The Network Device Enrollment Service (NDES) is the Windows implementation of the Simple Certificate Enrollment Protocol (SCEP). It makes it possible for software running on network devices such as routers and switches, which have no domain credentials with which to authenticate to the CA, to enroll for certificates from a CA. Certificates obtained by these devices are typically used to enable IPsec.
NDES uses the following components:
| Component | Description |
|---|---|
| Network device | The router, switch, or other device that needs to obtain a certificate. Network devices are devices that cannot request a certificate directly from the CA, for example non-Windows devices that are not domain members. |
| Device administrator | The person responsible for managing the network device. |
| Registration authority (RA) | A Windows server running the NDES role service. It sits between the device and the CA: it hands out challenge passwords, verifies them on incoming requests, and submits the device's request to the CA on its behalf. |
The process for obtaining a certificate for the network device is as follows:
- On the network device, the device administrator runs the software included with the device to generate a key pair.
- The device administrator connects to the registration authority and requests a challenge password that will be included with the certificate request. The password is requested from http://servername/certsrv/mscep_admin, which requires the administrator to authenticate to the RA, and is returned in a Web page generated by the RA. The password is the only thing that proves the device's request is authorized, so retrieve it over HTTPS rather than plain HTTP.
- On the network device, the device administrator completes the certificate request process. The device submits the certificate request, including the password, to the RA at http://servername/certsrv/mscep. This URL does not require authentication; the password is what authorizes the request.
- The RA verifies the password and forwards the certificate request to the CA.
- The CA approves the certificate request and returns the certificate to the RA.
- The RA returns the certificate to the network device.
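The administrator's side of the flow above, as an added example that is not part of the original page. It assumes a hypothetical RA named ndes01.corp.example reachable over HTTPS, a caller logged on with an account that is allowed to request challenge passwords, and (an assumption about the admin page's markup) that the password is the first long run of hexadecimal characters in the returned HTML. The GetCACert query is a standard SCEP operation that NDES serves on the mscep URL without authentication.

```powershell
# Added example (not from the original page): exercising the two NDES URLs from an
# administrator workstation. Hypothetical RA name; adjust to your environment.
$ra = 'ndes01.corp.example'

# 1. mscep_admin requires Windows authentication; the challenge password comes back
#    in an HTML page. Use HTTPS so the password is not sent in the clear.
$resp = Invoke-WebRequest -Uri "https://$ra/certsrv/mscep_admin/" `
                          -UseDefaultCredentials -UseBasicParsing

# Assumption: the password is the first run of 16 or more hexadecimal characters in the
# page (NDES challenge passwords are hexadecimal strings). Adjust the pattern if your
# RA's page differs.
$m = [regex]::Match($resp.Content, '\b[0-9A-Fa-f]{16,}\b')
if (-not $m.Success) { throw 'No challenge password found in the RA response' }
$challenge = $m.Value
Write-Host "Challenge password (single use, expires after the configured validity period): $challenge"

# 2. mscep is the device-facing SCEP endpoint and is reachable without authentication.
#    GetCACert returns the RA/CA certificate chain; it confirms the endpoint is up and
#    shows exactly what an unauthenticated client on the network can see.
$ca = Invoke-WebRequest -Uri "https://$ra/certsrv/mscep/mscep.dll?operation=GetCACert&message=ca" `
                        -UseBasicParsing
Write-Host "GetCACert returned $($ca.RawContentLength) bytes, content-type $($ca.Headers['Content-Type'])"

# 3. The device now builds a SCEP PKCSReq containing its public key and the challenge
#    password (the PKCS#9 challengePassword attribute) and sends it to the same mscep
#    URL; the RA checks the password, then forwards the request to the CA.
```

Treat the value printed in step 1 as a one-time secret: it is valid for a single request and only until it expires, and whoever holds it can obtain a device certificate from the CA.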
To configure NDES:
- Create a dedicated user account that the NDES service will run as. This account must be a member of the IIS_IUSRS built-in group on the RA. Because the RA obtains an enrollment agent certificate under this identity, anyone who controls the account can request certificates on behalf of devices, so give it no other rights and protect it like any other privileged account.
- On the RA, install the Active Directory Certificate Services role with the Network Device Enrollment Service (NDES) role service. The RA does not need to be a CA. During installation you specify the NDES service account and the CA to which certificate requests received by the RA will be submitted.
- If you are using an enterprise CA, configure certificate template permissions so that the necessary identities can enroll. The RA runs as the NDES service account, so that account needs Read and Enroll on each of the three templates listed below:

| Template | Purpose |
|---|---|
| Exchange Enrollment Agent (Offline request) | An enrollment agent certificate that allows the RA to request certificates on behalf of network devices. The RA requests this certificate for itself. |
| CEP Encryption | A key exchange certificate whose public key devices use to encrypt their requests to the RA. The RA requests this certificate for itself. |
| IPsec (Offline request) | The template used to issue certificates to the network devices. The RA requests it by default; you can configure the RA to use a different template if desired. |

- Configure the CA to issue the three required templates.
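The configuration steps above as one unattended script, added here as an example and not taken from the original page. The service account CORP\svc-ndes and the CA ca01.corp.example\CORP-CA01-CA are hypothetical. Template ACLs (the Read and Enroll grants to the service account) are set in the Certificate Templates console and are not scripted here; the script covers the account, the role service, and publishing the templates on the CA.

```powershell
# Added example (not from the original page): NDES role installation on the RA and
# publishing the three templates on the CA. Account and CA names are hypothetical.
$svcAccount  = 'CORP\svc-ndes'
$svcPassword = Read-Host -AsSecureString -Prompt "Password for $svcAccount"
$caConfig    = 'ca01.corp.example\CORP-CA01-CA'

# Step 1: the NDES service account must be a member of the local IIS_IUSRS group on the RA.
Add-LocalGroupMember -Group 'IIS_IUSRS' -Member $svcAccount -ErrorAction SilentlyContinue

# Step 2: install the role service (this pulls in IIS if it is not already present), then
# configure it: the account the RA runs as and the CA it submits device requests to.
Install-WindowsFeature ADCS-Device-Enrollment -IncludeManagementTools
Install-AdcsNetworkDeviceEnrollmentService `
    -ServiceAccountName     $svcAccount `
    -ServiceAccountPassword $svcPassword `
    -CAConfig               $caConfig `
    -RAName 'CORP-NDES-RA' -RACountry 'US' -RACompany 'Corp' `
    -Force

# Step 3: publish the three templates so the CA will issue them. certutil takes template
# names, not display names:
#   Exchange Enrollment Agent (Offline request) -> EnrollmentAgentOffline
#   CEP Encryption                              -> CEPEncryption
#   IPsec (Offline request)                     -> IPSECIntermediateOffline
certutil -config $caConfig -SetCATemplates +EnrollmentAgentOffline
certutil -config $caConfig -SetCATemplates +CEPEncryption
certutil -config $caConfig -SetCATemplates +IPSECIntermediateOffline

# Step 4: confirm what the CA now publishes before pointing devices at the RA.
certutil -config $caConfig -CATemplates
```

Run steps 1 and 2 on the RA; steps 3 and 4 use -config so they can be run from the RA or from the CA itself by an account that is a CA administrator.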
Be aware of the following when using NDES:
- When you add the NDES role service, IIS is installed if it is not already present. Two virtual directories are created in IIS:
  - certsrv/mscep_admin is used by administrators to request challenge passwords. It requires Windows authentication.
  - certsrv/mscep is used by network devices to submit certificate requests. It accepts unauthenticated connections; the challenge password is what authorizes a request.
- By default, the RA allows at most 5 active registrations at a time, where an active registration is an issued challenge password that has not yet expired or been used. This is the same limit as the number of passwords the RA will hand out (the PasswordMax registry value). If you need more concurrent requests, increase the number of allowed passwords.
- After 60 minutes a password expires and can no longer be used to complete the request. If the password has expired, request a new one.
- Restarting IIS clears the password cache. This frees registrations for new password requests but also invalidates every outstanding password.
- You can configure the RA to accept requests without a password (the EnforcePassword registry value). Do not do this on an RA that untrusted networks can reach: with the check disabled, anyone who can connect to the mscep URL can obtain a certificate from the CA.
- Instead of modifying the templates NDES uses, duplicate them and have the RA use the copies. When you do this, you must update the EncryptionTemplate, GeneralPurposeTemplate, and SignatureTemplate values under HKLM\SOFTWARE\Microsoft\Cryptography\MSCEP on the RA with the new templates' template names (not their display names), then restart IIS so the RA picks them up.
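The password and template settings discussed in the list above live in the registry on the RA. The following script, added here as an example and not taken from the original page, audits those settings, flags the ones that weaken the challenge-password check, and applies hardened values. It assumes that each password setting lives in a subkey of HKLM\SOFTWARE\Microsoft\Cryptography\MSCEP holding a DWORD of the same name (the layout used by the documented NDES keys; confirm it against your RA before applying), and the template name CorpNDESDevice is hypothetical.

```powershell
# Added example (not from the original page): audit and harden NDES password settings
# on the RA. Registry layout is an assumption to verify; template name is hypothetical.
$base = 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP'

function Get-NdesSetting([string]$Name, $Default) {
    # Each password setting sits in its own subkey as a value with the same name;
    # an absent value means the built-in default applies.
    $v = Get-ItemProperty -Path "$base\$Name" -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $v) { return $Default } else { return $v.$Name }
}

$settings = [ordered]@{
    EnforcePassword   = Get-NdesSetting 'EnforcePassword'   1    # 1 = challenge password required
    PasswordMax       = Get-NdesSetting 'PasswordMax'       5    # concurrent unexpired passwords
    PasswordValidity  = Get-NdesSetting 'PasswordValidity'  60   # minutes a password stays valid
    UseSinglePassword = Get-NdesSetting 'UseSinglePassword' 0    # 1 = one static password for all devices
}
$templates = Get-ItemProperty -Path $base |
    Select-Object EncryptionTemplate, GeneralPurposeTemplate, SignatureTemplate
$settings
$templates

# Findings that matter: no password check, or a single shared password, turns the
# unauthenticated mscep URL into an open enrollment endpoint for whoever can reach it.
if ($settings.EnforcePassword -ne 1) {
    Write-Warning 'EnforcePassword is off: requests are accepted without a challenge password'
}
if ($settings.UseSinglePassword -eq 1) {
    Write-Warning 'UseSinglePassword is on: one static password authorizes every device'
}
if ($settings.PasswordValidity -gt 60) {
    Write-Warning "Challenge passwords stay valid for $($settings.PasswordValidity) minutes"
}

# Hardened values: require a fresh, single-use password and keep its lifetime short.
$hardened = @{ EnforcePassword = 1; UseSinglePassword = 0; PasswordValidity = 60 }
foreach ($pair in $hardened.GetEnumerator()) {
    New-Item -Path "$base\$($pair.Key)" -Force | Out-Null
    Set-ItemProperty -Path "$base\$($pair.Key)" -Name $pair.Key -Value $pair.Value -Type DWord
}

# Point the RA at a duplicated device template. These values take the template's
# template name, not its display name.
foreach ($name in 'EncryptionTemplate', 'GeneralPurposeTemplate', 'SignatureTemplate') {
    Set-ItemProperty -Path $base -Name $name -Value 'CorpNDESDevice'
}

# NDES reads these values at start, so recycle IIS. This also clears the password
# cache and invalidates any challenge passwords already handed out.
iisreset
```

Run the audit half on its own first; the hardening half changes behaviour for devices mid-enrollment, so schedule the iisreset for a window when no challenge passwords are outstanding.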