Hello Dagmar, thank you for your excellent post on hardening NDES. Your statement about EDITF_ATTRIBUTEENDDATE is not quite right, though. This flag seems only to allow shortening the certificate validity period. If you try to extend it, the request will be denied with "The specified time is invalid. 0x8007076d (WIN32: 1901 ERROR_INVALID_TIME)".
To all who might make use of it: I was able to write a custom policy module for the certification authority that preserves the functionality of the original one and adds (amongst other features) the possibility to apply constraints to the Subject DN and Subject Alternative Name (which fields, and which content). It can be used free of charge; find it on GitHub: https://github.com/Sleepw4lker/TameMyCerts. This works not only for SCEP but for all offline certificate requests in general. We use it with about 750k certificates per year that get requested via our 6 SCEP servers and an AirWatch instance with 100k+ managed devices. Kind regards.