Cryptographic Hardening of SCEP Transactions for the Network Device Enrollment Service (NDES)

The Simple Certificate Enrollment Protocol (SCEP) is an ancient protocol from the early 2000s. It does not use Transport Layer Security (TLS). Therefore, the protocol messages are encrypted at the transport layer.

When sending the certificate request to the NDES server, the client will sign the certificate request with the NDES server's CEP encryption certificate (which was previously communicated to it via the GetCACert message).

Upon receiving the issued certificate, the NDES server will encrypt the response using a self-signed certificate temporarily generated by the SCEP client.

In both cases, a symmetric encryption algorithm is used.

Continue reading „Kryptographische Härtung der SCEP-Transaktionen für den Registrierungsdienst für Netzwerkgeräte (Network Device Enrollment Service, NDES)“

Network Device Enrollment Service (NDES) Basics

The Simple Certificate Enrollment Protocol (SCEP) was developed by Verisign for Cisco in the early 2000s to provide a simplified method for requesting certificates. Previously, network devices required manually generating a certificate request on each device, submitting it to a certificate authority, and then manually reinstalling the issued certificate on the corresponding device.

Continue reading „Grundlagen Registrierungsdienst für Netzwerkgeräte (Network Device Enrollment Service, NDES)“

Using custom Registration Authority (RA) certificate templates for the Network Device Enrollment Service (NDES).

The Network Device Enrollment Service (NDES) uses two certificate templates for its internal function to make it act as a Registration Authority (RA). These are published during role configuration of the NDES service on the configured certificate authority and certificates are requested:

  • CEP Encryption
  • Exchange Enrollment Agent (Offline Request)

These certificate templates are standard templates from the Windows 2000 world (version 1 templates), i.e. they cannot be edited. In addition, the Exchange Enrollment Agent (Offline Request) template is marked as a user template, i.e. during NDES role configuration the certificate is requested in the context of the installing user and then imported into the machine store. At the latest when the certificates are to be renewed after two years, things get complicated here.

It is therefore a good idea to use your own certificate templates for NDES. These can be adapted in terms of their key length, for example. The use of hardware security modules (HSM) is also possible in this way. Even automatic renewal can be configured.

Continue reading „Eigene Registration Authority (RA) Zertifikatvorlagen für den Registrierungsdienst für Netzwerkgeräte (NDES) verwenden“
en_USEnglish