Registration Authority (RA)

Roles in a public key infrastructure

Understanding the roles involved is essential for designing a public key infrastructure.

The term "public key infrastructure" encompasses much more than the technical components and is often misleadingly used.

In summary, a public key infrastructure is both an authentication technology and the totality of all the components involved.

Selecting the identity for the IIS Network Device Enrollment Service (NDES) application pool.

If one installs a Network Device Enrollment Service (NDES), one is faced with the question under which identity the IIS application pool should be operated. In the following, the individual options are examined in more detail in order to facilitate a selection.

Basics: Enroll on Behalf of (EOBO)

The following is a description of the Enroll on Behalf Of function and how it differs from other methods of applying for certificates.

Requesting certificates via Enroll on Behalf of (EOBO) is not possible because the certificate template is not displayed. The error message is "The certificate template requires too many RA signatures."

Assume the following scenario:

A certificate is requested for a user or a computer from a certificate authority via the certificate management console (certlm.msc or certmgr.msc).
One uses here the Enroll on Behalf of (EOBO) Mechanism.
The desired certificate template is not displayed.
If you check the "Show all templates" checkbox, the following error message will be displayed for the desired certificate template:

The certificate template requires too many RA signatures. Only one RA signature is allowed. Multiple request agent signatures are not permitted on a certificate request.

Is there a dependency of the Network Devices Registration Service (NDES) with the NTAuthCertificates object?

The Network Device Registration Service (NDES) has two Registration Authority Certificates. With the enrollment agent certificate, certificate requests are signed and one can use the Configure NDES device template accordingly so that certificates are also only issued if the submitted certificate requests also have a corresponding signature..

Do you plan to use the Certification Authority connected to the NDES remove from the NTAuthCertificates objectThe question may arise as to whether mutual dependencies need to be taken into account here - after all, this requires Enroll on Behalf Of (EOBO) the presence of the certificate authority certificate in NTAuthCertificates.

Renew the Registration Authority (RA) certificates for the Network Device Enrollment Service (NDES).

Once NDES has been in operation for some time (typically two years), one is faced with the challenge of renewing the Registration Authority (RA) certificates. Unfortunately, this process is not necessarily solved intuitively and is therefore described in more detail in this article.

The Network Device Enrollment Service (NDES) logs the error message "The Network Device Enrollment Service cannot retrieve one of its required certificates (0x80070057). The parameter is incorrect."

Assume the following scenario:

An NDES server is configured on the network.
HTTP error 500 (Internal Server Error) is reported when accessing the NDES application web page (mscep) and the NDES administration web page (certsrv/mscep_admin).
The events no. 2 and 10 stored in the application event log:

The Network Device Enrollment Service cannot be started (0x80070057). The parameter is incorrect.

The Network Device Enrollment Service cannot retrieve one of its required certificates (0x80070057). The parameter is incorrect.

Moving Network Device Enrollment Service (NDES) to another certification authority

Assume the following scenario:

There is one NDES instance installed on the network.
The Certification Authority issuing to NDES is to be changed.

The official statement on this is that NDES must be reinstalled and reconfigured in this case. However, this is not necessary. The necessary steps are described below.

Using custom Registration Authority (RA) certificate templates for the Network Device Enrollment Service (NDES).

The Network Device Enrollment Service (NDES) uses two certificate templates for its internal function to make it act as a Registration Authority (RA). These are published during role configuration of the NDES service on the configured certificate authority and certificates are requested:

CEP Encryption
Exchange Enrollment Agent (Offline Request)

These certificate templates are standard templates from the Windows 2000 world (version 1 templates), i.e. they cannot be edited. In addition, the Exchange Enrollment Agent (Offline Request) template is marked as a user template, i.e. during NDES role configuration the certificate is requested in the context of the installing user and then imported into the machine store. At the latest when the certificates are to be renewed after two years, things get complicated here.

It is therefore a good idea to use your own certificate templates for NDES. These can be adapted in terms of their key length, for example. The use of hardware security modules (HSM) is also possible in this way. Even automatic renewal can be configured.