Windows Server 2008 R2’s feature lets you issue certificates to network devices
If you have a large network with many network devices that need to be issued with a certificate that must also be trusted by Windows clients, Windows Server 2008 R2’s Network Device Enrollment Service (NDES) provides a solution for issuing and managing certificates. (See also, "DNS in Windows Server 2008 R2" and "Windows Deployment Service in Server 2008 R2").
NDES is Microsoft’s implementation of the Simple Certificate Enrollment Protocol. SCEP is an Internet-Draft standard developed by Cisco Systems and submitted to the Internet Engineering Task Force that helps solve the problem of manually requesting and installing certificates by enabling devices to enroll for x509 v3 certificates from any CA that supports SCEP.
NDES in Server 2008 and later includes some welcome improvements over the old SCEP add-on, such as the ability to renew certificates using a previously issued certificate to validate the request.
Distributing certificates to Windows OSs from an Active Directory (AD) enterprise Certification Authority (CA) is relatively simple and can be automated using Group Policy Certificate Autoenrollment after a PKI is in place.
But to issue certificates to devices that don’t have accounts in AD, sysadmins must manually create Public-Key Cryptography Standards (PKCS) requests and install certificates on those devices. This can be a time-consuming task in organizations that have hundreds of devices that aren’t part of AD.
This article provides an overview of how to set up NDES as part of an already existing PKI, and the steps for issuing a network device with a certificate.
Due to the complexity of PKIs and the varying requirements for different scenarios, you should carefully study “Microsoft SCEP Implementation Whitepaper” for how to implement NDES. You should also test thoroughly in a lab environment before deploying NDES in your production environment.
SCEP in Windows Server
NDES is a native component of Server 2008 (Enterprise and Datacenter editions only) and later, and can be installed on a machine that’s running a standalone CA or on a dedicated server that communicates with an issuing enterprise CA.
The NDES server role shouldn’t be installed on a device that’s running the enterprise CA role, to minimize the attack surface and protect the CAs private key. NDES is intended for organizations that already have a PKI in place and want to issue certificates to network devices, such as routers and firewalls, to improve security by protecting network traffic with IPsec.
For example, this could include IPsec VPNs between routers or from notebooks to network edge devices. Not all devices support SCEP, so you should check with the equipment manufacturer.
Previous implementations of SCEP were available in the Windows Server 2003 Resource Kit or as a downloadable add-on for Windows 2000 Server, but differ from what’s outlined in this article. So if you’re working with versions of Windows earlier than Server 2008, you should check Microsoft’s website for details.
You can download the add-on for Windows 2003 at Microsoft’s site. For additional information, check out the Windows IT Pro article “Setting Up a VPN that Uses Certificates,” InstantDoc ID 49738.
NDES in Windows Server 2008 R2
Server 2008 R2 and Server 2008 SP2 include changes to NDES that let administrators more easily request and renew expired certificates. Single Password Mode, which can be enabled on the NDES machine by setting the HKEY_LOCAL_MACHINE\Microsoft\Cryptography\MSCEP\UseSinglePassword REG_DWORD registry value to 1, lets admins request a password for certificate enrollment that doesn’t expire, and is stored and encrypted in the system registry
This makes it easier to renew expired certificates and a single password can be deployed to multiple network devices. Certificate renewal is enabled by default in Server 2008 R2 and Server 2008 SP2.
If your PKI consists of a standalone CA, it should be in an isolated certification hierarchy that serves only SCEP-enabled devices. The root CA shouldn’t be trusted by other devices on the network.
If your organization uses Cisco equipment and Windows clients don’t need to trust network devices, you might be able to deploy a Cisco IOS Certification Authority server—a CA that runs on a Cisco device running Internetwork Operating System. Additionally, some devices have limited support for certain PKI configurations, including long encryption key lengths, subordinate CAs, and multi-tier PKI hierarchies.
Standalone or Enterprise CA?
Implementing NDES with a standalone CA that’s dedicated to providing network devices with certificates might be better suited to situations where Windows clients aren’t required to trust network devices; for instance, where router-to-router VPNs will be configured with IPsec encryption. An enterprise CA and an NDES server might be more convenient if Windows clients need to trust network devices for the purposes of establishing VPN connections.
Setting up NDES
Let’s install the NDES server role to communicate with an issuing enterprise CA. This is a typical setup where certificates are issued to network devices that will be trusted by domain-joined Windows clients. You’ll need an AD enterprise CA already in place, with a root CA configured and taken offline.
Before installing NDES, we need to create two domain user accounts: NDES_Admin and NDES_ServiceAccount. The NDES_Admin account is used for installing the NDES server role and requesting an enrollment password.
The NDES_ServiceAccount is used to run the service and is specified during the setup process. Add NDES_Admin to the local Administrators group on the NDES box and to the Enterprise Admins group in the AD domain. Add the NDES_ServiceAccount group to the local IIS_IUSRS group on the NDES box.
Duplicate the Certificates
Now we need to duplicate the CEP Encryption, Exchange Enrollment Agent (Offline Request) and IPsec (Offline Request) certificates. To do so, log in to your issuing CA as a domain administrator.
1. Open the Certification Authority Microsoft Management Console (MMC) from Administrative Tools on the Start menu.
2. In the left pane of MMC, expand the CA. Right-click the Certificate Templates folder and select Manage from the menu. The Certificate Templates MMC will open.
3. In the Certificate Templates MMC, right-click the Exchange Enrollment Agent (Offline request) template and select Duplicate Template from the menu.
4. In the Duplicate Template dialog box, select Windows Server 2008 Enterprise and click OK.
5. In the Properties dialog box on the General tab, enter NDES Exchange Enrollment Agent (Offline request) into the Template display name box.
6. Switch to the Security tab and click Add to assign permissions for the NDES_Admin group. Enter NDES_Admin into the box and click OK.
7. Set permissions on the Security tab for NDES_Admin to Read and Enroll.
8. Repeat steps 3 through 7 for the CEP Encryption template.
9. Repeat steps 3 through 7 again for the IPsec (Offline Request) template. Additionally, we need to set permissions for NDES_ServiceAccount on the NDES IPsec (Offline Request) template to Read and Enroll.
10. Close the Certificate Templates MMC.
11. In the Certification Authority MMC, click the Certificate Templates folder in the left pane. The currently published templates will be displayed on the right.
12. Right-click the Certificate Templates folder in the left pane and select New, Certificate Template to Issue from the menu.
13. In the Enable Certificate Templates dialog box, which Figure 1 shows, select the three NDES templates and click OK.
We’ve got the necessary templates in place. Next, we need to assign accounts appropriate permissions to the issuing CA.
1. In the Certification Authority MMC, right-click the CA in the left pane and select Properties from the menu.
2. Select the Security tab and click Add to assign permissions for NDES_ServiceAccount.
3. Type NDES_ServiceAccount into the box and click OK.
4. Set permissions on the Security tab for NDES_ServiceAccount to Read and Request Certificates (see Figure 2).
5. Click OK to close the properties dialog box.
The issuing CA is properly configured. Now we can install the NDES server role on a separate server.
1. Log in to the NDES box using the NDES_Admin account created earlier.
2. Open Server Manager from the Start menu.
3. In the left pane of Server Manager, right-click Roles and select Add Roles from the menu.
4. Click Next on the Before You Begin screen in the Add Roles Wizard.
5. Select Active Directory Certificate Services on the Select Server Roles screen and click Next.
6. Click Next on the Introduction screen.
7. On the Select Role Services screen, clear Certification Authority and select Network Device Enrollment Service. As I mentioned previously, NDES can’t be installed on the same machine as a CA.
8. In the Add Roles Wizard dialog box, click Add Required Role Services to install the necessary IIS and Remote Server Administration Tool components.
9. On the Specify User Account screen click Select User. In the Windows Security dialog box, enter the username and password for the NDES_ServiceAccount and click Next.
10. Click Browse in the Specify CA for Network Device Enrollment Service dialog box.
11. In the Select Certification Authority dialog box, select the issuing CA, click OK and Next to continue.
12. On the Specify Registration Authority Information screen, modify the Country/Region field as necessary and click Next.
13. On the Configure Cryptography for Registration Authority screen, accept the default settings, which you can see in Figure 3, and click Next.
14. Click Next on the Web Server (IIS) introduction screen.
15. Accept the defaults on the Select Role Services screen by clicking Next.
16. Click Install on the Confirm Installation Selections screen.
17. Click Close on the Installation Results screen.
Modify the NDES Registry
Before we can request a password from NDES to start the certificate request process, we need to set some registry keys on the NDES server to point to our NDES IPsec (Offline Request) certificate, then restart IIS.
1. Open regedit from the Search programs and files box on the Start menu.
2. In the left pane of Registry Editor, navigate to the following registry key: HKLM\Software\Microsoft\Cryptography\MSCEP (see Figure 4).
3. You’ll find three REG_SZ values: EncryptionTemplate, GeneralPurposeTemplate and SignatureTemplate. Set all three values to NDESIPSECIntermediateOffline, then close Registry Editor.
4. Type cmd into the Search programs and files box on the Start menu and click Ctrl+Shift+Enter to start the command prompt with administrative privileges.
5. Type the following two commands to restart IIS:
net stop w3svc
net start w3svc
6. Close the command prompt.
Request a Certificate
Next, you need to request a certificate for the network device. The first step in the process of setting up a certificate is to generate a public/private key pair on the device. This procedure will vary depending on your equipment. In Cisco IOS, the command might look something like this:
crypto key generate rsa general-keys modulus 2048
If you don’t specify the label switch in the crypto command, the name of the key pair defaults to the name of the network device. The key length, stated here as 2048, should match that specified on the Configure Cryptography for Registration Authority screen when NDES was set up.
On the NDES server, log in using the NDES_Admin account and open Internet Explorer. Enter the NDES admin page address http://localhost/certsrv/mscep_admin/. You’ll be presented with a hash value for the CA certificate and an enrollment challenge password that’s good for 60 minutes (Figure 5).
The network device then needs to be configured to trust the enterprise CA. Again, this procedure is different for every device and you will need to refer the manufacturer’s instructions. When configuring the device to trust the enterprise CA you’ll need to specify the name of the key pair created earlier and the enrollment URL for the enterprise CA, http://NDES1/certsrv/mscep.dll?operation=GetCACert&message=NetworkDeviceID.
SCEP calls to the NDES server are made via mscep.dll and HTTP GET commands. In the URL above you can see the GetCACert command is issued to NDES.
After the network device trusts the enterprise CA, we can issue a certificate request. Some devices require you to authenticate the enterprise as a separate step before you can issue a certificate request. You’ll also need the one-time enrollment password (OTP) issued by NDES to complete the request.
If a value for the KeyUsage extension isn’t specified in the request, a default value of 0xa0 will be used that refers to the GeneralPurposeTemplate as specified in the system registry. Other possible values include 0x80 for the SignatureTemplate and 0x20 for the EncryptionTemplate.
The enterprise CA will process the certificate request on behalf of NDES, which then issues the certificate to the network device.
Complexity Worth the Trouble
You have now learned how to set up NDES as part of an already existing PKI. However, before you ever do so, you should read the Microsoft white paper I referenced at the beginning, and you should also test thoroughly in a lab environment before deploying NDES in your production environment.