Enabling Secure Sockets Layer (SSL) for the Network Device Enrollment Service (NDES).

In the default configuration, the Network Device Enrollment Service (NDES) only accepts unencrypted connections via HTTP. It is recommended that at least the NDES administration web page be configured for HTTP over TLS (HTTPS) to make it difficult to capture network traffic. The following is a guide.

For a closer look at the need to use SSL, see the article "Should HTTPS be used for the Network Device Enrollment Service (NDES)?„.

The Network Device Enrollment Service (NDES) provides a way for devices that do not have an identifier in Active Directory (for example, network devices such as routers, switches, printers, thin clients, or smartphones and tablets) to request certificates from a certification authority. For a more detailed description, see the article "Network Device Enrollment Service (NDES) Basics„.

Apply for an SSL certificate

First, a Web Server certificate must be requested for the NDES server.

Binding the SSL certificate to the NDES server

After an SSL certificate has been requested for the NDES server, it must now be bound to the web server. To do this, the Internet Information Services (IIS) Manager is called up via the administration tools.

NDES is installed in the default web site of the web server. Accordingly, the bindings must be edited here.

If there is no SSL binding yet, a new one must be created.

The Default Web Site should answer all requests not defined otherwise, so the default setting regarding IP addresses and hostnames can be kept. Only the SSL certificate must be selected.

Enforce SSL usage

Now the web server supports requests via HTTPS, but for NDES these are not enforced, i.e. requests can still be submitted via HTTP. If you want to enforce SSL specifically for NDES, go to the default web site and click "View Applications" on the right side.

NDES splits into two applications:

  • The interface for requesting one-time passwords (mscep_admin)
  • The interface for requesting the certificates (mscep)

It is recommended to force HTTPS at least for the mscep_admin application to prevent the logging of credentials. The mscep application can optionally also be configured to force HTTPS, but this is not absolutely necessary since encryption already takes place at the protocol level (see article "Should HTTPS be used for the Network Device Enrollment Service (NDES)?"."). The procedure is identical and is therefore described only once for the mscep_admin application.

After double-clicking on the application, select the "SSL Settings".

Here you activate the "Require SSL" checkbox.

Then click on "Apply" on the right-hand side.

Now, if desired, the mscep can be configured according to the identical pattern. One clicks before once on a node outside of the default web site and afterwards again on the default web site, in order to receive the applications again for the selection.

NDES should now refuse to accept connections over HTTP without TLS.

Related links: