SEC0009 - Windows 2008 Enterprise CA SCEP Installation


The video walks you through an installation of an Enterprise Certificate Authority (CA) and the Network Device Enrollment Service (NDES), also known as SCEP, on a Windows 2008 server. We test the server with a certificate request through web enrollment from a Windows client, as well as a SCEP request from a Cisco router. The SCEP exchange is captured and reviewed in Wireshark. At the end of the video, you should have a working CA server that you can use for certificate authentication in future labs.

Topics include
  • CA and NDES Installation
  • Certificate Web Enrollment and SCEP
  • 'crypto pki' on a Cisco Router

About Author

Metha Chiewanichakorn, CCIE#23585 (Ent. Infra, Sec, SP), is a Cisco networking enthusiast with years of experience in the industry. He is currently working as a consulting engineer for a Cisco partner. As a founder of and an instructor at labminutes.com, Metha enjoys learning and challenges himself with new technologies.

20 comments

Sir,

What is the benefit of the user created on the CA server?
We didn't use it.

Are you referring to the NDES user or a regular user account?

I am referring to the NDES user.

If you do not use SCEP, then there is no need for the NDES user.

What is the difference between the CA templates?

CA templates define the characteristics of a certificate such as key length, included attributes, duration, etc.

What is the difference between the IPsec and IPsec (Offline) templates?

I would guess one is meant for web-based cert requests and the other is for SCEP. You need to look at the specific settings under the templates.

Hello, great informative videos. Thanks for sharing. I have a question. We are deploying a new Windows CA using a two-tier hierarchy. The offline Root will be using the following settings: cryptographic provider RSA#Microsoft Software Key Storage Provider | Key Length = 2048 | Hash algorithm = SHA256. The same settings would be applied for the secondary CA (enterprise CA). I was wondering if you see any problems with this configuration? Thanks for your input, and I see that you are an SC alum. I am a huge Trojan football fan, so Fight On!

That should not be a problem. You might want to try to increase the key length on the Root CA if possible, and since it is only needed for signing the Intermediate CA, which should not happen often, there should not be any issue with performance. Good luck.

Thanks for your reply. So, I went ahead and configured the Offline Root CA with the settings I mentioned previously (I wanted to set the key length higher than 2048; however, I'll explain why in a bit). Here are the settings I used again: Cryptography = RSA#Microsoft Software Key Storage Provider | Key Length = 2048 | Hash Algorithm = SHA256. After configuring the Offline Root CA with these settings, when I view the Root CA's certificate it shows Signature algorithm = RSASSA-PSS. I was told that this setting, according to the ISE documentation, would not work with ISE. Can you help me with this? Would this setting pose any problems? Also, I was told that ISE communicates with the entire certificate chain up to the root, so I couldn't raise the key length any higher than 2048? That's why I didn't set it higher, but that seemed odd to me. We can communicate offline if necessary. Thanks a lot!

Hi Metha, great video series!! With the current video I got to the section where we request a user cert from a lab PC at minute marker 17:07. For me this failed with the error message below. After hours of googling I can't find a reason. Any idea what the issue could be or where I can look on the server?

Your request failed. An error occurred while the server was processing your request.

Contact your administrator for further assistance.

Request Mode:
newreq NN - New Request (keygen)
Disposition:
(never set)
Disposition message:
(none)
Result:
Invalid pointer 0x80004003 (-2147467261)
COM Error Info:
CCertRequest::Submit: Invalid pointer 0x80004003 (-2147467261)
LastStatus:
The operation completed successfully. 0x0 (WIN32: 0)
Suggested Cause:
No suggestions.

Are you running Win2008 with Enterprise CA? There is not much to go on from the error log. You may want to try to reinstall the CA.

Thanks for the reply! I started with a fresh install of a Windows 2008 R2 SP1 VM, installed AD and followed your instructions. I used an enterprise CA. The event viewer logs did not help, but my Windows troubleshooting experience is slim. It's possible I typed a password wrong in one of the entries for NDES_USER. I also found 2 hotfixes released by MS that Cisco says are required for auto-enrollment with ISE. I was hoping that this error at this point of your process may have been something you've seen before. If not, it must be specific to my environment. I may try again from scratch or keep digging through Google. I appreciate your help and all the instructional videos.

I received the same error, so I did a Google search on the error and came across a site which directed me to use IE. This solved the problem. Try using Internet Explorer!

Thank you for sharing your solution.

Hi Metha,

I followed every step from your video deploying Windows 2008 Server R2. The CA is working fine but I can't access https://localhost/certsrv/mscep_admin/
When I try to access it, I get:

Server Error in Application "DEFAULT WEB SITE/CERTSRV"

HTTP Error 404.0 - Not Found
The resource you are looking for has been removed, had its name changed, or is temporarily unavailable.

When I try to access the URL from another machine, I get the error:
Network Device Enrollment Service allows you to obtain certificates for routers or other network devices using the Simple Certificate Enrollment Protocol (SCEP).

You do not have sufficient permission to enroll with SCEP. Please contact your system administrator.

For more information see Using Network Device Enrollment Service.

Do you know what I am missing?

No further identifying information is required.
Please select a key strength.
The key strength function is missing, and I am using Windows 10 to log in to the server to complete these steps; this has become a hurdle for me to complete the rest of the training. I will be glad if you can help me to understand why the function to select the key strength is missing.
Notes: I am currently using Windows 2008 Server and followed all your procedures, but no luck.
I used Windows 2016 Server, followed all your procedures, and I keep getting the same issue:
the dialogue box to select the key strength is missing.
Thank you
meherthegeek

Hi Metha,
Just to add to the information I provided earlier, I also receive this error message.
Error

Contact your administrator for further assistance.
Request Mode:- (unknown) Disposition:(never set) Disposition message:(none) Result:The operation completed successfully. 0x0 (WIN32: 0) COM Error Info:LastStatus:The operation completed successfully. 0x0 (WIN32: 0) Suggested Cause: No suggestions.

Thank you
meherthegeek

Hello Metha,

Thanks for sharing a good video; accordingly, I have successfully configured a CA server in my EVE-NG lab. I can access the URL from a Windows 7 PC in the lab using https://roundtable.com/certsrv.

When I am selecting a user certificate there is no option to select the key strength.

I checked the server's localhost URL and from the Windows 7 PC in the lab, but the result is the same. Please help, Sir.

Thanks,

Susheel