NDES certificate problem


I'm configuring the NDES service on one server and found a little issue with templates.

I ran the NDES setup, which completed successfully as it used the built-in templates

CEP Encryption and

Exchange Enrollment Agent (Offline request)


As these are the default templates, we'd like to replace them with duplicated ones, as per this:


Service Setup

During setup, the service enrolls for the two service certificates based on two preconfigured certificate templates.


  • Exchange Enrollment Agent (Offline request)  This certificate template is used for enrolling for the enrollment agent certificate.

  • CEP Encryption  This certificate template is used for enrolling for the key exchange certificate.


Note  These certificate templates are hard-coded to the Network Device Enrollment Service setup and cannot be modified.


In addition, setup will set the required permissions on the Certificate Template object and the CA that the service is configured with, for example, adding the required Certificate Templates to the list of templates supported by the CA.


Service Startup

When the service starts, it searches for two certificates that can be used for the previous two scenarios. These certificates do not have to be the same certificate the service enrolled for during setup. The following logic is used by the service for finding the certificate for the two scenarios at startup.


  1. The service searches in the machine MY store AND

  2. The certificate must have the following extensions AND

    • For the Key Exchange certificate:

      • ExtendedKeyUsage: "Certificate Request Agent"

      • KeyUsage: Encryption (0x20)

    • For the enrollment agent certificate:

      • ExtendedKeyUsage: "Certificate Request Agent"

      • KeyUsage: Signature (0x80) 

  3. The certificate must not be archived AND

  4. The computer must have the private key for the certificate AND

  5. The certificate must be issued by the same CA that the service is configured for AND

  6.  The certificate must have a valid chain AND

  7.  If there is more than one certificate for either of the certificates that meet the previous criteria, the service will select the most recent one (the latest that was issued)


So we'd like to generate two new certificates from the duplicated templates.

We had no problem with the CEP Encryption duplicate, which we could generate from the "computer" certificates console in MMC.

For the Exchange Enrollment Agent duplicate, we could only generate it from the "user" certificates console in MMC.


Is that normal?



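The seven-step selection logic quoted in the post above can be reproduced against the local certificate stores so you can see, before restarting NDES, which certificate the service will pick for each role and which template it came from. The script below is an added example written for this page; it is not part of the original post and not Microsoft's code. It assumes Windows PowerShell 5.1 (or later) with the Cert: drive on the NDES server, and the issuer DN in $CaName is a placeholder you must replace with your own CA's subject. Because criterion 1 is the machine MY store, it also reports candidates that sit only in CurrentUser\My, which is where enrollment from the "user" certificates console puts them.

```powershell
# Added example, not from the original post: emulate the NDES startup certificate
# selection (machine MY store, EKU Certificate Request Agent, required key usage,
# not archived, private key present, issued by the configured CA, valid chain,
# newest wins) and show where each candidate actually lives.
# ASSUMPTION: $CaName is a placeholder; set it to the issuer DN of your NDES CA.
$CaName = 'CN=Contoso Issuing CA, DC=contoso, DC=com'

$EkuCertRequestAgent = '1.3.6.1.4.1.311.20.2.1'   # EKU "Certificate Request Agent"
$TemplateInfoOid     = '1.3.6.1.4.1.311.21.7'     # "Certificate Template Information" (v2+ templates)
$KU = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]

function Get-CertTemplateName {
    # Reads the template name out of the szOID_CERTIFICATE_TEMPLATE extension, if present.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $TemplateInfoOid }
    if (-not $ext) { return '(no template information extension)' }
    # Format() renders "Template=<name>(<oid>), Major Version Number=..., ..."
    if ($ext.Format($false) -match 'Template=([^(]+)') { return $Matches[1].Trim() }
    return $ext.Format($false)
}

function Test-NdesCandidate {
    # Criteria 2 to 6 of the quoted startup logic, evaluated on one certificate.
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]$RequiredKeyUsage
    )
    $eku = $Cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ku  = $Cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }

    $hasEku  = [bool]($eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $EkuCertRequestAgent }))
    $hasKu   = [bool]($ku  -and (($ku.KeyUsages -band $RequiredKeyUsage) -eq $RequiredKeyUsage))
    $notArch = -not $Cert.Archived
    $hasKey  = $Cert.HasPrivateKey
    $rightCa = ($Cert.Issuer -eq $CaName)
    $chainOk = $Cert.Verify()   # builds the chain with the machine's revocation settings

    return ($hasEku -and $hasKu -and $notArch -and $hasKey -and $rightCa -and $chainOk)
}

function Select-NdesCertificate {
    # Criterion 1 (store) and criterion 7 (most recently issued wins).
    param(
        [string]$StorePath,
        [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]$RequiredKeyUsage
    )
    Get-ChildItem $StorePath |
        Where-Object { Test-NdesCandidate -Cert $_ -RequiredKeyUsage $RequiredKeyUsage } |
        Sort-Object NotBefore -Descending |
        Select-Object -First 1
}

# Role -> required KeyUsage, as quoted: Encryption 0x20 and Signature 0x80.
$roles = [ordered]@{
    'Key exchange certificate (CEP Encryption, KU 0x20)'              = $KU::KeyEncipherment
    'Enrollment agent certificate (Exchange Enrollment Agent, KU 0x80)' = $KU::DigitalSignature
}

foreach ($role in $roles.Keys) {
    $machine = Select-NdesCertificate -StorePath 'Cert:\LocalMachine\My' -RequiredKeyUsage $roles[$role]
    if ($machine) {
        '{0}: will use {1} (template "{2}", issued {3:u})' -f $role, $machine.Thumbprint,
            (Get-CertTemplateName $machine), $machine.NotBefore
    } else {
        "$role: no certificate in LocalMachine\My meets all seven criteria"
        # A certificate enrolled from the user console lands here instead, which NDES does not search.
        $user = Select-NdesCertificate -StorePath 'Cert:\CurrentUser\My' -RequiredKeyUsage $roles[$role]
        if ($user) {
            '    note: a matching certificate exists only in CurrentUser\My: {0} (template "{1}")' -f `
                $user.Thumbprint, (Get-CertTemplateName $user)
        }
    }
}
```

Run it in an elevated session on the NDES server (Cert:\LocalMachine\My needs administrative rights to read private-key presence reliably, and Verify() needs network access to the CA's CRL/AIA locations). If a role reports a match only in CurrentUser\My, the certificate was issued to the interactive user rather than to the computer account, which is why it does not satisfy criterion 1.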