Today I was at a customer where the NDES Server no longer issued SCEP certificates.
It quickly became apparent that the NDES certificates were expired.
There were events with ID 2 and 10 in the Application EventLog:
The Network Device Enrollment Service cannot retrieve one of its required certificates (0x80070057). The parameter is incorrect.
When you try to access the admin page (/certsrv/mscep_admin on the NDES server), an error page is shown as well.
The solution was to renew the two expired certificates:
1.) Create Inf files for the certificate request
You need two certificates in order to run NDES: one Exchange Enrollment Agent (Offline request) certificate and one CEP Encryption certificate. For each request you need an inf file.
EEARequest.inf for the Exchange Enrollment Agent (Offline request) certificate:
[NewRequest]
Subject = "E=my@email.de, CN=MyCompany Registration Authority SCEP01, OU=IT, O=MyCompany, L=City, S=BW, C=DE"
Exportable = TRUE
KeyLength = 2048
; KeySpec 2 = AT_SIGNATURE, KeyUsage 0x80 = Digital Signature: this key signs the SCEP requests
KeySpec = 2
KeyUsage = 0x80
; MachineKeySet = TRUE puts the key into the computer store, where NDES looks for it
MachineKeySet = TRUE
ProviderName = "Microsoft Enhanced Cryptographic Provider v1.0"
ProviderType = 1
[EnhancedKeyUsageExtension]
; 1.3.6.1.4.1.311.20.2.1 = Certificate Request Agent
OID = 1.3.6.1.4.1.311.20.2.1
[RequestAttributes]
CertificateTemplate = EnrollmentAgentOffline
CEPEncryption.inf for the CEP Encryption certificate:
[NewRequest]
Subject = "E=my@email.de, CN=MyCompany Registration Authority SCEP01, OU=IT, O=MyCompany, L=City, S=BW, C=DE"
Exportable = TRUE
KeyLength = 2048
; KeySpec 1 = AT_KEYEXCHANGE, KeyUsage 0x20 = Key Encipherment: devices encrypt their SCEP messages to this key
KeySpec = 1
KeyUsage = 0x20
MachineKeySet = TRUE
ProviderName = "Microsoft RSA Schannel Cryptographic Provider"
ProviderType = 12
[EnhancedKeyUsageExtension]
; 1.3.6.1.4.1.311.20.2.1 = Certificate Request Agent
OID = 1.3.6.1.4.1.311.20.2.1
[RequestAttributes]
CertificateTemplate = CEPEncryption
The user who requests the certificates has to have Enroll permissions on both certificate templates, and both templates have to be published on the issuing CA.
2.) Enroll certificates with the inf files
Now you have two inf files and the certificate templates have proper permissions.
Create the request files (-f overwrites existing output files; run this elevated on the NDES server, because MachineKeySet = TRUE creates the key in the computer store):
certreq.exe -f -new EEARequest.inf EEARequest.req
certreq.exe -f -new CEPEncryption.inf CEPEncryption.req
Create Certificates:
To create the certificates you need the "Config" name of your CA, in the form CAHOST\CAName. You can get this value by simply running certutil.exe without parameters and looking at the Config: line.
Then submit each request to the matching CA:
certreq.exe -submit -config "yourConfigEntry" EEARequest.req EEARequest.cer
certreq.exe -submit -config "yourConfigEntry" CEPEncryption.req CEPEncryption.cer
Accept the certificates (this binds the issued certificates to their private keys in the computer store):
certreq.exe -accept EEARequest.cer
certreq.exe -accept CEPEncryption.cer
Now you should see the two newly issued certificates in your local computer certificate store (certlm.msc, Personal > Certificates).
Add read permissions for the IIS app pool service account to both private keys: in certlm.msc, right-click the certificate > All Tasks > Manage Private Keys, and add Read for the account.
If you do not know which service account NDES is running under, you can easily check it in IIS Manager under Application Pools: the NDES pool is named SCEP, and its Identity column shows the account.
Reset Internet Information Services
The last step is resetting IIS from an elevated prompt:
IISreset
After the reset you should now be able to access the NDES admin page.
In the Application EventLog you should see Event ID 1 "The Network Device Enrollment Service started successfully." (NDES logs it when the first request hits the mscep application, so open the admin page once after the reset).
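The whole procedure above, scripted in PowerShell as an added example (this is not code from the original post). It writes the two inf files with the values from step 1, runs certreq -new/-submit/-accept, grants the NDES app pool account Read on the new key files, resets IIS and checks for Event ID 1. Assumptions to adjust before running: the CA config string $CAConfig, the subject, the scratch directory, the app pool name SCEP (the pool the NDES role creates) and the NDES event source name in the last step. Run it in an elevated Windows PowerShell 5.1 session on the NDES server as a user with Enroll permission on both templates; both templates must issue immediately (no CA manager approval), otherwise certreq -accept finds no .cer file.

```powershell
# Added example, not from the original post. Assumed values are marked; adjust them first.
$CAConfig = 'ca01.corp.example\Corp-Issuing-CA'   # assumed; form is CAHOST\CAName, see "certutil.exe" output
$Subject  = 'E=my@email.de, CN=MyCompany Registration Authority SCEP01, OU=IT, O=MyCompany, L=City, S=BW, C=DE'
$WorkDir  = 'C:\Temp\NDESRenew'                   # assumed scratch directory for inf/req/cer files
$PoolName = 'SCEP'                                # app pool created by the NDES role
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

function Invoke-CertReq {
    # Runs certreq.exe, shows its output, and stops the script on a non-zero exit code.
    param([string[]]$ArgList)
    & certreq.exe @ArgList | Out-Host
    if ($LASTEXITCODE -ne 0) { throw "certreq.exe $($ArgList -join ' ') failed with exit code $LASTEXITCODE" }
}

# The two requests differ only in key type, key usage, CSP and template (same values as the inf files above).
$requests = @(
    @{ Name = 'EEARequest';    KeySpec = 2; KeyUsage = '0x80'; Provider = 'Microsoft Enhanced Cryptographic Provider v1.0'; ProviderType = 1;  Template = 'EnrollmentAgentOffline' },
    @{ Name = 'CEPEncryption'; KeySpec = 1; KeyUsage = '0x20'; Provider = 'Microsoft RSA Schannel Cryptographic Provider';  ProviderType = 12; Template = 'CEPEncryption' }
)

# Step 1 + 2: write each inf file, create the request, submit it to the CA, accept the issued certificate.
$issued = foreach ($r in $requests) {
    $inf = Join-Path $WorkDir "$($r.Name).inf"
    $req = Join-Path $WorkDir "$($r.Name).req"
    $cer = Join-Path $WorkDir "$($r.Name).cer"
@"
[NewRequest]
Subject = "$Subject"
Exportable = TRUE
KeyLength = 2048
KeySpec = $($r.KeySpec)
KeyUsage = $($r.KeyUsage)
MachineKeySet = TRUE
ProviderName = "$($r.Provider)"
ProviderType = $($r.ProviderType)
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.4.1.311.20.2.1
[RequestAttributes]
CertificateTemplate = $($r.Template)
"@ | Set-Content -Path $inf -Encoding ASCII

    Invoke-CertReq @('-f', '-new', $inf, $req)                     # key pair in the computer store + request file
    Invoke-CertReq @('-submit', '-config', $CAConfig, $req, $cer)  # issued by the CA (template must issue immediately)
    Invoke-CertReq @('-accept', $cer)                              # binds the certificate to its private key in LocalMachine\My

    # Return the installed certificate object so the ACL step below can find its key file.
    $thumb = (New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cer).Thumbprint
    Get-Item "Cert:\LocalMachine\My\$thumb"
}

# Step 3: resolve the NDES app pool account and grant it Read on both private key files.
# Both inf files use legacy CSPs with MachineKeySet = TRUE, so the key files live under
# ProgramData\Microsoft\Crypto\RSA\MachineKeys (Windows PowerShell 5.1: .PrivateKey is an RSACryptoServiceProvider).
Import-Module WebAdministration
$pool    = Get-Item "IIS:\AppPools\$PoolName"
$account = switch ($pool.processModel.identityType) {
    'SpecificUser'   { $pool.processModel.userName }
    'NetworkService' { 'NT AUTHORITY\NETWORK SERVICE' }
    'LocalService'   { 'NT AUTHORITY\LOCAL SERVICE' }
    'LocalSystem'    { 'NT AUTHORITY\SYSTEM' }
    default          { "IIS AppPool\$PoolName" }      # ApplicationPoolIdentity
}
$keyDir = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'
foreach ($cert in $issued) {
    $keyFile = Join-Path $keyDir $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
    $acl = Get-Acl -Path $keyFile
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($account, 'Read', 'Allow')))
    Set-Acl -Path $keyFile -AclObject $acl
    '{0} ({1}): Read granted to {2}' -f $cert.Subject, $cert.Thumbprint, $account
}

# Step 4: reset IIS, touch the admin page so the mscep application starts, then look for Event ID 1.
iisreset | Out-Host
try { Invoke-WebRequest -Uri 'http://localhost/certsrv/mscep_admin/' -UseDefaultCredentials -UseBasicParsing | Out-Null }
catch { Write-Warning "Admin page request failed: $_" }
$started = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'Microsoft-Windows-NetworkDeviceEnrollmentService'; Id = 1 } -MaxEvents 1 -ErrorAction SilentlyContinue
if ($started -and $started.TimeCreated -gt (Get-Date).AddMinutes(-5)) { 'NDES started successfully (Event ID 1)' }
else { Write-Warning 'No recent NDES Event ID 1; check for Event IDs 2 and 10 in the Application log' }
```

If the app pool identity is a domain service account, the same account name is what the switch resolves to and what you would pick in Manage Private Keys; the file-level Read ACE is exactly what that dialog sets. Keep the old, expired certificates in the store until the Event ID 1 check passes, so you can compare if something goes wrong.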