NDES with Multiple CA Servers

  • Question

  • Hi,

    We have a 2-Tier PKI Architecture On-Premises and we have the Intune Service running in Azure. I would like to know whether there is any possibility to use multiple CAs from NDES to enroll certificates from Intune.

    Thanks in Advance

    //Bala R

    Tuesday, January 30, 2018 1:13 PM

All replies

  • Not to the best of my knowledge.

    - You are only able to implement a single NDES connector in the Intune environment (limiting you to a single NDES server)

    - You can only connect an NDES server to a single CA

    You would have to look at a more advanced MDM solution such as Airwatch that is able to connect directly to CAs using RPCs.

    Brian

    Tuesday, January 30, 2018 2:02 PM
  • Thank you Brian :)

    Is it possible to configure Multiple Templates in a single CA server?

    //Bala R

    Tuesday, January 30, 2018 11:31 PM
  • Hi Bala,

    Your follow-up question is a bit ambiguous. I assume you mean to ask if it's possible to use NDES to issue certificates based on multiple certificate templates.

    The options to use multiple templates in an NDES Server are severely limited. You can specify one general purpose template, one Signing only template and one encryption template. You can find the controls for these templates in HKey_Local_Machine\Software\Microsoft\Cryptography\MSCEP.

    My suggestion would be to check if you really need multiple CAs and multiple templates. If you have the same attributes for the certificates (especially the extended key usage and subject name format requirements), you might just be fine with a single certificate template.

    Kind Regards,

    Wednesday, January 31, 2018 9:54 AM
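
The template limits described in the last reply can be checked on the NDES server itself. The following is an added example, not part of the original thread: it reads the MSCEP key named above and reports which template each of the three slots points to. The value names (SignatureTemplate, EncryptionTemplate, GeneralPurposeTemplate) and the default template name IPSECIntermediateOffline are the standard NDES ones and do not come from the posts.

```powershell
# Added example: audit which certificate template NDES uses for each key usage.
# Run locally on the NDES server. Value names and the default template name
# are the standard NDES ones, not values quoted in the thread.
$mscepKey = 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP'

# NDES picks the template from the key usage asked for in the SCEP request.
$slots = [ordered]@{
    SignatureTemplate      = 'Digital signature only'
    EncryptionTemplate     = 'Key encipherment only'
    GeneralPurposeTemplate = 'Digital signature and key encipherment'
}
$defaultTemplate = 'IPSECIntermediateOffline'   # written by NDES role setup

if (-not (Test-Path -Path $mscepKey)) {
    throw 'MSCEP key not found; is the NDES role installed on this server?'
}
$values = Get-ItemProperty -Path $mscepKey

$report = foreach ($name in $slots.Keys) {
    $template = $values.$name

    # Classify the slot so leftover defaults stand out in the output.
    if (-not $template) {
        $finding = 'missing'
    }
    elseif ($template -eq $defaultTemplate) {
        $finding = 'still default'
    }
    else {
        $finding = 'custom'
    }

    [pscustomobject]@{
        RegistryValue = $name
        KeyUsage      = $slots[$name]
        Template      = $template
        Finding       = $finding
    }
}
$report | Format-Table -AutoSize

# At most three templates can ever be served by one NDES instance.
$distinct = @($report.Template | Where-Object { $_ } | Sort-Object -Unique)
"Distinct templates reachable through this NDES server: $($distinct.Count) of 3 slots"
```

The registry holds the template name, not its display name, so compare the output against the name shown on the template's General tab on the CA.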