NDES expired Exchange Enrollment Agent (Offline)

  • Question

  • Hi,

    I have a problem with NDES: the Exchange Enrollment Agent (Offline) certificate is expired.

    Currently I know that I can't renew the certificate. How can I generate a new one without reinstalling NDES?

    Friday, October 23, 2015 10:13 AM

Answers

  • The way NDES works is that it simply looks for the two certificates, CEP Encryption and Exchange Enrollment Agent (Offline), in the machine store of the computer when the service starts.

    You simply have to request new certificates.

    1) For the CEP Encryption certificate, log on as a local Administrator, open the Certificates MMC focused on the local computer, and request a new CEP Encryption certificate. Configure the subject name as MachineNetBIOS-MSCEP-RA.

    2) For the Exchange Enrollment Agent (Offline) certificate, log on as the NDES service account. Request the certificate using the Certificates MMC focused on the current user. Configure the subject name as MachineNetBIOS-MSCEP-RA.

    3) Export the Exchange Enrollment Agent (Offline) certificate as a PKCS#12, including the private key.

    4) Import the Exchange Enrollment Agent (Offline) certificate and private key into the local machine store.

    5) Assign the NDES service account Full Control permissions on the two certificates' private keys.

    Restart IIS and recycle the NDES application pool.

    All should work again.

    Brian

    • Proposed as answer by Steven_Lee0510 Monday, November 9, 2015 10:14 AM
    • Marked as answer by Steven_Lee0510 Monday, November 9, 2015 3:01 PM
    Friday, October 23, 2015 3:27 PM
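The five steps above, driven from PowerShell with certreq.exe and the PKI and WebAdministration modules. This is an added example, not code from the original post or from Microsoft. Everything site-specific is an assumption: the CA config string, the NDES service account name, the scratch directory, and the template name NDESEnrollmentAgentExportable, which stands for a duplicate of "Exchange Enrollment Agent (Offline)" with private key export enabled (the built-in template does not allow it). The request INFs force a legacy CSP so that the private keys land as files under MachineKeys, which is what the permission step relies on.

```powershell
# Added example (not from the original post). Assumed values are marked below.
$CAConfig       = 'CA01.contoso.com\Contoso Issuing CA'   # assumption: your issuing CA
$ServiceAccount = 'CONTOSO\svc_ndes'                        # assumption: NDES service account
$WorkDir        = 'C:\NDES-Renew'                           # assumption: scratch directory
$RaSubject      = "CN=$($env:COMPUTERNAME)-MSCEP-RA"        # MachineNetBIOS-MSCEP-RA, as in the post
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# Writes a certreq INF for $Template, submits it to the CA and installs the issued
# certificate next to its key. MachineKeySet TRUE = local machine store, FALSE = current user.
# Assumes the template auto-issues (no CA manager approval pending).
function New-RaCertificate {
    param([string]$Template, [bool]$MachineKeySet)
    $inf = @"
[NewRequest]
Subject = "$RaSubject"
KeyLength = 2048
Exportable = TRUE
MachineKeySet = $(if ($MachineKeySet) { 'TRUE' } else { 'FALSE' })
ProviderName = "Microsoft Strong Cryptographic Provider"
RequestType = PKCS10
[RequestAttributes]
CertificateTemplate = $Template
"@
    $base = Join-Path $WorkDir $Template
    Set-Content -Path "$base.inf" -Value $inf -Encoding ASCII
    certreq.exe -new "$base.inf" "$base.req"                      | Out-Null
    certreq.exe -submit -config $CAConfig "$base.req" "$base.cer" | Out-Null
    certreq.exe -accept "$base.cer"                               | Out-Null
    $store = if ($MachineKeySet) { 'Cert:\LocalMachine\My' } else { 'Cert:\CurrentUser\My' }
    Get-ChildItem $store |
        Where-Object { $_.Subject -eq $RaSubject -and $_.HasPrivateKey } |
        Sort-Object NotBefore -Descending | Select-Object -First 1
}

# Grants $Account Full Control on the private key file of a legacy-CSP machine certificate.
# CNG (KSP) keys are stored elsewhere and would need the MMC "Manage Private Keys" dialog instead.
function Grant-PrivateKeyFullControl {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [string]$Account)
    $keyName = $Cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
    $keyFile = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$keyName"
    icacls.exe $keyFile /grant "${Account}:(F)" | Out-Null
    $keyFile
}

# --- Step 1: run in an elevated session as a local Administrator ---
$cep = New-RaCertificate -Template 'CEPEncryption' -MachineKeySet $true

# --- Steps 2 and 3: run as the NDES service account (current-user store), then export with key ---
$pfxPassword = Read-Host -AsSecureString 'PFX password'
$ea  = New-RaCertificate -Template 'NDESEnrollmentAgentExportable' -MachineKeySet $false   # assumption: duplicated template
$pfx = Join-Path $WorkDir 'EnrollmentAgent.pfx'
Export-PfxCertificate -Cert $ea -FilePath $pfx -Password $pfxPassword | Out-Null

# --- Step 4: back in the Administrator session, import the PKCS#12 into the machine store ---
Import-PfxCertificate -FilePath $pfx -CertStoreLocation 'Cert:\LocalMachine\My' -Password $pfxPassword | Out-Null
Remove-Item $pfx    # do not leave the RA signing key lying around on disk

# --- Step 5: Full Control for the service account on both (non-expired) RA private keys ---
Get-ChildItem 'Cert:\LocalMachine\My' |
    Where-Object { $_.Subject -eq $RaSubject -and $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
    ForEach-Object { Grant-PrivateKeyFullControl -Cert $_ -Account $ServiceAccount }

# Check what NDES will see at service start, then restart IIS and recycle the NDES pool (named SCEP)
Get-ChildItem 'Cert:\LocalMachine\My' | Where-Object { $_.Subject -eq $RaSubject } |
    Format-Table Subject, NotAfter, HasPrivateKey, Thumbprint -AutoSize
iisreset.exe | Out-Null
Import-Module WebAdministration
Restart-WebAppPool -Name 'SCEP'
```

The script is not run top to bottom in one session: steps 2 and 3 run in a shell started as the service account (for example `runas /user:CONTOSO\svc_ndes powershell.exe`), the rest in an elevated Administrator session, and the PFX password is entered in both. `New-RaCertificate` returns the newest certificate with the requested subject, so a still-present expired certificate with the same name is not picked up by mistake.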

All replies

  • Thank you for your answer Brian
    Tuesday, November 10, 2015 10:48 AM
  • I just want to add to this old post and say that this is the worst suggestion I have ever read by an MVP. It's 100% incorrect and should be removed, as it's irresponsible.

    You cannot export the private key of the Exchange Enrollment Agent (Offline) cert, and the check box to allow export is greyed out and can't be changed on the template.

    Please correct your mistake.

    Wednesday, November 28, 2018 9:39 PM
  • Sigh, duplicate the template, enable export, continue.

    You really can't get help by criticizing people...

    Brian

    Thursday, November 29, 2018 3:26 AM
  • Hi Brian,

    Kindly advise, can we also use the method mentioned in the link below?

    https://support.microsoft.com/en-in/help/2712186/renewal-of-enrollment-agent-certificate-used-by-ndes-may-fail

    Regards

    Afsar


    Wednesday, April 3, 2019 2:48 PM