I had the chance to install the Microsoft Network Device Enrollment Service (SCEP) on Windows Server 2008 R2. During the installation, the wizard asks for a service account name (ServiceSCEP) that will be used to run the IIS application pool, and it enrolls for two certificates from these templates:
- Exchange Enrollment Agent (Offline request)
- CEP Encryption
Well, I don't like certificates generated from the default templates, as those templates enroll for certificates with a validity of 2 years, and the key is not exportable, so you cannot distribute it to multiple nodes in an HA setup.
Instead I would like to create my own version of those templates, with a longer validity period and with the key marked as exportable. I would also like to name my templates according to our own naming standard.
Guess what!! These certificate templates are hard-coded into the Network Device Enrollment Service setup and cannot be modified.
Gr8 indeed Microsoft!!! Surprising as usual!
Well, Microsoft has published an article on how to create your own certificates from those built-in default certificate templates (so yes, they are still valid for 2 years only, and you cannot change their names or create your own certificate templates) after you run the installation wizard, then delete the ones created by the wizard, reset IIS, and everything should be working.
The blog article is here .
At least with this method you can request that the keys be exportable, so you can share them across your SCEP pool servers.
Even after following the steps on the blog, it still did not work, and I got these errors:
The Network Device Enrollment Service cannot retrieve one of its required certificates (0x80070057). The parameter is incorrect.
The Network Device Enrollment Service cannot be started (0x80004005). Unspecified error
And I'm not the only one complaining about this; you can check this post to see how things get worse.
What worked for me?
- Install the SCEP services normally.
- Add the (ServiceSCEP) account to the local Administrators group.
- Log on to the server using the (ServiceSCEP) account.
- Open IE and go to http://servername/certsrv
- Enroll for two certificates, from the (Exchange Enrollment Agent (Offline Request)) and (CEP Encryption) templates.
- Open MMC, add the Certificates snap-in, and choose both the local computer store and the user store.
- Drag (move) the two issued certificates from the (ServiceSCEP) user Personal store to the local computer Personal store.
- Log off.
- Log on to the server with your admin account and remove (ServiceSCEP) from the local Administrators group.
- Reset IIS.
- Now open IE, browse to http://localhost/certsrv/mscep_admin, and it should be working.
What to do next ?
Remember to renew those certificates after 2 years.
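As an added example (not from the original post or from Microsoft), the following PowerShell check covers the two points above: it confirms that the two NDES certificates ended up in the local computer Personal store with their private keys after the drag-and-drop step, and it flags them when the 2-year validity is about to run out. It assumes the certificates were issued from the built-in v1 templates, whose internal template names are `EnrollmentAgentOffline` and `CEPEncryption`; the 60-day warning threshold is a constructed value you can adjust.

```powershell
# Added example, not part of the original post: verify the NDES certificates
# in Cert:\LocalMachine\My and report renewal status.
# Assumptions: built-in v1 templates 'EnrollmentAgentOffline' and 'CEPEncryption';
# $WarnDays = 60 is a constructed threshold. Written for PowerShell 2.0+ (2008 R2).

$TemplateNameOid = '1.3.6.1.4.1.311.20.2'   # v1 "Certificate Template Name" extension (BMPString)
$WantedTemplates = @('EnrollmentAgentOffline', 'CEPEncryption')
$WarnDays        = 60

function Get-V1TemplateName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $TemplateNameOid }
    if (-not $ext) { return $null }
    $raw = $ext.RawData
    # DER BMPString: tag 0x1E, one-byte length (template names are well under 128 chars),
    # then the name as UTF-16 big-endian.
    if ($raw[0] -ne 0x1E) { return $null }
    return [System.Text.Encoding]::BigEndianUnicode.GetString($raw, 2, $raw[1])
}

function Get-NdesCertificateStatus {
    $now     = Get-Date
    $results = @()
    foreach ($cert in Get-ChildItem -Path 'Cert:\LocalMachine\My') {
        $template = Get-V1TemplateName -Cert $cert
        if ($WantedTemplates -notcontains $template) { continue }
        $daysLeft = [int]($cert.NotAfter - $now).TotalDays
        # HasPrivateKey = $false means the certificate moved but its key did not;
        # NDES cannot start in that state.
        if (-not $cert.HasPrivateKey)     { $state = 'NO PRIVATE KEY' }
        elseif ($daysLeft -le 0)          { $state = 'EXPIRED' }
        elseif ($daysLeft -le $WarnDays)  { $state = 'RENEW SOON' }
        else                              { $state = 'OK' }
        $results += New-Object PSObject -Property @{
            Template = $template; Thumbprint = $cert.Thumbprint
            HasPrivateKey = $cert.HasPrivateKey; NotAfter = $cert.NotAfter
            DaysLeft = $daysLeft; State = $state
        }
    }
    # A template with no certificate in the computer store at all is reported as MISSING.
    foreach ($wanted in $WantedTemplates) {
        if (-not ($results | Where-Object { $_.Template -eq $wanted })) {
            $results += New-Object PSObject -Property @{
                Template = $wanted; Thumbprint = '-'; HasPrivateKey = $false
                NotAfter = $null; DaysLeft = $null; State = 'MISSING'
            }
        }
    }
    return $results
}

Get-NdesCertificateStatus | Format-Table Template, HasPrivateKey, NotAfter, DaysLeft, State -AutoSize
```

Run it in an elevated PowerShell session on the NDES server (the computer store requires local admin rights to read private-key status), or schedule it so that a RENEW SOON line shows up before the 2-year expiry breaks enrollment.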