Does the Network Device Enrollment Service (NDES) depend on the NTAuthCertificates object?

The Network Device Enrollment Service (NDES) uses two Registration Authority (RA) certificates. Certificate requests are signed with the enrollment agent certificate, and the NDES device template can be configured so that the certification authority issues certificates only when the submitted request carries a corresponding signature.

If you plan to remove the certification authority connected to the NDES from the NTAuthCertificates object, the question may arise as to whether mutual dependencies need to be taken into account here; after all, Enroll on Behalf Of (EOBO) requires the presence of the certification authority certificate in NTAuthCertificates.

The Network Device Enrollment Service (NDES) provides a way for devices that do not have an identity in Active Directory (for example, network devices such as routers, switches, printers, thin clients, or smartphones and tablets) to request certificates from a certification authority. For a more detailed description, see the article "Network Device Enrollment Service (NDES) Basics".

Does NDES have a dependency on NTAuthCertificates?


NDES can be operated without the certification authorities concerned being members of NTAuthCertificates.

The only exception is renewal mode, i.e. when a certificate request is signed with an existing certificate. In this case, the certification authority that issued the certificates to be renewed must be a member of NTAuthCertificates. If it is not, the NDES server logs Event ID 28 when a certificate request is processed in renewal mode and rejects the request.

However, most client-side implementations of the SCEP protocol do not use renewal mode anyway, so this should not be a major limitation. The biggest entry point remains regular certificate enrollment, with or without a one-time password; its effects can be drastically reduced, for example, with the TameMyCerts Policy Module for Microsoft Certification Authority.

Does NDES use the Enroll on Behalf Of (EOBO) mechanism?

The answer to this question is clearly "no": the certificate request via NDES does not use Enroll on Behalf Of. It is simply a signed certificate request. Accordingly, it also works if the certification authority is not a member of NTAuthCertificates.

Conversely, however, this also means that NDES cannot work with Restricted Enrollment Agents.

If you want to operate your certification authority with one or more Network Device Enrollment Service (NDES) instances and at the same time with Extended Key Usage constraints, make sure that the "Certificate Request Agent" Enhanced Key Usage is included in the list of permitted enhanced key usages, since the Registration Authority (RA) certificates of the NDES must always come from the same certification authority.
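To verify the two conditions discussed above (whether the issuing CA is present in NTAuthCertificates, which matters only for SCEP renewal mode, and whether the RA certificates carry the Certificate Request Agent EKU and come from the same CA), the following added PowerShell example (not code from the original article) reads NTAuthCertificates from the Configuration partition and inspects the RA certificates in the local machine store of the NDES server. It assumes a domain-joined host with the ActiveDirectory RSAT module; the function names are hypothetical.

```powershell
# Added example, not part of the original article. Assumes: ActiveDirectory
# module available, read access to the Configuration partition, and the NDES
# RA certificates stored in Cert:\LocalMachine\My of the NDES server.
$enrollmentAgentOid = '1.3.6.1.4.1.311.20.2.1'   # "Certificate Request Agent" EKU

function Get-NTAuthThumbprints {
    # NTAuthCertificates is a single object whose multi-valued cACertificate
    # attribute holds the DER-encoded CA certificates trusted for enterprise PKI.
    $configNc = (Get-ADRootDSE).configurationNamingContext
    $dn = "CN=NTAuthCertificates,CN=Public Key Services,CN=Services,$configNc"
    $obj = Get-ADObject -Identity $dn -Properties cACertificate
    foreach ($raw in $obj.cACertificate) {
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$raw)
        $cert.Thumbprint
    }
}

function Get-NdesRaReport {
    $ntAuth = @(Get-NTAuthThumbprints)
    # Both NDES RA certificates (signing and encryption) carry the enrollment agent EKU.
    $raCerts = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $enrollmentAgentOid }
    $rows = foreach ($ra in $raCerts) {
        $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
        $null = $chain.Build($ra)
        # Element 0 is the RA certificate itself; element 1 is its issuing CA.
        $issuer = if ($chain.ChainElements.Count -gt 1) { $chain.ChainElements[1].Certificate } else { $null }
        [pscustomobject]@{
            RaSubject   = $ra.Subject
            Thumbprint  = $ra.Thumbprint
            IssuingCa   = if ($issuer) { $issuer.Subject } else { '<chain not built>' }
            # Only relevant if SCEP clients use renewal mode (otherwise Event ID 28).
            CaInNTAuth  = if ($issuer) { $ntAuth -contains $issuer.Thumbprint } else { $false }
            IssuerPrint = if ($issuer) { $issuer.Thumbprint } else { '' }
        }
    }
    # Both RA certificates must come from the same CA; more than one issuer is a misconfiguration.
    $distinctIssuers = @($rows.IssuerPrint | Where-Object { $_ } | Sort-Object -Unique).Count
    [pscustomobject]@{
        RaCertificates    = $rows
        SingleIssuingCa   = ($distinctIssuers -eq 1)
    }
}

$report = Get-NdesRaReport
$report.RaCertificates | Format-Table RaSubject, IssuingCa, CaInNTAuth -AutoSize
"RA certificates issued by a single CA: $($report.SingleIssuingCa)"
```

If `CaInNTAuth` is `False`, plain SCEP enrollment still works; only renewal-mode requests would be rejected with Event ID 28.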
