Partager via


So you want to test your NDES/SCEP certificate enrollment?

SCEP (Simple Certificate Enrollment Protocol) and NDES (Network Device Enrollment Service) are the mechanisms we currently use to deploy certificates to our mobile devices via Intune and Configuration Manager. The tech is very (very) cool, but for the average ConfigMgr admin it’s got quite a steep learning curve.

Once you (kinda) understand how it all works, you’ll begin to test your configuration. Testing NDES and SCEP is a pain in the neck, as there are so many moving parts. Worst is having to troubleshoot certificate enrollment on the tiny screens of your mobile devices.

Luckily, we can test & troubleshoot via our Windows workstations.

In my scenario, I’ve got an NDES server hosted in Azure. I know the NDES server is ‘up’ as browsing the URI works fine (https://ndes.mydomain.com/CertSrv/mscep). I want to test that the NDES certificate template is deployed correctly, and the certificate is valid.

First, you’ll need to create an .inf file that will hold some request information. It should include the requests Subject name and the RequestType as a minimum. You can also add all the optional attributes you want or need. For example, my NDES template has a minimum key length of 2048, so I needed to add the KeyLength attribute too. (Certreq.exe INI File Structure)

request.inf

[NewRequest]
Subject = “CN=TestNDESCert”
RequestType = SCEP
KeyLength = 2048

Once we have our request .inf, we need to create a certificate request. From a command line with Admin elevation

certreq –v –config ndes.mydomain.com –username MYDOMAIN\Administrator –p Password –new request.inf scepRequest.req

Lets break this down.

certreq –v –config ndes.mydomain.com is my NDES server that’s publically available. The certreq documentation notes that to use https you must specify the URI instead of the FQDN, however in my testing on Windows 10 I could not get https to work. From my tracing I found certreq dropping a “https://” in-front of any URL that I passed into the command-line. SO, if you’re using https, you may have to enable http for this sort of testing.

-username MYDOMAIN\Administrator –p Password is my test users username and password

-new request.inf scepRequest.req is the verb calling a new request feeding my request.inf (created above) and an output file scepRequest.req

You should get something like this back from the command

image

If you now check on the CA, you should see a certificate has been issues to this client

image

Now that we have our request, we need to submit it to the NDES server to receive our certificate.

certreq -v -config ndes.sa.mattslabs.com -submit scepRequest.req scepCert.cer

This is pretty straight forward. Submit the newly created scepRequest.req request file, and receive a certificate scepCert.cer from the NDES server.

Finally, install the certificate and view it in your Certificates – Current User MMC snap-in

certreq -accept scepCert.cer

image

SNAGHTML182d5ef1

Happy testing!

Matt Shadbolt

Comments

  • Anonymous
    October 09, 2015
    When I test generating a request using your request.inf, I get:

    [NewRequest] RequestType = "SCEP" != "PKCS10"
    [NewRequest] RequestType = "SCEP" != "PKCS7"
    [NewRequest] RequestType = "SCEP" != "CMC"
    [NewRequest] RequestType = "SCEP" != "Cert"
    Certificate Request Processor: The parameter is incorrect. 0x80070057 (WIN32: 87)
    request.inf([NewRequest] RequestType = "SCEP")

    None of the documentation seems to mention "SCEP" as being a valid value. When I try a value like PKCS10, I get an apparently valid CSR generated, but when I try to send (-submit) it to my SCEP-enabled server, I get the same CSR wrapped in a SOAP envelope, which is not a valid SCEP message. (Maybe a SCEP CMSSignedData wrapped in a SOAP envelope would be valid because, after all, the SCEP spec doesn't specify the content type, just that it contain a CMSSignedData.) I thought that maybe I just didn't have the right version of certreq, but i applied all of the Windows updates, and "SCEP" is still a rejected value for RequestType.

    How are you getting the "SCEP" value to work?
  • Anonymous
    October 12, 2015
    The comment has been removed
  • Anonymous
    October 14, 2015
    I was trying the request from Windows Server 2008.
  • Anonymous
    October 14, 2015
    I tried running CertReq -v /? on Windows 8.1 and 10, and found that both version list SCEP as a valid input. I guess Windows Server 2008 just doesn't have the support for SCEP in certreq. Thanks for your help.
  • Anonymous
    October 14, 2015
    Yeah cool. Sorry, I don't have an 8.1 client to test with but I'm glad you've got it working! Matt
    • Anonymous
      June 19, 2017
      How to consume challenge password (One time challenge generated by SCEP/NDES)?
  • Anonymous
    October 15, 2015

    GET YOUR PROBLEM SOLVE TODAY WITH MY PROFESSION IN ANY SPIRITUAL SPELL OR ANY KIND OF PHYSICAL BATTLE THAT NEED, MY NAME IS DR SYLVESTER AND THIS IS MY EMAIL FOR CONTACT (stbenson391@gmail.com) OR YOU CAN FOLLOW HIM UP ON FACEBOOK BY MY NAME (SYLVESTER E BENSON) ON FACEBOOK OR CALL ME ON MY MOBILE NUMBER +2348136090988, AM ALWAYS AVAILABLE TO RENDER YOU HELP WITH EXPERIENCE OF 32 YEARS IN SPELL CASTING AND HERBAL MEDICURE TO CURE ANY KIND OF DISEASE THAT YOU MAY HAVE, CONTACT ME ON ANY KIND OF ISSUES.