NDES and certificate renewal with a Windows Server 2003 Back-end CA

With Windows Server 2003 MSCEP, you can enable your network devices to enroll for certificates. Support for renewal, however, is fairly limited: a renewal is for the most part treated like a new enrollment. MSCEP also had to be installed on the CA server itself, whereas NDES in Windows Server 2008 can be installed separately from the CA server and can even use a Windows Server 2003 CA as a back-end.

Up until now the options for the devices have been to either use an enrollment password that requires an admin to manually handle the enrollment or renewal process *or* to allow any network device to enroll for certificates (possibly controlled by a firewall for security purposes).

With Windows Server 2008 R2, the option for the enrolling device to use its existing certificate during the renewal process is added. The administrator must still take care of the initial enrollment with the enrollment password, but renewals can be handled automatically by the device, as it can use the existing certificate and key pair to identify itself.

This behavior has also been backported to Windows Server 2008 in hotfix 959193.

For a network device to be able to perform a certificate-based renewal, two things must be in place:

1. The client network device must support the updated SCEP standard that enables certificate-based renewal.

2. The NDES server must either be a Windows Server 2008 R2 or Windows Server 2008 with hotfix 959193 installed.

In other words, it is no good just installing hotfix 959193 on your existing Windows Server 2008 NDES server and expecting the clients to be able to renew their certificates as a result. You also need to check the firmware on the device (Cisco IOS, for example), confirm with the device vendor that certificate-based renewal is supported on that particular firmware version, and update it if necessary.
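To confirm the server-side half of these prerequisites, here is a small PowerShell check (an added example, not part of the original post or of NDES itself). It assumes NDES keeps its settings under HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP and that the hotfix is listed as KB959193 among installed updates; it cannot tell you anything about the device firmware.

```powershell
# Added example (not from the original post): checks whether this NDES server
# meets the server-side prerequisite for SCEP certificate-based renewal.
# Assumptions: NDES registry root HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP
# exists once the role is installed; hotfix 959193 is listed as KB959193.

function Test-NdesRenewalPrereq {
    $os  = Get-WmiObject -Class Win32_OperatingSystem
    $ver = [Version]$os.Version      # 6.0.x = Server 2008, 6.1.x = Server 2008 R2
    $ndesInstalled = Test-Path 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP'

    # Win32_QuickFixEngineering works on PowerShell 1.0 as well as 2.0.
    $hotfix = Get-WmiObject -Class Win32_QuickFixEngineering |
              Where-Object { $_.HotFixID -eq 'KB959193' }

    $result = New-Object PSObject -Property @{
        OSVersion       = $os.Version
        NdesInstalled   = $ndesInstalled
        KB959193Present = [bool]$hotfix
        RenewalReady    = $false
        Note            = ''
    }

    if (-not $ndesInstalled) {
        $result.Note = 'NDES (MSCEP) registry root not found; is the NDES role installed on this server?'
    } elseif ($ver.Major -eq 6 -and $ver.Minor -eq 1) {
        $result.RenewalReady = $true
        $result.Note = 'Windows Server 2008 R2: certificate-based renewal is built in.'
    } elseif ($ver.Major -eq 6 -and $ver.Minor -eq 0) {
        if ($hotfix) {
            $result.RenewalReady = $true
            $result.Note = 'Windows Server 2008 with KB959193: certificate-based renewal supported.'
        } else {
            $result.Note = 'Windows Server 2008 without KB959193: renewals are treated as new enrollments.'
        }
    } else {
        $result.Note = 'OS version not covered by this check (pre-2008 or newer than 2008 R2).'
    }

    # Server side only: the device firmware must also support renewal (check with the vendor).
    $result
}

Test-NdesRenewalPrereq | Format-List OSVersion, NdesInstalled, KB959193Present, RenewalReady, Note
```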

Further details:

Two improvements are available that shorten the time that is required to manage SCEP certificates by using the Network Device Enrollment Service in Windows Server 2008
http://support.microsoft.com/kb/959193/en-us

Cisco Systems' Simple Certificate Enrollment Protocol http://tools.ietf.org/html/draft-nourse-scep-18
