SCEP Creating Certificates

  • Question

  • I have a RADIUS policy for WiFi access that requires a certificate to be on a WiFi device, e.g. iPhone.

    I have this working using Client Authentication certificates, but the process is very manual.

    We have recently setup an MDM solution that utilises a SCEP server to create a certificate and place it on the iPhone.

    However, the SCEP only seems to create "IP Sec IKE Intermediate" certificates, whereas I want to put "Client Authentication" certificates on the phones.

    I changed the 3 registry entries in

    HKEY_L_M/SOFTWARE/Microsoft/Cryptography/MSCEP

    to point to the Client Authentication certificate template that I want to be used to create certificates to be installed on the iPhone. But a certificate is not created.

    Will SCEP only create and install an "IP Sec IKE Intermediate", e.g. IPSEC (Offline Request), certificate?

    What am I doing wrong when trying to use SCEP with an MDM solution to get a certificate on a device to allow them access to our corporate WiFi network?

    Thanks.

    Please don't tell me to use the SCEP forum, as I already did that and they sent me to the Certificates forum.

    Thursday, March 7, 2013 12:49 AM

Answers

  • This typically occurs when you have incorrectly assigned permissions at the certificate template level.

    1) The NDES service account must be assigned read and Enroll permissions on all three certificate templates designated

    2) The account that is used to get the one time secret for the NDES request must be assigned Read and Enroll permissions on all three certificate templates designated

    3) The three certificate templates must be available for enrollment

    4) You must do an IISRESET on the NDES server after modifying the registry

    5) In the MDM solution, you must designate whether the request is for a signing, encryption, or general purpose template to choose between the three templates

    Brian

    • Marked as answer by 朱鸿文 Thursday, March 28, 2013 5:28 AM
    Saturday, March 16, 2013 1:17 PM

All replies

  • The Microsoft NDES server [SCEP implementation] is not tied to the IPSEC IKE Intermediate certificate template... The template is chosen based on the key usage submitted by the client [iPhone]. The iPhone determines what key usage to send based on the profile which is coming from the MDM.

    Can you elaborate on which registry settings you changed?

    Andrew

    Friday, March 15, 2013 11:28 PM
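    The following PowerShell script is an added example, not code from the thread or from Microsoft. It runs on the NDES server and checks the conditions in Brian's answer (steps 1 to 4) against the three templates that NDES selects by key usage, as Andrew describes. It assumes the three MSCEP registry values SignatureTemplate, EncryptionTemplate and GeneralPurposeTemplate (the documented NDES value names under the key the question mentions) and the well-known AD extended-right GUID for Enroll; the two account names are placeholders to replace. The permission check only matches ACEs granted directly to the account, not rights inherited through group membership, so a "False" there is a prompt to look, not proof of a missing grant.

    ```powershell
    # Added example (not from the thread): pre-flight check of the NDES template
    # configuration on the NDES server. Run as an account that can read the AD
    # Configuration partition and the MSCEP registry key.
    param(
        # Placeholder: the NDES service account (identity of the SCEP app pool)
        [string]$NdesServiceAccount = 'CONTOSO\svc-ndes',
        # Placeholder: the account the MDM uses to fetch the one-time challenge password
        [string]$SecretRequestAccount = 'CONTOSO\svc-mdm'
    )

    $ErrorActionPreference = 'Stop'

    # The "3 registry entries" from the question. NDES picks one of the three from
    # the key usage in the device's request: signature only, encryption only, or both.
    $regPath    = 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP'
    $valueNames = 'SignatureTemplate', 'EncryptionTemplate', 'GeneralPurposeTemplate'

    # Certificate templates and enrollment services live in the Configuration partition
    $configNc = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $pkiBase  = "CN=Public Key Services,CN=Services,$configNc"

    # Well-known GUID of the "Enroll" extended right on certificate templates
    $enrollGuid = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'

    function Test-TemplateAccess {
        # Steps 1 and 2: does the account hold direct Allow ACEs for Read and Enroll?
        # Caveat: rights granted via group membership are not resolved here.
        param([string]$TemplateName, [string]$Account)
        $path = "LDAP://CN=$TemplateName,CN=Certificate Templates,$pkiBase"
        if (-not [System.DirectoryServices.DirectoryEntry]::Exists($path)) {
            Write-Warning "Template '$TemplateName' does not exist in AD"
            return $false
        }
        $rules = ([ADSI]$path).ObjectSecurity.GetAccessRules(
            $true, $true, [System.Security.Principal.NTAccount])
        $mine = $rules | Where-Object {
            $_.IdentityReference.Value -eq $Account -and $_.AccessControlType -eq 'Allow'
        }
        $readMask = [System.DirectoryServices.ActiveDirectoryRights]::GenericRead -bor
                    [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty
        $read = $mine | Where-Object { ($_.ActiveDirectoryRights -band $readMask) -ne 0 }
        $enroll = $mine | Where-Object {
            (($_.ActiveDirectoryRights -band
              [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0) -and
            $_.ObjectType -eq $enrollGuid
        }
        return ([bool]$read -and [bool]$enroll)
    }

    function Test-TemplatePublished {
        # Step 3: the template must be listed on at least one CA's enrollment-service object
        param([string]$TemplateName)
        $services = ([ADSI]"LDAP://CN=Enrollment Services,$pkiBase").Children
        foreach ($ca in $services) {
            if (@($ca.certificateTemplates) -contains $TemplateName) { return $true }
        }
        return $false
    }

    $results = foreach ($name in $valueNames) {
        $template = (Get-ItemProperty -Path $regPath -Name $name).$name
        [pscustomobject]@{
            RegistryValue   = $name
            Template        = $template
            Published       = Test-TemplatePublished -TemplateName $template
            NdesAccountOk   = Test-TemplateAccess -TemplateName $template -Account $NdesServiceAccount
            SecretAccountOk = Test-TemplateAccess -TemplateName $template -Account $SecretRequestAccount
        }
    }
    $results | Format-Table -AutoSize

    # Step 4: registry changes only take effect once the SCEP application is recycled
    $failed = $results | Where-Object { -not ($_.Published -and $_.NdesAccountOk -and $_.SecretAccountOk) }
    if ($failed) {
        Write-Warning 'Fix the items marked False above, then run "iisreset" on this server.'
    }
    ```

    The template names stored in the registry are the template CN values (the default for all three is the IPSEC (Offline Request) template the question sees), which is why the script looks them up by CN directly. Step 5 of the answer is outside the server's control: the MDM profile decides which key usage the iPhone sends, and therefore which of the three rows above the request lands on.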