am

Possible root cause of this issue is:

Custom device template: Windows Server 2008, duplicate of IPSec (Offline request); RSA 4096, SHA256; Subject name = Supply in request & Use subject information from existing certificates; Issuance requirements: CA certificate manager approval, for reenrollment: valid existing certificate; NDES account = Read/Enroll

I checked an IPSec template and found that by default it does not have the "CA Manager approval" setting enabled, but your custom-made template (duplicate of IPSec (Offline request)) has it. Enabling "CA certificate manager approval" means that the certificate will be placed into a pending state rather than being issued immediately. In its pending state, the certificate request can be reviewed by certificate managers, ensuring a higher level of assurance for the issued certificate. Can you please uncheck this setting in the duplicate template, update the changes, try renewing and check whether it resolves your problem? Regards, Gargi
May 14th, 2012 7:02am

Hi Gargi, thanks. The CA manager approval is meant to provide a means to protect a first-time enrollment. The reenrollment with an existing certificate should enable it to get a certificate without approval. This is standard behaviour. Without having tested it, I am sure that the CA will issue the certificate if I untick the CA manager approval checkbox. But then, how would I protect the first enrollment? MMF
May 14th, 2012 7:13am

Oh, and it's an enterprise CA.
May 14th, 2012 7:13am

You protect the enrollment in SCEP by limiting who has access to the MSCEP_Admin Web page to get the Password used during initial SCEP enrollment. When you use SCEP, you should *NOT* be using the CA manager approval flag. Brian
May 14th, 2012 8:09am

Hi Brian, this would allow an administrator to issue certificates with any hostname possible. Also, we would need to provide a password to several thousand routers, which could be easily stolen and used to provision new routers. I would prefer the admin approval and then renewal with a signed request :) To get this straight: "should *NOT*" equals "not supported"? As I said, we tested said scenario (first-time approval) and it was working then (or at least we think so ;)

EDIT: When I disable the CA certificate manager approval, "Require the following for reenrollment" is greyed out. Seems strange to me, as it would not allow the router to reenroll without a new SCEP password (which is just valid for 60 min)? Thanks for your help, MMF
May 14th, 2012 8:35am

Ok, last one, as the solution is applicable for us :) We unticked CA certificate manager approval and reconfigured NDES to use the passwords. Now we just need to implement the new security permissions on the mscep_admin page and that's it. Not the solution we had in mind, but a working one. Many thanks to both of you, Gargi and Brian. Best regards, MMF
May 14th, 2012 9:27am
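Brian's suggestion above, and the "security permissions on the mscep_admin page" MMF mentions, come down to one IIS change: only the people allowed to hand out challenge passwords may reach /certsrv/mscep_admin. The script below is an added example, not from the thread or from Microsoft. It assumes the default NDES layout under "Default Web Site" and the WebAdministration module on IIS 7.5 / Windows Server 2008 R2; the group CONTOSO\NDES-Enrollment-Admins is a placeholder.

```powershell
# Added example (not part of the thread): lock /certsrv/mscep_admin down to one AD group.
# Run elevated on the NDES host. Assumes the default NDES install under "Default Web Site"
# and the WebAdministration module (IIS 7.5). The group name below is a placeholder.
Import-Module WebAdministration

$appHost    = 'MACHINE/WEBROOT/APPHOST'
$location   = 'Default Web Site/certsrv/mscep_admin'
$adminGroup = 'CONTOSO\NDES-Enrollment-Admins'   # placeholder: who may fetch challenge passwords

# 1. The page must know who is asking: anonymous off, Windows authentication on.
#    Writing to APPHOST with -Location lands in applicationHost.config, so the
#    authentication sections' default lock does not get in the way.
Set-WebConfigurationProperty -PSPath $appHost -Location $location `
    -Filter 'system.webServer/security/authentication/anonymousAuthentication' `
    -Name enabled -Value $false
Set-WebConfigurationProperty -PSPath $appHost -Location $location `
    -Filter 'system.webServer/security/authentication/windowsAuthentication' `
    -Name enabled -Value $true

# 2. URL authorization: drop the inherited "Allow users=*" rule for this path and add one
#    Allow for the admin group. With no matching rule left, everyone else is denied.
Remove-WebConfigurationProperty -PSPath $appHost -Location $location `
    -Filter 'system.webServer/security/authorization' -Name '.' `
    -AtElement @{ users = '*'; roles = ''; verbs = '' }
Add-WebConfigurationProperty -PSPath $appHost -Location $location `
    -Filter 'system.webServer/security/authorization' -Name '.' `
    -Value @{ accessType = 'Allow'; roles = $adminGroup }

# 3. Verify: the effective rule set for mscep_admin should now be exactly one Allow
#    for $adminGroup and nothing for users="*".
Get-WebConfiguration -PSPath $appHost -Location $location `
    -Filter 'system.webServer/security/authorization/add' |
    Select-Object accessType, users, roles
```

The check in step 3 is the part worth keeping in a runbook: if the inherited `users="*"` rule is still listed, the remove did not apply at this location and the page is still open to every authenticated domain user. The password page itself (the /certsrv/mscep enrollment endpoint) must stay reachable by the routers; only mscep_admin is restricted here.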

Unfortunately, it's not working as expected. The NDES server is generating the event below, and the router's renewal fails. A Wireshark capture shows that the Cisco router first sends a signed PKCS#7 container which contains the device certificates, before trying the renewal five times. The GetCACaps request is also answered by the CA, the template is now configured to NOT need CA certificate manager approval, and NDES is configured to use mandatory, alternating passwords.

"The Network Device Enrollment Service cannot locate a required password in the certificate request. Either a password must be present in the certificate request or the certificate request should be signed with a valid signing certificate. The signing certificate must chain up to a trusted root in the Enterprise store. The signing certificate and the certificate request must have the same subject name or subject alternate name."

Thanks, MMF
May 15th, 2012 4:19am

Hi, I am summing up the changes that you need to do, let me know if all are done:
1) Enable Single Password mode as follows:
   Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\MSCEP\UseSinglePassword
   Name: UseSinglePassword
   Type: REG_DWORD
   Value: 1
2) Remove the CA manager approval from the duplicate IPSec template and update the change.
3) Make sure that HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\MSCEP\DisableRenewalSubjectNameMatch is not set to 1.
May 15th, 2012 6:13am

Hi Gargi, why should I need the UseSinglePassword mode? The request is signed, and the password should not be reused at all, as this is a serious security problem. This configuration is working now; we do not know why the subject matching fails. Tested it with very short-lived certificates and with approx. 200 renewals :)

UseSinglePassword = 0
DisableRenewalSubjectNameMatch = 1
EnforcePassword = 1
Subject Name, Supply in the request = Enabled
Subject Name, Use subject information from existing = Disabled
CA certificate manager approval = Disabled

Thanks for your help, maybe our testing will benefit someone else. This should also be documented in TechNet and the whitepapers, as it would have saved days of research and testing :) (oh, and maybe someone can mark this as the answer) MMF
May 16th, 2012 2:50am
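As an added example (not from the thread or from Microsoft), the PowerShell below reads the MSCEP registry values and the CA policy EditFlags that were changed during this troubleshooting, compares them with the combination MMF reports as working (UseSinglePassword = 0, DisableRenewalSubjectNameMatch = 1, EnforcePassword = 1), and warns about the settings a security reviewer would question: UseSinglePassword = 1 (one static challenge shared by every device), DisableRenewalSubjectNameMatch = 1 (per the whitepaper quoted at the top, the name-match check is what ties a signed renewal to the signer's own identity, so with it disabled any device holding a valid certificate can renew into a different name), and the EDITF_ATTRIBUTESUBJECTALTNAME2 flag tried earlier (the CA then honours a requester-supplied SAN on every template, not only this one). It assumes the MSCEP values sit in subkeys holding a DWORD of the same name, as in the Location/Name layout quoted above, and that it runs elevated on the NDES/Issuing-CA host.

```powershell
# Added example, not part of the original thread: audit the NDES (MSCEP) registry values and
# the CA policy EditFlags discussed above, compare them with the combination MMF found working
# for signed SCEP renewals, and flag the settings that weaken enrollment security.
# Assumptions: runs elevated on the NDES/Issuing-CA host; each MSCEP setting lives in a subkey
# that holds a DWORD of the same name (the Location/Name layout quoted in the thread).

$mscepRoot = 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP'
$certSvc   = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$EDITF_ATTRIBUTESUBJECTALTNAME2 = 0x40000   # the flag set by "certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2"

function Get-MscepValue {
    # Returns the DWORD stored at MSCEP\<Name>\<Name>, or $null when the key/value is absent
    # (NDES then falls back to its built-in default).
    param([Parameter(Mandatory)][string]$Name)
    $key = Join-Path $mscepRoot $Name
    try   { [int](Get-ItemProperty -Path $key -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Get-CaEditFlags {
    # EditFlags of the default policy module for the active CA on this host.
    $active = (Get-ItemProperty -Path $certSvc -Name Active -ErrorAction Stop).Active
    $policy = Join-Path $certSvc "$active\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy"
    [int](Get-ItemProperty -Path $policy -Name EditFlags -ErrorAction Stop).EditFlags
}

# The registry side of the configuration MMF reported as working (template side: subject
# supplied in request, CA certificate manager approval disabled).
$working = [ordered]@{
    EnforcePassword                = 1   # first enrollment needs a challenge password
    UseSinglePassword              = 0   # one-time passwords from mscep_admin, never a static one
    DisableRenewalSubjectNameMatch = 1   # what made the signed renewal go through in MMF's tests
}

function Test-NdesRenewalConfig {
    $report = foreach ($name in $working.Keys) {
        $actual = Get-MscepValue $name
        [pscustomobject]@{
            Setting  = $name
            Actual   = if ($null -eq $actual) { '(not set)' } else { $actual }
            Expected = $working[$name]
            Match    = ($actual -eq $working[$name])
        }
    }
    $report | Format-Table -AutoSize

    # Caveats a reviewer would attach to the settings discussed in the thread.
    if ((Get-MscepValue 'UseSinglePassword') -eq 1) {
        Write-Warning 'UseSinglePassword=1: every device shares one static challenge; whoever obtains it can enroll any identity this template allows.'
    }
    if ((Get-MscepValue 'EnforcePassword') -eq 0) {
        Write-Warning 'EnforcePassword=0: first-time enrollment needs no challenge at all; any host that can reach /certsrv/mscep can enroll.'
    }
    if ((Get-MscepValue 'DisableRenewalSubjectNameMatch') -eq 1) {
        Write-Warning 'DisableRenewalSubjectNameMatch=1: a renewal signed by any valid certificate may carry a different subject/SAN; keep the template restricted to the NDES account and review issued certificates.'
    }
    $flags = Get-CaEditFlags
    if ($flags -band $EDITF_ATTRIBUTESUBJECTALTNAME2) {
        Write-Warning ('EditFlags 0x{0:X} includes EDITF_ATTRIBUTESUBJECTALTNAME2: the CA accepts a SAN supplied as a request attribute on every template. Clear it with: certutil -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2 ; net stop certsvc ; net start certsvc' -f $flags)
    }
}

Test-NdesRenewalConfig
```

Run it once after the template and registry changes and keep the output with the change record; the table shows at a glance whether the host still matches the combination that was actually tested, and each warning names the exact value to revert if a later change reintroduces the weak setting.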

This topic is archived. No further replies will be accepted.