Renew expired NDES Certificates

Today I was at a customer where the NDES Server no longer issued SCEP certificates.
It quickly became apparent that the NDES certificates were expired.

There were events with IDs 2 and 10 in the Event Log:

The Network Device Enrollment Service cannot retrieve one of its required certificates (0x80070057). The parameter is incorrect.

and

The Network Device Enrollment Service cannot retrieve one of its required certificates (0x80070057). The parameter is incorrect.

When you try to access the admin page, the following error occurs

The solution was to renew the expired certificates.

1. Create .inf files for the certificate requests

You need two certificates in order to run NDES: one Exchange Enrollment Agent (Offline request) certificate and one CEP Encryption certificate. Each request needs its own .inf file.

EEARequest.inf for the Exchange Enrollment Agent (Offline request) certificate:

[NewRequest]
; Signing key: KeySpec 2 = AT_SIGNATURE, KeyUsage 0x80 = Digital Signature
Subject = "E=my@email.de, CN=MyCompany Registration Authority SCEP01, OU=IT, O=MyCompany, L=City, S=BW, C=DE"
Exportable = TRUE
KeyLength = 2048
KeySpec = 2
KeyUsage = 0x80
MachineKeySet = TRUE
ProviderName = "Microsoft Enhanced Cryptographic Provider v1.0"
ProviderType = 1
[EnhancedKeyUsageExtension]
; 1.3.6.1.4.1.311.20.2.1 = Certificate Request Agent
OID = 1.3.6.1.4.1.311.20.2.1
[RequestAttributes]
CertificateTemplate = EnrollmentAgentOffline

CEPEncryption.inf for the CEP Encryption certificate:

[NewRequest]
; Exchange key: KeySpec 1 = AT_KEYEXCHANGE, KeyUsage 0x20 = Key Encipherment
Subject = "E=my@email.de, CN=MyCompany Registration Authority SCEP01, OU=IT, O=MyCompany, L=City, S=BW, C=DE"
Exportable = TRUE
KeyLength = 2048
KeySpec = 1
KeyUsage = 0x20
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
[EnhancedKeyUsageExtension]
; 1.3.6.1.4.1.311.20.2.1 = Certificate Request Agent
OID = 1.3.6.1.4.1.311.20.2.1
[RequestAttributes]
CertificateTemplate = CEPEncryption

The user who submits the requests must have Enroll permission on both certificate templates.

2. Enroll the certificates with the .inf files

Now you have two .inf files and the certificate templates have the proper permissions.

Create the request files:

certreq.exe -f -new EEARequest.inf EEARequest.req
certreq.exe -f -new CEPEncryption.inf CEPEncryption.req

Create the certificates:

To submit the requests you need the Config string of your CA (CAhost\CA name). You can get this value by running certutil.exe without arguments, which displays the CA configuration.
Then select the CA that should sign the requests and pass its Config string to certreq:

certreq.exe -submit -config "yourConfigEntry" EEARequest.req EEARequest.cer
certreq.exe -submit -config "yourConfigEntry" CEPEncryption.req CEPEncryption.cer

Accept the certificates:

certreq.exe -accept EEARequest.cer
certreq.exe -accept CEPEncryption.cer

Now you should see two newly issued certificates in the local computer certificate store.

Add Read permission on the private keys for the IIS application pool service account

If you do not know which service account NDES is running under, you can check it in IIS Manager: the identity of the application pool that hosts the NDES application (SCEP by default).

Then grant that account Read permission (Read only, not Full Control) on the private keys of both newly created certificates.

Reset Internet Information Services

The last step is to reset IIS:

iisreset

After the reset you should be able to access the NDES admin page again.

In the Event Log you should see Event ID 1 "The Network Device Enrollment Service started successfully."
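The whole procedure above (inventory of the current NDES certificates, .inf generation, certreq new/submit/accept, private key ACL, IIS reset and the Event ID 1 check) as one elevated Windows PowerShell 5.1 script. This is an added example and not part of the original post. Assumptions not found in the post: the -CAConfig value and the script file name are placeholders, the application pool is named SCEP (the NDES default), the event provider name used in the final check is Microsoft-Windows-NetworkDeviceEnrollmentService, and the private keys are legacy CSP keys stored under MachineKeys, which the ProviderType 1/12 settings in the .inf files ensure. Exportable defaults to TRUE as in the post; FALSE is the safer choice unless you need to migrate the RA keys.

```powershell
# Renew-NdesCertificates.ps1 (hypothetical file name). Added example, not from the original post.
# Run elevated on the NDES server as a user with Enroll permission on both templates.
[CmdletBinding()]
param(
    [Parameter(Mandatory)] [string] $CAConfig,   # e.g. 'ca01.example.local\Example-Issuing-CA' (assumed placeholder)
    [string] $Subject     = 'E=my@email.de, CN=MyCompany Registration Authority SCEP01, OU=IT, O=MyCompany, L=City, S=BW, C=DE',
    [string] $AppPoolName = 'SCEP',              # NDES default app pool name (assumed)
    [string] $Exportable  = 'TRUE',              # as in the post; FALSE unless the key must be migrated
    [string] $WorkDir     = "$env:TEMP\ndes-renew"
)
$ErrorActionPreference = 'Stop'
$craEku = '1.3.6.1.4.1.311.20.2.1'               # Certificate Request Agent EKU, carried by both NDES certs
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# Step 0: list the NDES certificates already in the machine store and flag the expired pair.
Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $craEku } |
    ForEach-Object {
        $state = if ($_.NotAfter -lt (Get-Date)) { 'EXPIRED' } else { 'valid  ' }
        Write-Host ("{0} {1} until {2:yyyy-MM-dd}  {3}" -f $_.Thumbprint, $state, $_.NotAfter, $_.Subject)
    }

# Step 1: the two .inf files differ only in key type: a signing key for the Enrollment Agent
# certificate (KeySpec 2, 0x80) and an exchange key for CEP Encryption (KeySpec 1, 0x20).
function New-NdesRequestInf {
    param([string]$Subject, [string]$Exportable, [int]$KeySpec, [string]$KeyUsage,
          [string]$Provider, [int]$ProviderType, [string]$Template)
    @"
[NewRequest]
Subject = "$Subject"
Exportable = $Exportable
KeyLength = 2048
KeySpec = $KeySpec
KeyUsage = $KeyUsage
MachineKeySet = TRUE
ProviderName = "$Provider"
ProviderType = $ProviderType
[EnhancedKeyUsageExtension]
OID = $craEku
[RequestAttributes]
CertificateTemplate = $Template
"@
}
$specs = @(
    @{ Name = 'EEARequest';    KeySpec = 2; KeyUsage = '0x80'; ProviderType = 1
       Provider = 'Microsoft Enhanced Cryptographic Provider v1.0'; Template = 'EnrollmentAgentOffline' }
    @{ Name = 'CEPEncryption'; KeySpec = 1; KeyUsage = '0x20'; ProviderType = 12
       Provider = 'Microsoft RSA SChannel Cryptographic Provider';  Template = 'CEPEncryption' }
)

# Step 2: certreq -new / -submit / -accept per request. If the template requires CA manager
# approval, -submit leaves the request pending and no .cer is written, so that is checked too.
$issued = @(foreach ($s in $specs) {
    $inf = Join-Path $WorkDir "$($s.Name).inf"; $req = Join-Path $WorkDir "$($s.Name).req"; $cer = Join-Path $WorkDir "$($s.Name).cer"
    New-NdesRequestInf -Subject $Subject -Exportable $Exportable -KeySpec $s.KeySpec -KeyUsage $s.KeyUsage `
        -Provider $s.Provider -ProviderType $s.ProviderType -Template $s.Template | Set-Content -Path $inf -Encoding ASCII
    & certreq.exe -f -new $inf $req
    if ($LASTEXITCODE) { throw "certreq -new failed for $($s.Name)" }
    & certreq.exe -submit -config $CAConfig $req $cer
    if ($LASTEXITCODE -or -not (Test-Path $cer)) { throw "no certificate issued for $($s.Name) (pending approval or denied?)" }
    & certreq.exe -accept $cer
    if ($LASTEXITCODE) { throw "certreq -accept failed for $($s.Name)" }
    (New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cer).Thumbprint
})

# Step 3: resolve the app pool identity from IIS and grant it Read (only Read) on the new private keys.
Import-Module WebAdministration
$pm = Get-ItemProperty "IIS:\AppPools\$AppPoolName" -Name processModel
$identity = switch ("$($pm.identityType)") {
    'ApplicationPoolIdentity' { "IIS AppPool\$AppPoolName" }
    'SpecificUser'            { $pm.userName }
    'NetworkService'          { 'NT AUTHORITY\NETWORK SERVICE' }
    default                   { throw "App pool identity type '$($pm.identityType)' not handled here" }
}
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($identity, 'Read', 'Allow')
foreach ($thumb in $issued) {
    $cert = Get-Item "Cert:\LocalMachine\My\$thumb"
    # Legacy CSP machine keys are files under MachineKeys named after the unique key container.
    $keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
    $acl = Get-Acl $keyFile; $acl.AddAccessRule($rule); Set-Acl -Path $keyFile -AclObject $acl
    Write-Host "Granted Read on the private key of $thumb to $identity"
}

# Step 4: restart IIS, touch the admin page so the NDES application starts, then confirm Event ID 1.
& iisreset.exe
try { Invoke-WebRequest -Uri 'http://localhost/certsrv/mscep_admin/' -UseDefaultCredentials -UseBasicParsing | Out-Null } catch { }
Start-Sleep -Seconds 5
# Provider name assumed; compare with the source shown on the Event ID 2/10 entries in your log.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 1
    ProviderName = 'Microsoft-Windows-NetworkDeviceEnrollmentService' } -MaxEvents 1 | Format-List TimeCreated, Message
```

Run it as `.\Renew-NdesCertificates.ps1 -CAConfig 'ca01.example.local\Example-Issuing-CA'` (placeholder values). The old expired certificates are deliberately left in the store so you can compare thumbprints in the Step 0 output before deleting them; NDES picks the valid pair on start.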