Hello, this is Jonathan from the Directory Services team.
The Network Device Enrollment Service (NDES) is one of the role services of the Active Directory Certificate Services (ADCS) role. It implements the Simple Certificate Enrollment Protocol (SCEP). SCEP defines the communication between network devices and a Registration Authority (RA) for certificate enrollment.
When the NDES role is added, it automatically requests two certificates that it uses as part of its functionality. The first is an Exchange Enrollment Agent certificate; the other is a CEP Encryption certificate. In both cases, the private keys associated with these certificates are not exportable, so it is difficult to share them amongst multiple instances of the RA.
This document describes the steps necessary to replace the original certificates requested during the install of the role with a new set of certificates requested manually afterwards. As part of the manual request process, the Administrator can specify that the private keys be exportable facilitating the sharing of certificates and keys amongst multiple servers.
While this practice is not recommended, this document assumes that the Administrator understands and accepts the risks associated with it.
Finally, this document assumes that the issuing CA is running Microsoft Windows Server 2008 Active Directory Certificate Services in Enterprise mode.
The first step in the process is to remove the original certificates from the server. Next, new certificates will be requested from the CA and installed in the Local Computer Personal store. After that, the permissions on the new private keys will be modified to permit the SCEP Agent account specified during role install access to the private keys. Finally, the IIS service will be reset. NDES will locate the new certificates when it receives the first SCEP request from a network device.
After the NDES role is installed, there will be two certificates in the Local Computer Personal store issued to the NDES Registration Authority. The name of the RA is constructed like so:
These certificates should be revoked on the CA and removed from the server. Simply deleting the certificates from the Local Computer Personal store is sufficient, but Windows stores private keys separately from the associated certificate so deleting the certificates will result in orphaned private keys that remain on the server. It is good practice to delete the private keys first, and then remove the associated certificates.
The first step is to identify the private keys. NDES does not support the new Cryptography Next Generation (CNG) Cryptographic Service Providers (CSP) introduced in Windows Server 2008. Instead, it uses the legacy CryptoAPI (CAPI) providers. The default Windows CAPI CSPs store private keys encrypted in the file system. You can use the following method to locate the encrypted key files so that you can delete them.
The private key files for certificates issued to the Local Computer are located in the following directory:
ProgramData is a hidden system directory, so you must be a local Administrator to perform this task. Once you have opened the directory, you then need to determine which of the files contained therein is associated with the certificate you wish to remove. This is easily accomplished using certutil.exe.
Certutil can be used to enumerate the certificates in the Local Computer Personal store and display the associated key container. The name of the key container will match the name of the file in the directory mentioned above. Please note, non-Microsoft CSPs may not behave in this manner since key storage implementations can vary from vendor to vendor, but the behavior is consistent amongst the Microsoft default CAPI CSPs.
The following command will search the Local Computer Personal store for all certificates issued to the RA and display the key container name.
for /f "tokens=*" %i in ('certutil -store MY %COMPUTERNAME%-MSCEP-RA') do @echo %i | findstr /i /c:"Unique container name"
The above command line has been wrapped, but it should be entered on one line at the command prompt. It uses the for command to step through each line of the certutil.exe output and pipe the result to the findstr.exe command. Findstr looks for the string "Unique container name" and prints the line to the command prompt if it is found. Any line that does not contain the string "Unique container name" is ignored.
The actual key container names will vary from machine to machine, but the output should look similar to the following:
Unique container name: 355b8e247af95b2340ba226a6bc25ab5_cde5adfd-972a-420b-986e-e40fef6ea415
Unique container name: bc1fa1b6c3c724366bcb30b581f4280f_cde5adfd-972a-420b-986e-e40fef6ea415
Putting everything together, you would delete the following files:
Once the private keys have been deleted, you can simply delete the certificates in the Local Computer Personal store issued to NDES RA (%COMPUTERNAME%-MSCEP-RA).
The next step in the process is to request new certificates from the CA to be used by the NDES RA. The following steps will use certreq.exe to create and submit the certificate request, and to retrieve and install the issued certificate. Let's start with the Exchange Enrollment Agent certificate.
First, you'll need to create an .INF file containing information that certreq.exe will use to generate the request. A sample ws08_ndes_sign.inf is included below.
; FileName: ws08_ndes_sign.inf
Once the ws08_ndes_sign.inf file has been created you use certreq.exe to generate the request, submit it to the CA, retrieve the issued certificate, and then install it. Follow these steps to accomplish these tasks:
Figure 1 below shows the commands described above and the expected output.
Next you’ll need to request the CEP Encryption certificate. As with the Exchange Enrollment Agent certificate, you will need to create an .INF file that contains information that certreq.exe will use to generate the request. A sample ws08_ndes_xchg.inf file is included below.
; FileName: ws08_ndes_xchg.inf
; Subject must be included in the file
Subject = "CN=WS08SRV03-MSCEP-RA,OU=Accounting,O=Contoso,L=Redmond,S=Washington,C=US"
Exportable = TRUE
Once the ws08_ndes_xchg.inf file has been created you use certreq.exe to generate the request, submit it to the CA, retrieve the issued certificate, and then install it. Follow these steps to accomplish these tasks:
Figure 2 below shows the command described above and the expected output.
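For administrators who would rather script the two requests than run the certreq.exe steps by hand, the following is an added example and not part of the original post. It drives certreq.exe from PowerShell for both RA certificates. Assumptions: the built-in AD CS template common names EnrollmentAgentOffline (display name "Exchange Enrollment Agent (Offline request)") and CEPEncryption, a placeholder CA configuration string that must be replaced with your own "host\CA name", the subject attributes from the sample .INF above, and the Microsoft Strong Cryptographic Provider as the CAPI provider. The .INF keys written are standard certreq [NewRequest] and [RequestAttributes] keys.

```powershell
# Added example, not from the original post: drives the certreq.exe steps for
# both NDES RA certificates from PowerShell. Values marked "assumption" must be
# replaced with your own.

$RaName   = "$env:COMPUTERNAME-MSCEP-RA"
$CaConfig = 'ca01.contoso.com\Contoso Issuing CA'   # assumption: your CA in "host\CA common name" form
$WorkDir  = Join-Path $env:TEMP 'ndes-ra'
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

function Invoke-CertReq {
    # Runs certreq.exe with the given arguments and stops on any failure, so a
    # failed -submit never leads to a misleading -accept step.
    param([string[]]$Arguments)
    & certreq.exe @Arguments
    if ($LASTEXITCODE -ne 0) { throw "certreq.exe $($Arguments -join ' ') failed with exit code $LASTEXITCODE" }
}

# One entry per certificate. Template names are the built-in AD CS template common
# names (assumption that they have not been renamed in your forest). KeySpec 2 is a
# signature key (Enrollment Agent), KeySpec 1 a key-exchange key (CEP Encryption).
$Requests = @(
    @{ File = 'ws08_ndes_sign'; Template = 'EnrollmentAgentOffline'; KeySpec = 2 },
    @{ File = 'ws08_ndes_xchg'; Template = 'CEPEncryption';          KeySpec = 1 }
)

foreach ($r in $Requests) {
    $inf = Join-Path $WorkDir "$($r.File).inf"
    $req = Join-Path $WorkDir "$($r.File).req"
    $cer = Join-Path $WorkDir "$($r.File).cer"

    # Exportable = TRUE is the point of re-requesting; MachineKeySet puts the key in
    # the Local Computer store; a CAPI provider is used because NDES does not use CNG.
    @"
[NewRequest]
Subject = "CN=$RaName,OU=Accounting,O=Contoso,L=Redmond,S=Washington,C=US"
Exportable = TRUE
MachineKeySet = TRUE
KeyLength = 2048
KeySpec = $($r.KeySpec)
ProviderName = "Microsoft Strong Cryptographic Provider"
ProviderType = 1
RequestType = PKCS10

[RequestAttributes]
CertificateTemplate = $($r.Template)
"@ | Set-Content -Path $inf -Encoding ASCII

    Invoke-CertReq -Arguments @('-new', $inf, $req)                           # generate key pair and request
    Invoke-CertReq -Arguments @('-submit', '-config', $CaConfig, $req, $cer)  # submit to the enterprise CA
    Invoke-CertReq -Arguments @('-accept', $cer)                              # install and bind to the pending key
}

# Verification, the PowerShell counterpart of "certutil -store My %COMPUTERNAME%-MSCEP-RA":
# both certificates should be listed with HasPrivateKey = True.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$RaName,*" } |
    Select-Object Thumbprint, HasPrivateKey, NotAfter,
        @{ Name = 'EKU'; Expression = { ($_.EnhancedKeyUsageList | ForEach-Object { $_.FriendlyName }) -join ', ' } }
```

Run this in an elevated PowerShell prompt on the NDES server. Because the requests are template-based and submitted to an enterprise CA, the templates must be published on that CA and the submitting account must have Enroll permission on them; if the CA is configured to hold requests for approval, -submit returns a pending request id and -accept must be run after issuance instead.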
You can now run the following command to verify that both certificates have been installed in the Local Computer Personal store:
certutil -store My %COMPUTERNAME%-MSCEP-RA
The output should look similar to the following:
================ Certificate 1 ================
Next, the permissions on the private keys files will need to be modified to permit the MSCEP RA service account to access the associated key material.
Windows Server 2008 now makes it easier to manage permissions on private keys through the Certificates snap-in. Once the new NDES RA certificates have been installed, the Administrator needs to grant access to the associated private keys to the MSCEP RA service account.
To grant the MSCEP RA access to the private keys, follow these steps:
1. Open the Certificates MMC snap-in focused on the Local Computer.
2. Open the Personal store, and select the CEP Encryption certificate issued to the MSCEP RA.
3. Right-click on the certificate, select All Tasks from the context menu, and then select Manage Private Keys... as in Figure 3 below.
4. This will launch the ACL Editor.
5. Click Add, and select the NDES service account created prior to installing the NDES role.
6. Click Ok.
7. Verify that the NDES service account has full control over the key, and then click Ok.
Repeat this process with the Exchange Enrollment Agent certificate issued to the MSCEP RA account.
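The certutil/for-loop used earlier to find the key files in MachineKeys, and the "Manage Private Keys..." steps just described, both come down to locating the key file that backs an RA certificate. The following added example (not part of the original post) does that mapping once in PowerShell and uses it for both purposes: listing the key file for each RA certificate, deleting a retired certificate together with its key file in the order the post recommends (key first, then certificate), and granting the NDES service account access to the key files of the new certificates. It relies on the CAPI-only CspKeyContainerInfo.UniqueKeyContainerName property, which is the value certutil prints as "Unique container name" and, for the default Microsoft CAPI CSPs, the file name under MachineKeys. The service account name is an assumption; revoking the retired certificates on the CA is still done separately, as described above.

```powershell
# Added example, not from the original post. Maps each RA certificate in the Local
# Computer Personal store to its CAPI key file under MachineKeys, removes a retired
# certificate and its key file, and grants the NDES service account access to the
# remaining key files. The service account name is an assumption.

$RaName        = "$env:COMPUTERNAME-MSCEP-RA"
$MachineKeyDir = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'

function Get-RaKeyFile {
    # One object per RA certificate that has a CAPI private key, with its key file path.
    param([string]$Subject = $RaName)
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "CN=$Subject,*" -and $_.HasPrivateKey } |
        ForEach-Object {
            $cert = $_
            try { $csp = $cert.PrivateKey.CspKeyContainerInfo } catch { $csp = $null }  # CNG keys carry no CSP info
            if ($null -eq $csp) { return }
            # UniqueKeyContainerName is the <hash>_<machine GUID> value certutil prints as
            # "Unique container name"; for the default CAPI CSPs it is the file name in MachineKeys.
            New-Object PSObject -Property @{
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
                KeyFile    = Join-Path $MachineKeyDir $csp.UniqueKeyContainerName
            }
        }
}

function Remove-RaCertificate {
    # Deletes the key file first and the certificate second, the order the post
    # recommends, so no orphaned key file is left behind in MachineKeys.
    param([Parameter(Mandatory = $true)][string]$Thumbprint)
    $entry = Get-RaKeyFile | Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $entry) { throw "No RA certificate with a CAPI private key matches $Thumbprint" }
    if (Test-Path $entry.KeyFile) { Remove-Item -Path $entry.KeyFile -Force }
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
    $store.Open('ReadWrite')
    $store.Certificates | Where-Object { $_.Thumbprint -eq $Thumbprint } | ForEach-Object { $store.Remove($_) }
    $store.Close()
}

function Grant-RaKeyAccess {
    # Adds an Allow ACE for the service account on every RA key file. 'FullControl'
    # matches step 7 above; 'Read' is the minimum the service needs to use the key.
    param(
        [Parameter(Mandatory = $true)][string]$Account,       # e.g. 'CONTOSO\svc-ndes' (assumed name)
        [ValidateSet('Read', 'FullControl')][string]$Rights = 'FullControl'
    )
    foreach ($entry in Get-RaKeyFile) {
        $acl  = Get-Acl -Path $entry.KeyFile
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, $Rights, 'Allow')
        $acl.AddAccessRule($rule)
        Set-Acl -Path $entry.KeyFile -AclObject $acl
        Write-Output "Granted $Rights on $($entry.KeyFile) to $Account"
    }
}

# Usage (elevated prompt):
#   Get-RaKeyFile | Format-Table -AutoSize              # list RA certificates and their key files
#   Remove-RaCertificate -Thumbprint '<old thumbprint>'  # retire each original, non-exportable certificate
#   Grant-RaKeyAccess -Account 'CONTOSO\svc-ndes'       # after the new certificates are installed
```

Get-RaKeyFile is the check to run before and after the replacement: before, it should show the two original certificates and the files the post tells you to delete; afterwards, the two new ones with their key files, which is where the ACL needs to change. Non-Microsoft CSPs may store keys elsewhere, as the post notes, so KeyFile is only meaningful for the default CAPI providers.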
Once all the above steps have been completed, reset the IIS service on the NDES server. To do this, launch the command prompt and run iisreset.exe. The NDES service is now ready to accept device administrator password requests as well as SCEP enrollment requests from the network devices.
At this point the device administrator should attempt a SCEP enrollment from a network device to verify that the NDES service is configured correctly.
To obtain the SCEP password, the device administrator uses Internet Explorer to go to the following site:
With the password in hand, the device administrator configures the network device with the password and the enrollment site in order for the device to enroll for the certificate. The enrollment site is:
If enrollment succeeds the NDES service is configured correctly.
The goal of this document was to replace the non-exportable certificates and keys generated during the install of the Network Device Enrollment Service role with new certificates that are exportable. The server administrator should now take steps to export the CEP Encryption and Enrollment Agent certificates issued to the MSCEP RA so that they can be imported on another server as needed.
- Jonathan Stephens