Does the NDES service support shadow certificate renewal via SCEP?
I have a Standalone CA Server configured with NDES role service to support SCEP.
Certificate enrollment from Cisco routers works fine with SCEP.
Cisco uses a process named shadow renewal, tied to CA certificate rollover:
Rollover is a special case where the CA certificate expires and a new CA certificate is generated. The CA generates a new CA certificate which becomes valid once the current CA certificate expires. The CA usually generates this "Shadow CA" certificate some time prior to rollover time, because it is needed in order to generate "Shadow ID" certificates for the clients.
When the SCEP client's ID certificate approaches expiration, the SCEP client queries the CA for the "Shadow CA" Certificate. This is done with the GetNextCACert operation as shown here:
GET /cgi-bin/pkiclient.exe?operation=GetNextCACert
It looks to me that this is either not supported by the CA server or not configured properly to support it, because I get the below message on the router:
Checking the Win32 API documentation, specifically the ICertRequest interface definition, the GetNextCACert member is not documented, while it is specified in the SCEP RFC, chapter 5.5.3 "Get Next Certificate Authority Certificate".
Dear Microsoft, is this call supported by NDES or not, in the end? If yes, what configuration is required for this operation on the NDES side?