Configuring Network Device Enrollment Service for Windows Server 2008 with Custom Certificates

I had the chance to install Microsoft Network Device Enrollment Service (SCEP) on Windows Server 2008 R2. During the installation, the wizard asks for a service account (ServiceSCEP) that will be used to run the IIS application pool, and it enrolls for two certificates from these templates:

  • Exchange Enrollment Agent (Offline request)
  • CEP Encryption

Well, I don’t like certificates generated from the default templates: those templates issue certificates with a validity of 2 years, and the key is not exportable, so you cannot distribute it to multiple nodes in an HA setup.

Instead, I would like to create my own versions of those templates, with a longer validity period and with the "key can be exported" option. I would also like to name my templates according to our own naming standard.

Guess what!! These certificate templates are hard-coded into the Network Device Enrollment Service setup and cannot be modified.

Gr8 indeed, Microsoft!!! Surprising as usual!

Well, Microsoft has published an article about how to create your own certificates from those built-in default certificate templates (so yes, they are valid for 2 years only, and you cannot change their names nor create your own certificate templates): after you run the installation wizard, you enroll for your own certificates, delete those created by the installation wizard, reset IIS, and all should be working.

The blog article is here.

At least with this method you can request that the keys be exportable, so you can share them across your SCEP pool servers.

Even after following the steps on the blog, it did not seem to work, and I got these errors:

The Network Device Enrollment Service cannot retrieve one of its required certificates (0x80070057). The parameter is incorrect.

The Network Device Enrollment Service cannot be started (0x80004005). Unspecified error

And I am not the only one complaining about this; you can check this post to see how things get worse.


What worked for me?

  1. Install the SCEP services normally.
  2. Add the ServiceSCEP account to the local Administrators group.
  3. Log on to the server using the ServiceSCEP account.
  4. Open IE and go to http://servername/certsrv.
  5. Enroll for two certificates, from the Exchange Enrollment Agent (Offline request) and CEP Encryption templates.
  6. Open MMC, add the Certificates snap-in, and choose both the local computer store and the user store.
  7. Drag (move) the two issued certificates from the ServiceSCEP user's Personal store to the local computer's Personal store.
  8. Log off.
  9. Log on to the server with your admin account and remove ServiceSCEP from the local Administrators group.
  10. Reset IIS.
  11. Now open IE and browse to http://localhost/certsrv/mscep_admin; it should be working.

What to do next?

Remember to renew those certificates after 2 years.
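
A read-only check to run after the IIS reset in step 10, and again ahead of the 2-year renewal. This is an added example, not part of the original post or of Microsoft's article. It lists the certificates in the local computer Personal store that carry the Certificate Request Agent EKU (both templates issue it) and warns when one of the two is missing, has no private key, or is close to expiry. The 60-day warning window is an assumption.

```powershell
# Added example, not from the original post. Read-only: lists the NDES RA
# certificates in the local computer Personal store and flags problems.
$raEku    = '1.3.6.1.4.1.311.20.2.1'   # Certificate Request Agent EKU
$warnDays = 60                          # assumption: renewal warning window

$ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
$kuType  = [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension]
$flags   = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]

# @(...) keeps $report an array even when nothing matches
$report = @(foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
    $eku = $cert.Extensions | Where-Object { $_ -is $ekuType } | Select-Object -First 1
    if (-not $eku) { continue }
    if (-not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $raEku })) { continue }

    # Key usage tells the two apart: the enrollment agent certificate signs,
    # the CEP Encryption certificate does key encipherment.
    $ku   = $cert.Extensions | Where-Object { $_ -is $kuType } | Select-Object -First 1
    $bits = if ($ku) { [int]$ku.KeyUsages } else { 0 }

    New-Object PSObject -Property @{
        Subject       = $cert.Subject
        Thumbprint    = $cert.Thumbprint
        Signing       = [bool]($bits -band [int]$flags::DigitalSignature)
        Encryption    = [bool]($bits -band [int]$flags::KeyEncipherment)
        HasPrivateKey = $cert.HasPrivateKey
        NotAfter      = $cert.NotAfter
        DaysLeft      = [int]($cert.NotAfter - (Get-Date)).TotalDays
    }
})

$report | Format-Table Signing, Encryption, HasPrivateKey, DaysLeft, Thumbprint -AutoSize

# NDES needs one usable certificate for each role
foreach ($role in 'Signing', 'Encryption') {
    if (-not ($report | Where-Object { $_.$role -and $_.HasPrivateKey })) {
        Write-Warning "No $role certificate with a private key in LocalMachine\My"
    }
}
$report | Where-Object { $_.DaysLeft -lt $warnDays } | ForEach-Object {
    Write-Warning "Certificate $($_.Thumbprint) expires in $($_.DaysLeft) days"
}
```

Any other certificate in the store with the same EKU is listed as well, so match the thumbprints against the two certificates you enrolled in step 5.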


2 comments on “Configuring Network Device Enrollment Service for Windows Server 2008 with Custom Certificates”

  1. There’s a better way – create custom templates from CEP Encryption and Enrollment Agent (Computer) (v2 – MS Win Server 2003), enroll them with custom names and set Read-permissions for the NDES-service account on the private key. Provided – you are using certificates in the My-Store (NDES-config) and a custom service account.

  2. Pingback: inspired minds
