Thursday, July 29, 2010

Misc 47

Now, if you've been following the previous articles, you know that enrolling a certificate manually by copying and pasting requests is a chore. There is a simpler way to do this.
Enter Microsoft's Network Device Enrollment Service (NDES), Microsoft's implementation of SCEP (Simple Certificate Enrollment Protocol), which they call MSCEP. It lets network devices such as routers enroll for a certificate conveniently, without copying the entire certificate request across by hand.

The NDES service can be installed either on a CA or on a separate W2K8 machine. If you want a certificate for SSL, such as for WebVPN, then the Certificate Authority in this case must be a Standalone one. For some reason I was not able to enroll a Web Server certificate no matter what "usage" commands I used; the only certificate template the server offers during enrollment from an Enterprise CA is the IPSec Intermediate Offline template, which is not usable as an SSL certificate.

Now, I'll assume that you know how to set up a Standalone CA. I have these roles installed, but you only need Certification Authority and the Network Device Enrollment Service:

During the installation, you can specify a user account that is used to authorize the certificate. Before that account can be used for this purpose, it must be added to the IIS_IUSRS group. In this example, I'm going to add my Administrator account to that group. To do this, open MMC and add the Local Users and Groups snap-in:

Now you can add Administrator into IIS_IUSRS group:

Now you can complete the NDES installation. We'll now hop onto a router to enroll the certificate. First make sure that the NDES server is reachable from the device, then configure a trustpoint like this:
! Generate an exportable general-purpose RSA key pair for the router
crypto key generate rsa general-keys exportable label RSAKEYPAIR
! Define the trustpoint that points at the NDES enrollment URL
crypto pki trustpoint TRUSTPOINT
 enrollment url
 subject-name CN=
 rsakeypair RSAKEYPAIR

In this case, is my CA/NDES and is my router. Now we'll need to make sure that the router's clock is accurate, since it is used when checking certificate validity:
conf t
! Timezone is configured in global configuration mode (Singapore, UTC+8)
clock timezone SGT 8
end
! clock set is a privileged EXEC command, so leave configuration mode first
clock set 11:03:00 July 29 2010

Now we'll add the CA certificate into the router:
crypto pki authenticate TRUSTPOINT

If it's all successful, you'll be asked to accept the CA certificate (compare the fingerprint shown with the one on the CA before accepting). Finally, we'll enroll the router's certificate through:
crypto pki enroll TRUSTPOINT

Now you'll get a message asking for a security code. This code can be obtained by visiting the mscep_admin page locally from the CA through:

Now simply paste the code into your terminal twice and your certificate should enroll successfully! In some cases, you may need to issue the certificate manually. To do this, open your Certification Authority console and go to Pending Requests. Right-click your request and choose All Tasks - Issue:

You may have to wait a while before the certificate reaches your router. When it does come in, this is the message you'll see:
Jul 29 03:17:49.271: %PKI-6-CERTRET: Certificate received from Certificate Authority
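Before pointing a router at an enrollment URL, it is worth knowing what the SCEP server actually advertises, because the router negotiates its digest and encryption algorithms from the server's GetCACaps response (RFC 8894). The following is an added example, not code from the original post or from Microsoft: it builds the GET URLs a SCEP client uses for the GetCACaps and GetCACert operations, parses a capabilities response, and flags weak or missing capabilities. The host name, the CA identifier and the sample response are all constructed; the /certsrv/mscep/mscep.dll path is the default NDES virtual directory.

```python
"""Added example: inspect a SCEP/NDES server's advertised capabilities.

Not code from the original post or from the NDES product. The host name,
CA identifier and sample GetCACaps response below are constructed.
"""
from urllib.parse import urlencode, urlsplit, urlunsplit

# Capability keywords defined in RFC 8894 section 3.5.2; anything else is ignored.
KNOWN_CAPS = {
    "AES", "DES3", "GetNextCACert", "POSTPKIOperation", "Renewal",
    "SHA-1", "SHA-256", "SHA-512", "SCEPStandard",
}

# Constructed enrollment URL using the default NDES virtual directory.
ENROLLMENT_URL = "http://ca.example.test/certsrv/mscep/mscep.dll"

# Constructed GetCACaps body in the style of an older NDES deployment:
# one keyword per line, CRLF terminated, plus one unknown keyword.
SAMPLE_CAPS_RESPONSE = "POSTPKIOperation\r\nSHA-1\r\nRenewal\r\nBogusCap\r\n"


def scep_url(enrollment_url, operation, message=None):
    """Build the GET URL a SCEP client sends for one SCEP operation.

    SCEP operations are selected with the 'operation' query parameter;
    GetCACert and GetCACaps may carry an optional CA identifier in 'message'.
    """
    parts = urlsplit(enrollment_url)
    query = {"operation": operation}
    if message is not None:
        query["message"] = message
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(query), ""))


def parse_caps(body):
    """Parse a GetCACaps response: one keyword per line, unknown words dropped."""
    caps = set()
    for line in body.splitlines():
        word = line.strip()
        if word in KNOWN_CAPS:
            caps.add(word)
    return caps


def assess_caps(caps):
    """Return (ok, findings) describing what a client would fall back to."""
    findings = []
    if not caps & {"SHA-256", "SHA-512"}:
        findings.append("no SHA-2 digest advertised: client falls back to SHA-1 or MD5")
    if "AES" not in caps:
        findings.append("no AES advertised: PKCS#7 envelope falls back to 3DES or single DES")
    if "POSTPKIOperation" not in caps:
        findings.append("GET-only PKIOperation: large requests may exceed URL length limits")
    if "Renewal" not in caps:
        findings.append("no Renewal: re-enrollment needs a fresh challenge password")
    return (len(findings) == 0, findings)


def check_server(enrollment_url, caps_body):
    """Tie the pieces together for one server: URLs used plus the assessment."""
    caps = parse_caps(caps_body)
    ok, findings = assess_caps(caps)
    return {
        "getcacaps_url": scep_url(enrollment_url, "GetCACaps"),
        "getcacert_url": scep_url(enrollment_url, "GetCACert", "CA-IDENT"),
        "caps": sorted(caps),
        "ok": ok,
        "findings": findings,
    }


if __name__ == "__main__":
    report = check_server(ENROLLMENT_URL, SAMPLE_CAPS_RESPONSE)
    for key, value in report.items():
        print(f"{key}: {value}")
```

In practice you would fetch the GetCACaps URL with any HTTP client (NDES answers plain HTTP by default) and feed the body to check_server; a server that advertises neither SHA-256 nor AES will have the router fall back to SHA-1 (or MD5) and 3DES/DES for the enrollment exchange, which is the kind of finding to raise before rolling the trustpoint out across a fleet.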
