Moving Network Device Enrollment Service (NDES) to another certification authority

Assume the following scenario:

  • There is one NDES instance installed on the network.
  • The Certification Authority issuing to NDES is to be changed.

The official statement on this is that NDES must be reinstalled and reconfigured in this case. However, this is not necessary. The necessary steps are described below.

The Network Device Enrollment Service (NDES) provides a way for devices that do not have an identity in Active Directory (for example, network devices such as routers, switches, printers, thin clients, or smartphones and tablets) to request certificates from a certification authority. For a more detailed description, see the article "Network Device Enrollment Service (NDES) Basics".

Configure target certification authority


On the target certification authority, the SubjectTemplate configuration setting must be extended by three values if it was not previously used with NDES:

  • UnstructuredName
  • UnstructuredAddress
  • DeviceSerialNumber

This can be done with the following commands:

certutil -setreg CA\SubjectTemplate +UnstructuredName
certutil -setreg CA\SubjectTemplate +UnstructuredAddress
certutil -setreg CA\SubjectTemplate +DeviceSerialNumber

Afterwards, the certification authority service must be restarted.

Customize NDES configuration

The certification authority is configured in the format {Servername}\{Common-Name-of-CA} under the value "Configuration" below the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MSCEP\CAInfo

If only the server name has changed, the NDES configuration can now be re-read using the iisreset command.

Renew Registration Authority (RA) certificates

However, if it is a completely different certification authority, NDES will refuse service, because the Registration Authority certificates must have been issued by the same certification authority that NDES is configured to use.

In this case, new Registration Authority certificates must be requested from the new certification authority. Setting up your own RA certificates is described in the article "Using custom Registration Authority (RA) certificate templates for the Network Device Enrollment Service (NDES)".

It is also important here that the permissions on the private keys of the new RA certificates are granted again to the identity of the SCEP application pool.

When the certificates are requested via the Microsoft Management Console (MMC), a certification authority is selected at random. This means that the certificates could come from the wrong certification authority if the templates are offered on multiple certification authorities.

Afterwards, the NDES configuration can be re-read using the iisreset command.

NDES should now work as desired.
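As an added example (not part of the original article), the following PowerShell helpers automate the procedure above: the first is run on the target certification authority and extends SubjectTemplate only with the entries that are missing; the second is run on the NDES server, warns if the installed RA certificates were not issued by the new certification authority, and then updates the CAInfo registry value and reloads NDES. The default RA certificate subject naming ("<host>-MSCEP-RA") and the sample configuration string are assumptions.

```powershell
# Added example, not from the original article. Assumptions: default RA certificate
# naming ("<host>-MSCEP-RA") and a constructed CA configuration string as sample value.

# Run on the TARGET certification authority.
function Add-NdesSubjectTemplateRdns {
    $required = 'UnstructuredName', 'UnstructuredAddress', 'DeviceSerialNumber'
    # certutil -getreg prints the REG_MULTI_SZ entries one per line
    $current = (certutil -getreg 'CA\SubjectTemplate') -join "`n"
    $missing = @($required | Where-Object { $current -notmatch "\b$_\b" })
    foreach ($rdn in $missing) {
        # The leading "+" appends to the existing value instead of replacing it
        certutil -setreg 'CA\SubjectTemplate' "+$rdn" | Out-Null
    }
    if ($missing.Count -gt 0) {
        Restart-Service -Name certsvc   # the CA reads SubjectTemplate only on start
    }
    return $missing
}

# Run on the NDES server. $CaConfig has the form "{Servername}\{Common-Name-of-CA}".
function Set-NdesTargetCa {
    param([Parameter(Mandatory)][string]$CaConfig)
    $key  = 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP\CAInfo'
    $caCn = ($CaConfig -split '\\', 2)[1]

    # NDES refuses service unless the RA certificates were issued by the configured CA,
    # so check before switching. Assumes the default "<host>-MSCEP-RA" subject.
    $raCerts = @(Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "CN=$env:COMPUTERNAME-MSCEP-RA*" })
    $foreign = @($raCerts | Where-Object { $_.Issuer -notmatch "CN=$([regex]::Escape($caCn))" })
    if ($raCerts.Count -eq 0 -or $foreign.Count -gt 0) {
        Write-Warning "No RA certificates issued by '$caCn' found; request new ones from that CA first."
    }

    $old = (Get-ItemProperty -Path $key -Name Configuration).Configuration
    if ($old -ne $CaConfig) {
        Set-ItemProperty -Path $key -Name Configuration -Value $CaConfig
        iisreset | Out-Null   # NDES reads CAInfo only when the application starts
    }
}

# Sample call with a constructed placeholder, not a real CA:
# Set-NdesTargetCa -CaConfig 'CA02.corp.example\Corp Issuing CA 02'
```

Both helpers require an elevated session; Add-NdesSubjectTemplateRdns returns the entries it added so the restart can be confirmed as necessary.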
